Black Hat Woman

Researcher Joanna Rutkowska talks stealth malware, driving tests, and classical music

Dark Reading logo in a gray background | Dark Reading

She hacked the Windows Vista kernel, she administered a Blue Pill to an operating system, and she pioneered rootkit detection research, but Joanna Rutkowska doesn't know how to drive a car. (See How to Cheat Hardware Memory Access and Hacking the Vista Kernel.)

Figure 1:

The 26-year-old Polish researcher only recently took her first driving lesson. She says she just hasn't had time to take driving lessons and get a license, which in Poland you can get at 17. And she's not counting on getting her license on the first try, either, she says.

"It's very difficult to pass the driving exam in Poland, and it's not unusual for people to try three or five times in a row," she says.

It's hard to imagine Warsaw-based Rutkowska -- who has quietly taken the male-dominated research community by storm with her groundbreaking research in Vista hacking and in creating and detecting stealth malware in operating systems -- failing at much of anything. The confident yet self-effacing researcher shrugs off the discovery of that now famous crack in the Vista fortress as just part of her research.

"When Microsoft announced last year that the kernel would be protected from loading [unauthorized] code, I thought, 'hmmm, that's a nice challenge. I should play with this,'" Rutkowska recalls with a smile.

She's almost always one of very few -- if any -- women presenting their work at hacker conferences like Black Hat. Rutkowska says she's surprised that more women haven't cracked the security field. But she's used to being the minority: Women made up only 5 percent of the faculty at the Warsaw University of Technology department where she studied mathematics, and she had few female classmates.

Rutkowska says she doesn't feel like she's taken less seriously because she's a woman, though. "I haven't observed any sexist behavior, or someone not listening to me."

At age 11 she got her first computer -- a PC AT, with 2 Mbytes of RAM and a 40-Mbyte hard drive. "It had a 'Hercules' mono-graphics card and most games didn't work on it, so I had no other choice than to start programming," Rutkowska says. She says she was always drawn to math and thought it was "cool."

Like most researchers, Rutkowska got her start writing exploits as a teenager. "After writing exploits for some time, I started thinking about what to do after," she says. "I was interested in OS internals and got a good background in it. That brought me into the rootkit field."

Rutkowska's first hack came after reading a famous article in Phrack magazine about a stack-smashing exploit, which she then compiled herself and tested. "I read the article, and said, 'no, this couldn't work. It's impossible,'" she recalls. "And it actually did work."

She doesn't write exploits anymore, but she hasn't forgotten the thrill of a successful one. "It's exciting and surprising, like a magic trick," she explains. "I focus on a slightly different area now, but I still appreciate interesting exploits."

So how did a math student turn security researcher? Rutkowska says her security know-how was mostly self-taught: "My university education had very little to do with security."

Still, she worries that security technology and research is too prevention-oriented and doesn't emphasize detection enough. "The whole industry is focusing on prevention, and we have all those anti-exploitation technologies, which are very helpful indeed. But I'm so surprised that no one cares about detection," she says. "Every time there's prevention, there is some bypass method" created.

Without detection, there's no way to know if an attacker has grabbed administrative access to a machine, she says. And if you can't see that an attacker has infiltrated the system, nothing in that system will be "reliable" anymore. "The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says.

So far, Rutkowska hasn't felt the wrath of any vendors whose products she uses in her research, unlike many of her fellow researchers who have ticked off vendors or been threatened with legal action. She says it's not about vendors being singled out, anyway: "As a researcher, they can't expect me to test on every possible platform. I only have limited time and resources."

And her rare spare time these days includes choosing her first vehicle: "I haven't decided on the car yet, but most likely it would be some kind of SUV, as roads in Poland are not really in good shape."

Personality Bytes

  • Worst day at work: "When you want to implement some attack or rootkit... [you think] you should do this way, and after spending 20 hours writing some code, you realize you missed some small thing and it doesn't work."

  • Hangout: "Good Italian and sushi restaurants."

  • After hours: "Standard stuff, like going to the cinema, theatre, or just for a walk."

  • In her iPod now: "There is some classical music -- violin, Vivaldi, Paganini, and I like some smooth jazz."

  • PC or Mac: "PC. I wouldn't mind a Mac, but usually most of our clients have a PC."

  • Next career: "Maybe a private 'I'... Something similar to what I do now. It would be nice to be a fiction writer."

  • Hax0red: "I'm not aware of any attempt [of a hack]. That means they either didn't succeed, or did it in some really stealthy way. It would be funny. I really wouldn't mind -- that would be an interesting experience."

  • Hacker handle: "No, I do not consider myself a hacker. I'm a security researcher who just tries to present problems which I cannot solve by myself, hoping that other people will also starting working on them."

  • Next big project: "I'd like to work more on the defense side -- how we need to change the design of the current OS and hardware to make the systematic compromise-detection possible. But I can't do much without the help of operating system vendors on this. We can show the problems and suggest solutions for how to make a verifiable OS possible."

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights