Engineering Philosophy: Joanna Rutkowska

Joanna Rutkowska, security researcher and creator of Qubes OS

Key Takeaways

She built a desktop operating system on the assumption that it would be compromised. Joanna Rutkowska is the Polish security researcher who created Qubes OS – “a reasonably secure operating system” – around the principle of security by compartmentalization. Instead of trying to make the system bug-free, Qubes splits your digital life into isolated virtual machines called “qubes” (work, personal, banking, untrusted), so that a breach in one is contained and cannot reach the others.¹²
Her offensive reputation came first – she breaks systems to learn how to isolate them. At Black Hat 2006 she presented Blue Pill, a proof-of-concept rootkit that used AMD hardware virtualization to slide a thin malicious hypervisor underneath a running OS, trapping it inside a virtual machine it could not see. Attacking the deepest layers of the platform is what taught her which layers you must never trust.³
She turned “distrust the infrastructure” into architecture. In a keynote titled “Security Through Distrusting,” Rutkowska argued that the industry’s habit of making components “trusted” is naive and does not scale – better to treat any single component as potentially compromised, distrust nearly all of them, and have no single point of failure.⁵ Qubes is that argument compiled into a working desktop.²
She probed the platform layers everyone else trusted blindly. Beyond Blue Pill she did pioneering work attacking System Management Mode and Intel Trusted Execution Technology, and in 2009 she coined the “Evil Maid” attack, defeating full-disk encryption like TrueCrypt through brief physical access. Each attack mapped a trust boundary that turned out to be a lie.¹⁴

The Principle

“All software contains bugs… Rather than attempting to prevent every possible exploit, Qubes assumes that exploitation will happen and focuses on containing the damage.” – the Qubes OS introduction, paraphrasing its founding rationale²

Most security engineering chases an impossible target. You audit the code, patch the holes, harden the configuration, and tell yourself that if you are careful enough the system will be secure. Rutkowska’s career is a long, patient demonstration that the target is a mirage. A modern desktop runs tens of millions of lines of code – kernel, drivers, browser, PDF reader, firmware – and every one of those lines is a place a bug can hide. You will not find them all, and your adversary only needs one. So the honest question is not “how do I make this bug-free?” but “when – not if – something gets in, how much can it reach?”²

The answer Rutkowska built is security by isolation. If you cannot prevent a compromise, you can decide in advance how far it spreads. Qubes splits the machine into separate virtual machines – one for work, one for banking, one for personal browsing, one for opening sketchy attachments – each running on the Xen hypervisor with its own boundary. Open a malicious link in the untrusted qube and the malware lands in a sealed room. It never shared a trust boundary with your banking qube, so it cannot reach your credentials, and you can simply throw the compromised qube away.¹² The physical world already works this way: you do not vote, sleep, and store cash in the same undivided room, and Qubes asks why your computer does.²

There is a second half to the principle, and it is the harder one: distrust the infrastructure, and shrink what you are forced to trust. In her “Security Through Distrusting” keynote, Rutkowska argued that calling a component “trusted” is not a compliment – it is an admission that the component is “capable of destroying my whole security integrity” if it fails.⁵ So the discipline is to treat nearly every component as potentially compromised, to remove single points of failure, and to keep the trusted computing base – the code whose correctness everything else depends on – as small as you possibly can.⁵² You will trust something in the end. The craft is making that something tiny, inspectable, and few.

Context

Joanna Rutkowska was born in 1981 in Warsaw, Poland, and earned a master’s degree in computer science from the Warsaw University of Technology.¹ She came up not as a defender but as an offensive researcher, and a famously good one – in the mid-2000s she was probing the lowest, most-trusted layers of the x86 platform, the layers that defensive security usually treats as solid ground.

Her breakout was Blue Pill, demonstrated at the Black Hat Briefings on 3 August 2006, alongside work showing how to defeat Windows Vista’s kernel-protection mechanisms. eWeek named her one of the “Five Hackers who Put a Mark on 2006.”¹³ In April 2007 she founded Invisible Things Lab in Warsaw, the consultancy and research shop that became the home for her platform-security work.¹ Over the following years she and her collaborators – Alexander Tereshkin and Rafal Wojtczuk among them – published attacks on the Xen hypervisor, on Intel Trusted Execution Technology, and on System Management Mode, the deeply privileged “ring -2” execution mode below even the operating-system kernel.¹ In 2009 she coined the Evil Maid attack, a physical-access technique that compromises a laptop’s boot process to steal the passphrase of full-disk encryption such as TrueCrypt.⁴

Then she did the thing offensive researchers rarely do: she built the defense. Work on Qubes OS began around 2010 with Wojtczuk, and Qubes 1.0 was released on 3 September 2012, built on the principle of security by compartmentalization.¹ She led the project for years, and the approach drew public endorsements from figures as varied as Edward Snowden and the cryptographer Daniel J. Bernstein.² In later years she moved toward privacy and decentralization work; the specifics of her most recent projects are best read from her own current channels rather than summarized secondhand, and this piece keeps to what is firmly on the record.¹

The Work

Qubes OS: security by compartmentalization

Start here, because Qubes is the principle made into something you can actually run. The design begins by conceding the war that most security tools pretend to be winning: all software has bugs, and some of those bugs are exploitable.² Qubes does not try to be the unbreakable system. It tries to be the system where a break does not matter very much.

