Joanna Rutkowska

Last updated

Joanna Rutkowska
Joanna Rutkowska official.jpg
Joanna Rutkowska in May 2018
Born1981
Warsaw
NationalityPolish
EducationWarsaw University of Technology; Master's Degree in Computer Science
Occupation(s)Security researcher; CEO/Founder of Invisible Things Labs
EmployerInvisible Things Labs
Known for Blue Pill, Evil Maid attack, Qubes OS
Website blog.invisiblethings.org

Joanna Rutkowska (born 1981 in Warsaw) is a Polish computer security researcher, primarily known for her research on low-level security and stealth malware, [1] and as founder of the Qubes OS security-focused desktop operating system. [2]

Contents

Career

She became known in the security community after the Black Hat Briefings conference in Las Vegas in August 2006, where Rutkowska presented an attack against Vista kernel protection mechanism, and also a technique dubbed Blue Pill, that used hardware virtualization to move a running OS into a virtual machine. Subsequently, she has been named one of Five Hackers who Put a Mark on 2006 by eWeek Magazine for her research on the topic. [3] The original concept of Blue Pill was published by another researcher at IEEE Oakland in May 2006 under the name VMBR. [4]

During the following years, Rutkowska continued to focus on low-level security. In 2007 she demonstrated that certain types of hardware-based memory acquisition (e.g. FireWire based) are unreliable and can be defeated. [5] Later in 2007, together with team member Alexander Tereshkin, presented further research on virtualization malware. [6] In 2008, Rutkowska with her team focused on Xen hypervisor security. [7] In 2009, together with a team member Rafal Wojtczuk, presented an attack against Intel Trusted Execution Technology and Intel System Management Mode. [8]

In April 2007, Rutkowska founded Invisible Things Lab in Warsaw, Poland. The company focuses on OS and VMM security research and provides various consulting services. In a 2009 blog post she coined the term "evil maid attack", detailing a method for accessing encrypted data on disk by compromising the firmware via an external USB flash drive. [9]

In 2010, she and Rafal Wojtczuk began working on the Qubes OS security-oriented desktop Xen distribution, which utilizes Fedora Linux. The initial release of Qubes 1.0 was completed by September 3, 2012. [10] Its main concept is "security by compartmentalization", using domains implemented as lightweight Xen virtual machines to isolate various subsystems. Each compartment is referred to as a Qube, which operates as a separate hardware level virtual machine. The project refers to itself as "a reasonably secure operating system" and has received endorsements by numerous privacy and security experts. [11] [12] [ failed verification ] It is fairly unique in its capabilities, having a design informed by research on proven vulnerabilities in the trusted compute base (TCB), that are unaddressed in most common desktop operating systems.

She has published seminal works on systems trustability, most recently Intel x86 Considered Harmful [13] and State Considered Harmful - A Proposal for a Stateless Laptop. [14] Rutkowska has been invited as an esteemed presenter at security conferences, such as Chaos Communication Congress, Black Hat Briefings, HITB, RSA Conference, RISK, EuSecWest & Gartner IT Security Summit.

Related Research Articles

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">Xen</span> Type-1 hypervisor

Xen is a free and open-source type-1 hypervisor, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently. It was originally developed by the University of Cambridge Computer Laboratory and is now being developed by the Linux Foundation with support from Intel, Citrix, Arm Ltd, Huawei, AWS, Alibaba Cloud, AMD, Bitdefender and epam.

A hypervisor, also known as a virtual machine monitor (VMM) or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Unlike an emulator, the guest executes most instructions on the native hardware. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system–level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

In computing, paravirtualization or para-virtualization is a virtualization technique that presents a software interface to the virtual machines which is similar, yet not identical, to the underlying hardware–software interface.

<span class="mw-page-title-main">QEMU</span> Free virtualization and emulation software

QEMU is a free and open-source emulator. It emulates a computer's processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems. It can interoperate with Kernel-based Virtual Machine (KVM) to run virtual machines at near-native speed. QEMU can also do emulation for user-level processes, allowing applications compiled for one architecture to run on another.

System Management Mode is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges.

Intel Trusted Execution Technology is a computer hardware technology of which the primary goals are:

Blue Pill is the codename for a rootkit based on x86 virtualization. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.

<span class="mw-page-title-main">Intel Active Management Technology</span> Out-of-band management platform by Intel

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

libvirt Management tool

libvirt is an open-source API, daemon and management tool for managing platform virtualization. It can be used to manage KVM, Xen, VMware ESXi, QEMU and other virtualization technologies. These APIs are widely used in the orchestration layer of hypervisors in the development of a cloud-based solution.

