Saturday, May 01, 2010


If you have been following my research over the last several years (even in the days before ITL), you will undoubtedly notice how much I have changed the profile over that time...

Several years ago, myself and Alex Tereshkin (who later became ITL employee #1), were known mostly as rootkit researchers. It was back in the days when the word "rootkit" was not as much well known as it is today (It became well known sometime in the late 2005, and I remember when I was applying for a US Visa that year, the immigration officer in the Warsaw embassy asked me what I did professionally and when I replied that I was a security researcher specializing in rootkits, he was very happy to tell me that he just read about those "rootkits" somewhere, although he was not very much worried about them, because he was a Mac user...)

But then, in the coming years, we decided to explore other areas, like virtualization, trusted computing, chipset security, and even touched on the CPU security briefly. Many valuable contributions in those areas have come from Rafal Wojtczuk, who joined our team some two years ago.

And then, finally, we became ready to actually build something meaningful. Not just yet another nonsense trivial-to-break "security product", but something that have had a potential to really improve user's security. And so, the Qubes project idea has been born, and soon it became ITL's highest priority project.

So, these days we don't do any reverse engineering or malware analysis any more. We'd rather design systems so they be immune to rootkits by design (e.g. by significant TCB reduction), rather then analyze each and every new rootkit sample caught in the wild and try to come up with a detector for it.

Of course, this all doesn't mean we're giving up on our offensive research. There is still a chance you will hear about some new attacks from us. But this would surely be limited only to the attacks that we consider relevant in an environment that is already designed with security in mind, like Qubes :) So, e.g. an attack against VT-d, or some CPU exploit, or a Xen exploit, might be extremely interesting. But don't expect to see any research on how to e.g. compromise Windows 7 or Mac kernel or break out of their primitive sandboxes -- these systems are so badly designed from a security standpoint, that coming up with a yet-another attack against them makes little sense from a scientific point of view.

Naturally, I'm all excited about this all: that I've been exploring new areas, and that my work has eventually started becoming meaningful. But that is, of course, only mine subjective opinion. Specifically, this turned out not be the case for Alex, who simply enjoys reverse engineering and compiler hacking just for the sake of doing it (Alex did some excellent job on metamorphic code generators, that are years ahead of what you can read at public conferences). Unfortunately, with the current new course we took at ITL, Alex started getting less and less chances to apply his skills, and faced a decision whether to stay at ITL and do other things, i.e. other than reversing or compiler hacking, or to quit and continue doing what he has always liked to do.

The reader has probably figured out by now that Alex decided to quit ITL. I fully understand his decision and wish him all the best in his new adventures!

You should still be able to reach Alex using his old ITL's email address (alex@), or directly via his new email: alex.tereshkin at


Peter Joseph said...

I recall the early days of the blog well! I read some very interesting things that opened my eyes. The main thing I realised was just how futile modern operating systems and security vendors interests are. They are fighting a battle they can never win trying to protect fundamentally flawed operating systems/applications etc. Insecure by design.

You are working in the right direction and I hope you will start a revolution in OS design.

I'm sure Alex will do well in his future endeavours and people have to do what they feel is best for them.


Gynvael Coldwind said...

Hmm, sounds like a logical decision... but I still feel kinda sad - you've really done great research together!

Anyways, Alex - good luck seeking new stuff to work on, I'm really looking forward to what you may publish in the future! :)

Same goes to Joanna & Rafal - I'm very interested how work on Qubes will develop :)

gl&hf ;)

Anonymous said...

Joanna, nice post very professional. You've been partners and friends for a long time, so I am sure that decision was not easy for either of you.

I took a course a few years ago with you and Alex on the Bluepill. It was very informative and the best technical course I have ever taken to date. I do understand your direction with Qubes, it makes complete sense. I look forward to using it, and seeing it develop.

All the best to you and Alex.