The mechanism is the Xen hypervisor. Beneath everything sits a thin hypervisor and a special administrative domain called dom0, which controls the display and hardware but is deliberately kept off the network. Above it run your qubes – lightweight virtual machines, each scoped to a purpose and a trust level.¹² You might keep a “work” qube, a “banking” qube, a “personal” qube, and an “untrusted” qube for opening anything that arrived from a stranger. Each qube’s windows carry an unforgeable colored border, so you can see at a glance which security domain a given window belongs to.² Crucially, the qubes share root filesystems through a template system, so they stay light and patch together, while their private data stays isolated.² And for the riskiest tasks there are disposable qubes – VMs that spin up to open one PDF or one link and then self-destruct, taking any infection with them.²

Interactive security-compartmentalization demo (requires JavaScript). You keep banking, work, personal browsing, and email on one computer. In a normal "monolithic" operating system they all share one trust boundary, so a single compromise -- a malicious link opened in the browser -- can reach everything, including your banking credentials. Qubes OS, created by Joanna Rutkowska, splits those activities into isolated virtual machines called qubes. Open the same malicious link and the breach is sealed inside the one qube it landed in; your other domains never shared a boundary with it, so they stay safe, and you can simply discard the compromised qube. Toggle between a monolithic system and Qubes, trigger the compromise, and watch how far it spreads.

Why it matters as engineering: Qubes reframes the unit of security from “the machine” to “the domain.” On a normal desktop, every application you run shares one address space of trust – your browser, your tax software, and the attachment you should not have opened are all one bad bug away from each other. Qubes makes the boundary between domains a hardware-enforced wall rather than a hopeful convention. The cost is real – more RAM, more friction, the discipline of deciding which qube a task belongs in – and Rutkowska is candid that security through distrust “is no panacea” because it trades against usability.⁵ But the payoff is that the worst case stops being catastrophic. A compromise is no longer “they own my computer.” It is “they own one disposable room, which I am about to delete.”

Breaking the platform: Blue Pill, SMM, and the Evil Maid

You cannot design good isolation boundaries until you know exactly which boundaries are fake, and Rutkowska learned that by attacking them. Blue Pill, her 2006 Black Hat demonstration, is the clearest case. It was a proof-of-concept rootkit that exploited AMD’s hardware virtualization (AMD-V) to do something audacious: start a thin hypervisor on a running machine and migrate the live operating system into a virtual machine beneath it, on the fly.³ From inside that VM, the OS would see a normal world – but the hypervisor below it could intercept “hardware interrupts, requests for data and even the system time,” feeding the trapped OS whatever answers it liked.³

It is worth being precise about what Blue Pill was and was not. It was a proof of concept, not malware found in the wild, and its boldest claim – that such a hypervisor rootkit could be made “100% undetectable” – was disputed, with other researchers proposing timing-based detection.³ But the contested headline is not the lesson. The lesson is the attack surface it exposed: the assumption, baked into every operating system, that the layer it runs on is benign. Blue Pill showed that virtualization could turn the most-privileged layer into the attacker’s home turf – and that whatever you trust to be “below” you is exactly what you cannot verify from “above.”

The same instinct drove the rest of her offensive work. With collaborators she attacked System Management Mode, the obscure, hyper-privileged firmware mode that runs beneath the kernel, and Intel Trusted Execution Technology, a feature whose entire purpose was to establish trust.¹ And in 2009 she coined the Evil Maid attack: leave an encrypted laptop unattended in a hotel room, and a “maid” with brief physical access can tamper with the unencrypted bootloader so it captures your passphrase the next time you type it.⁴ Full-disk encryption like TrueCrypt was vulnerable because the boot code could not authenticate itself to the user – you had no way to know the loader asking for your passphrase was still yours.⁴ Every one of these attacks is a map of a trust boundary that did not hold. The defensive architect who later built Qubes already knew, from the inside, which walls were load-bearing and which were painted on.

Joanna Rutkowska presenting platform-security research

Distrust the infrastructure: shrinking the trusted computing base

Qubes is not just “run everything in VMs.” The deeper design principle is minimizing and distrusting the trusted computing base – the set of components whose correctness the whole system’s security rests on. Rutkowska’s keynote “Security Through Distrusting” states the philosophy bluntly: the conventional drive to make components “trusted” is “overly naive and non-scalable,” because in security “trusted” really means a component “capable of destroying my whole security integrity” if it goes wrong.⁵ The correct response is to assume any single component may be compromised, distrust nearly all of them, and design so there is no single point of failure.⁵

