Joanna Rutkowska is a Polish security specialist, primarily known for her research on stealth malware and on techniques for installing and hiding backdoors on Windows Vista.
In August 2006, at the Black Hat Briefings conference in Las Vegas, Rutkowska presented system compromise techniques that could be used against Windows Vista systems. She was subsequently named one of the "Five Hackers who Put a Mark on 2006" by eWeek Magazine for her research on the topic.
In the first part of the presentation, Rutkowska discussed how to bypass Vista kernel protection, demonstrating how to load unsigned code into the Vista kernel. The second part of the presentation introduced a technique dubbed Blue Pill. It can be described as a rootkit technology that allows potentially malicious code to covertly take control of the system through the use of CPU virtualization. Although presented and implemented on a Vista system, the method is OS-independent and does not exploit any weakness in Vista itself. The effectiveness of the Blue Pill approach is the subject of debate among some researchers.
At Black Hat Federal, in March 2007, Rutkowska demonstrated that certain types of hardware-based memory acquisition (e.g. FireWire-based) are unreliable and can be defeated.
At the next Black Hat in Las Vegas, Rutkowska and Alexander Tereshkin presented research that:
Disclosed specific Vista driver vulnerabilities (and patterns of vulnerabilities) that again allowed the bypass of Vista kernel protection.
Released the source code to the New Blue Pill project, a ground-up rewrite of Blue Pill and the first published virtualized rootkit.
Discussed ways to avoid the detection of virtualization-based rootkits.
Critiqued detection approaches presented by other researchers, noting that "blue pill detection" methods are generic VMM detectors, incapable of distinguishing between malicious and non-malicious hypervisors.
Presented the first working proof of concept of "nested virtualization", allowing other hardware-based hypervisors to run as guests of the Blue Pill hypervisor. The published code only allowed simple hypervisors to run as guests, e.g. the Blue Pill hypervisor itself as a guest of another Blue Pill hypervisor.
In April 2007, Rutkowska founded Invisible Things Lab in Warsaw, Poland. The company focuses on OS and VMM security research and provides various consulting services.