Interview with Joanna Rutkowska, security researcher
by (IN)SECURE Magazine - Monday, 18 June 2007.
Naturally, from time to time we see a very interesting bug report, sometimes presenting a new class of bugs or a new method of exploitation. It's hard to overestimate the value of such reports for the security community, so if the author decided to release those information for free, I guess we all should only be grateful to the author.

What is your opinion about Microsoft Patch Tuesdays? Shouldn't there be more frequent patch releases?

I guess there should be, but I can also understand that releasing a patch is a complicated business process, because it requires lots of testing, etc. I also realize that even if we had patches released on a daily basis, that still would not be a sufficient solution, as attackers might still exploit some unknown vulnerability.

Thus, I think it's much more important that the OS itself provided various anti-exploitation technologies and also be designed to limit the damage of the potential successful exploitation (least privilege design, strict privilege separations, etc). And it's clear that Microsoft is going this way, although there's still room for improvement in this area.

What is the most interesting fact you've become aware of while researching for your recent papers?

It's hard to point to just one fact. Usually the most amazing thing is that something you though of before (e.g. some attack) actually does work after you implemented the proof-of-concept code. That's always very amazing for me.

What's your take on the open source vs. closed source security debate?

I don't like when people say that something is secure just because it's open source and inherently insecure, just because it's a commercial, closed source product.

Although it should be admitted that a lot of security technologies have been introduced in the open source systems for the first time, like e.g. ASLR which has been invented by PaX about 6 years ago.

What are your future plans? Any exciting new projects?

I think that I would like to focus more on the defense side now. In the past two years I have worked on several offensive techniques, starting from passive, very hard to detect covert channels ("Nushu"), then I presented "Stealth by Design", type II malware, then I showed that Vista kernel can be subverted despite the new protection mechanism and also demonstrated that recent hardware virtualization technology can be used to create a new class of stealth malware - something I call type III malware (e.g. "Blue Pill"). And just recently I found that hardware based memory acquisition as used for forensics, believed to be absolutely reliable, because it uses so called "Direct Memory Access" to read memory, can be cheated in some cases.

Unfortunately I haven't seen any serious effort in the security world to address most of those threats. We still don't have any effective way to combat type II malware. Network intrusion detection systems and firewalls are years behind when it comes to detecting or preventing any more advanced covert channels. We still don't have any good solution to prevent or detect hardware virtualization based malware...

I would like to work more on the defense side now - I believe that we should convince OS vendors (and also CPU vendors) to make systems verifiable - so that we could come up with *systematic* ways to check whether the system is infected by any of type I, II or III malware.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th