Interview with Joanna Rutkowska, security researcher

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Joanna Rutkowska is primarily known for her contributions to Windows Vista backdoor installation and hiding techniques.

She is very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels.

How did you get interested in Windows security?

When I started to play with Windows internals, I already had a background with Linux usermode exploitation and kernel programming. Move to Windows was a natural evolution and was mostly dictated by my curiosity.

What’s your general take on the security aspects of Windows Vista? Is it much more secure than Windows XP as Microsoft is telling us?

Indeed, Vista introduced lots of security improvements comparing to XP. The most important one is probably the User Account Control feature which will hopefully force people to work from restricted accounts. UAC is still far from perfect – e.g. it’s pretty annoying that every single application installer (even if it is Tetris) asks for administrative credentials and the user has no real choice to continue the installation *without* agreeing on that. However, I see UAC as an important step towards implementing the least-privilege principle in Windows.

Also, Microsoft introduced some anti-exploitation technologies, like e.g. ASLR and invested a lot of money and time into improving the quality of the code behind the operating system and the applications.

The introduction of BitLocker technology which makes use of the Trusted Platform Module (TPM) to assure the integrity of the booting processes seems like an important improvement. Of course, this should not be though of as a silver bullet solution against rootkits and all other malware.

In the 64-bit version of Vista, Microsoft also introduced the requirement that all kernel drivers must be digitally signed, but I don’t believe this mechanism to be effective in stopping kernel malware. Also, the much discussed Kernel Patch Protection (AKA Patch Guard), should not be though of as an effective protection against kernel compromises, as it’s relatively easy to bypass by the malware authors. Still, I see those two mechanism as useful when it comes to system compromise *detection* (in contrast to prevention) – at least when it comes to type I malware.

In your opinion, what is the biggest mistake Microsoft has made when it comes to security in 2006?

I don’t really see any particular, spectacular mistake made my Microsoft in 2006 but there are some things which I don’t fully agree with, like e.g. the design of Integrity Level mechanism which prevents only against writes not reads or issues regarding kernel protection or the fact that they concentrate only on prevention (like most other OS vendors) and haven’t done anything to make systematic compromise detection feasible. I guess these are just different points of view and I would not call any of them a ‘big mistake’.

What do you think about the full disclosure of vulnerabilities?

I’m quite neutral about this. On one hand, I think that it should be every customer’s right to point out flaws in the products they buy and I really don’t see why those who find bugs should be *obliged* to first report it to the vendor – i.e. why should they be forced to do a free Q&A with the vendor?

On the other hand, when we look at the quality of the advisories published these days, where most of the bugs reported are just some denial of services, I have the feeling that people are looking for cheap publicity. It’s quite understandable that companies which are victims of those “audits” might feel a bit pissed off.

Naturally, from time to time we see a very interesting bug report, sometimes presenting a new class of bugs or a new method of exploitation. It’s hard to overestimate the value of such reports for the security community, so if the author decided to release those information for free, I guess we all should only be grateful to the author.

What is your opinion about Microsoft Patch Tuesdays? Shouldn’t there be more frequent patch releases?

I guess there should be, but I can also understand that releasing a patch is a complicated business process, because it requires lots of testing, etc. I also realize that even if we had patches released on a daily basis, that still would not be a sufficient solution, as attackers might still exploit some unknown vulnerability.

Thus, I think it’s much more important that the OS itself provided various anti-exploitation technologies and also be designed to limit the damage of the potential successful exploitation (least privilege design, strict privilege separations, etc). And it’s clear that Microsoft is going this way, although there’s still room for improvement in this area.

What is the most interesting fact you’ve become aware of while researching for your recent papers?

It’s hard to point to just one fact. Usually the most amazing thing is that something you though of before (e.g. some attack) actually does work after you implemented the proof-of-concept code. That’s always very amazing for me.

What’s your take on the open source vs. closed source security debate?

I don’t like when people say that something is secure just because it’s open source and inherently insecure, just because it’s a commercial, closed source product.

Although it should be admitted that a lot of security technologies have been introduced in the open source systems for the first time, like e.g. ASLR which has been invented by PaX about 6 years ago.

What are your future plans? Any exciting new projects?

I think that I would like to focus more on the defense side now. In the past two years I have worked on several offensive techniques, starting from passive, very hard to detect covert channels (“Nushu”), then I presented “Stealth by Design”, type II malware, then I showed that Vista kernel can be subverted despite the new protection mechanism and also demonstrated that recent hardware virtualization technology can be used to create a new class of stealth malware – something I call type III malware (e.g. “Blue Pill”). And just recently I found that hardware based memory acquisition as used for forensics, believed to be absolutely reliable, because it uses so called “Direct Memory Access” to read memory, can be cheated in some cases.

Unfortunately I haven’t seen any serious effort in the security world to address most of those threats. We still don’t have any effective way to combat type II malware. Network intrusion detection systems and firewalls are years behind when it comes to detecting or preventing any more advanced covert channels. We still don’t have any good solution to prevent or detect hardware virtualization based malware…

I would like to work more on the defense side now – I believe that we should convince OS vendors (and also CPU vendors) to make systems verifiable – so that we could come up with *systematic* ways to check whether the system is infected by any of type I, II or III malware.