XenClient is a discontinued desktop virtualization product developed by Citrix. It runs virtual desktops on endpoint devices. The product reached end of-life in December 2016. Unlike modern systems, XenClient runs both operating system and applications locally in the end users device, without the need for a connection to a data center, making it suitable for use in environments with limited connectivity, disconnected operation on laptops, and other scenarios where local execution is desired while keeping management centralized.

Second Level Address Translation (SLAT), also known as nested paging, is a hardware-assisted virtualization technology which makes it possible to avoid the overhead associated with software-managed shadow page tables.

Bromium was a venture capital–backed startup based in Cupertino, California that worked with virtualization technology. Bromium focused on virtual hardware claiming to reduce or eliminate endpoint computer threats like viruses, malware, and adware. HP Inc. acquired the company in September 2019.

<span class="mw-page-title-main">Qubes OS</span> Security-focused Linux-based operating system

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.

<span class="mw-page-title-main">Whonix</span> Anonymous operating system

Whonix is a Linux distribution, based on Kicksecure OS, claimed to be security hardened by its developers. Its main goals are to provide strong privacy and anonymity on the Internet. The operating system consists of two virtual machines, a workstation and a Tor gateway running Debian. All communications are forced through Tor.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Hyperjacking is an attack in which a hacker takes malicious control over the hypervisor that creates the virtual environment within a virtual machine (VM) host. The point of the attack is to target the operating system that is below that of the virtual machines so that the attacker's program can run and the applications on the VMs above it will be completely oblivious to its presence.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Evil maid attack</span> Type of computer security breach

An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.

Downfall, known as Gather Data Sampling (GDS) by Intel, is a computer security vulnerability found in 6th through 11th generations of consumer and 1st through 4th generations of Xeon Intel x86-64 microprocessors. It is a transient execution CPU vulnerability which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.

References

  1. "About". Invisible Things Lab. Archived from the original on 6 June 2016. Retrieved 12 June 2016.
  2. Porup, J. M. (5 October 2015). "Finally, a 'Reasonably-Secure' Operating System: Qubes R3". Vice: Motherboard. Retrieved 20 November 2017. 'Security by Isolation,' as Qubes founder Joanna Rutkowska puts it.
  3. Naraine, Ryan (2 January 2007). "Five Hackers Who Left a Mark on 2006". eWeek. Retrieved 11 June 2016.
  4. King, Samuel T.; Chen, Peter M.; Wang, Yi-Min; Verbowski, Chad; Wang, Helen J.; Lorch, Jacob R. (1 January 2006). "SubVirt: Implementing Malware with Virtual Machines". 2006 IEEE Symposium on Security and Privacy (S&P'06). IEEE Computer Society. pp. 314–327. CiteSeerX   10.1.1.684.4485 . doi:10.1109/SP.2006.38. ISBN   978-0-7695-2574-7. S2CID   1349303.
  5. Rutkowska, Joanna (28 February 2007). Beyond The CPU: Defeating Hardware Based RAM Acquisition (PDF). Black Hat DC. Washington, D.C.
  6. Rutkowska, Joanna; Tereshkin, Alexander (8 February 2007). IsGameOver(), anyone? (PDF). Black Hat USA. Las Vegas, Nevada.
  7. Walker-Morgan, Dj (12 August 2008). "Xen virtualisation swallows a "Blue Pill"". The H. Archived from the original on 8 December 2013.
  8. Attacking Intel Trusted Execution Technology
  9. Rutkowska, Joanna (16 October 2009). "The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!". The Invisible Things Lab's blog. Retrieved 30 October 2018.
  10. "Introducing Qubes 1.0!". blog.invisiblethings.org. Retrieved 1 February 2017.
  11. @Snowden (29 September 2016). "If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better" (Tweet) via Twitter.
  12. @hashbreaker (15 March 2015). "Happy thought of the day: An attacker who merely finds a browser bug can't listen to my microphone except when I've told Qubes to enable it" (Tweet) via Twitter.
  13. Rutkowska, Joanna (October 2015). "Intel x86 considered harmful" (PDF). The Invisible Things. Retrieved 12 June 2016.
  14. Rutkowska, Joanna (December 2015). "State Considered Harmful - A Proposal for a Stateless Laptop" (PDF). The Invisible Things. Retrieved 12 June 2016.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.