Joanna Rutkowska Reveals Her Process for Security Research
In our ongoing series of interviews, Joanna Rutkowska answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work she does.
Joanna Rutkowska is a strange combination of a security researcher and a system-level architect. She is the Founder of Invisible Things Lab and well known for her research exposing various security problems in operating and virtualization systems, and also a number of hardware technologies. Her personal goal is to build a reasonably secure client OS. She hopes to achieve this goal with Qubes OS. She believes that every user has a right to privacy, and the right to keep their data on a local hard disk (or at least to do encryption on *their* computers).
What motivates you to find security vulnerabilities?
I am NOT a bug hunter or a pen tester. Perhaps the word “researchers” started to be associated so often with such people that when I say that I’m a security researcher most people read it as: pen tester, hacker, bug hunter, code auditor, etc. In that case, please think about me as a system architect who sometimes is also curious to see how the building blocks (that an architect normally uses to build systems) actually work, and whether they do work indeed.
The work we have done at Invisible Things Lab (note that ITL is more than just me) has never been about blind bug hunting (e.g. looking for 1001th bug in a Web browser), but rather a somehow systematic process of familiarizing ourselves with all the new technologies, such as virtualization, trusted boot, driver sandboxing, etc.
What the primary tools you use, and how do you use them?
I’m sure it’s clear now that asking me for “tools” I use at work is a rather a ridiculous question. 😉 Well, if you really insisted we name a program, I would say: PDF viewer. All of our research begins from studying various specs and manuals, such as Intel specs, for new technologies. We don’t do any routine kind of work, such as scanning your network or database for vulnerabilities. Those people use tools. We use brains. I know, I know, this sound a bit megalomaniacal. 😉
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
As I answered before, we don’t look for bugs in applications. We’re not bug hunters or pen-testers. We focus on Operating Systems (OS), Virtual Machine Monitors (VMM), and in the most recent years on hardware technologies, such as Intel VT and TXT that are needed to build future operating systems/VMMs.
Which platform has engineered security better, Microsoft’s Hypervisor or the VMware line of products?
Those platforms do not use many of the new technologies, such as Intel VT-d (note I wrote: VT-d, not: VT-x) or TXT, that could be used to create much more secure systems.
For our Qubes OS we chose Xen as a VMM. I think this speaks for itself.
What are you working on currently?
We’re planning to release Beta 1 of the Qubes OS in the coming weeks.
Qubes OS is really the product of all those years of research. And the type of work I do for Qubes is really architecting.
Can you tell me a little more about Qubes and the choice to use Xen as a VMM. Did it address a particular flaw you saw in other systems or were there other reasons you chose it?
This is a very good question, but I would have go very technical in order to answer it. But, the short answer would be that we believe Xen offers much more secure architecture than other popular VMMs; such as KVM, or Virtual Box, or VMWare (well this one is not really open source, but even if it was we would never use it anyway). While at the same time it still offers a number of practical features, such as power management, that are lacking in “academic” hypervisors.
Do you see a real possibility of an exploit that breaks out of a virtual machine, allowing the attacker read/write access to the operating system and data on other virtual machines?
Yes. Such exploits have already been demonstrated in the past by us as well as other researchers. And something also tells me: more to come…