You can see this principle in Qubes’s specific choices. The administrative domain dom0 is deliberately denied network access, because a dom0 that could be reached over the network would be a single point whose compromise owns the machine.² Networking and USB are themselves pushed into their own isolated qubes, so that a bug in a network card driver or a malicious USB device lands in a sandbox rather than in the kernel everything trusts.² Files crossing between domains are handled defensively – the same “treat it as potentially pwned” logic Rutkowska applied to how Qubes processes images and PDFs.⁵ And disposable qubes embody the distrust most directly: rather than trusting a PDF reader not to be exploited, you assume it will be, run it in a VM you are about to destroy, and let the explosion happen in an empty room.²

The throughline is humility about your own code. A system that trusts a large, complex component is making a large, complex bet. Rutkowska’s architecture works to make the bet small – to shrink the trusted computing base down to a thin hypervisor and a network-isolated dom0, and to treat almost everything above that as expendable, replaceable, and presumed hostile.²⁵

Joanna Rutkowska presenting Qubes OS at LinuxCon Europe

From the desktop to decentralization

Rutkowska led Qubes for years, then turned toward the broader problem the operating system only partly solves: even a perfectly compartmentalized desktop still trusts the infrastructure around it – the cloud storage, the network, the services that hold your data.¹⁵ Her later work moved toward privacy and decentralization, extending the same distrust outward from the single machine to the systems it talks to. The precise shape and status of those projects is best taken from her own current writing rather than paraphrased here; what carries across cleanly is the principle, not the product. The instinct is constant: assume the infrastructure is compromised, and architect so that the assumption costs you as little as possible.⁵

The Method

Read across Qubes, Blue Pill, the SMM and TXT attacks, and “Security Through Distrusting,” and the same commitments recur. Rutkowska’s method is less a slogan than a set of standing habits.

Assume compromise; design for the blast radius. The founding move is to concede that prevention will fail and ask how far a breach spreads.² At scale this is the security twin of what Werner Vogels does for reliability – everything fails all the time, so contain the blast radius rather than pretend you can avoid the failure. The lesson transfers far past Qubes: do not architect for the case where nothing gets in; architect so that when something does, it is trapped in a small, disposable cell. It is the evidence gate applied to security – “no one has broken in yet” is not evidence; “a breach here cannot reach there” is.

Distrust the infrastructure, and prove the boundary. Treat every component as potentially pwned and refuse to grant trust by default.⁵ This is Thompson’s “Reflections on Trusting Trust” turned into desktop architecture: you cannot trust what you have not examined, so stop trusting the layers you cannot see and wall them off instead. The discipline is to ask of every component, “if this is compromised, what does it own?” – and to redraw the boundaries until the answer is “almost nothing.”

Break it yourself before someone else does. Rutkowska’s defense is built on a decade of offense – Blue Pill, SMM, Evil Maid – because you cannot isolate a boundary you have not first proven is fake.³⁴ This is the exact instinct Adi Shamir brought to cryptography: attack to defend, and trust only what survives a serious attempt to break it. The standing habit is to put on the attacker’s hat first, map which of your trust assumptions are lies, and design the walls where the lies were.

Shrink the trusted computing base. The fewer lines of code your security depends on, the smaller your bet.²⁵ A thin hypervisor and a network-isolated dom0 are an inspectable wager; a monolithic kernel with every driver and service inside the trust boundary is a blind one. It is minimum worthy product applied to trust: the cleanest trusted base is the smallest one that still does its single job. Strip the trust down to what must be trusted, and presume the rest hostile.

Be honest about the trade-off. Rutkowska does not oversell – she says plainly that security through distrust “is no panacea” and costs usability and convenience.⁵ The habit is to name the price of the security you are buying rather than hide it, so the next engineer can weigh it. That candor is quality is the only variable applied to security: the real guarantee, stated with its costs, is worth more than a comfortable promise that quietly does not hold. A boundary you understood and chose beats one you assumed and inherited.

Influence Chain

Who Shaped Her

The offensive-research community of the mid-2000s. Rutkowska rose inside the platform-attack culture of Black Hat and low-level systems hacking, where the work was to find the assumption nobody questioned and break it.³ That culture’s central reflex – distrust the layer everyone trusts – became the spine of her defensive work. (Formative influence)

The hardware-virtualization wave. Blue Pill was possible only because AMD-V and Intel VT-x had just made hardware virtualization mainstream.³ The same technology she used as a weapon in 2006 became the foundation she built isolation on in Qubes, where Xen turns the hypervisor from an attacker’s tool into a defender’s wall.¹² (Direct influence)

The Xen and hypervisor-security lineage. Her years analyzing and attacking Xen taught her exactly how strong – and how fragile – hypervisor isolation is, knowledge that shaped Qubes’s decision to keep dom0 off the network and push drivers into isolated domains.¹² (Formative influence)

Who She Shaped

Privacy-conscious computing. Qubes became the recommended desktop for journalists, activists, and security researchers who need to assume targeted compromise – a real tool for people whose threat model is a state, not a slogan.²

The compartmentalization mindset. “Security by isolation” and “reduce the trusted computing base” propagated well beyond Qubes into how sandboxing, container isolation, and per-app virtualization are reasoned about across the industry.²⁵

Defenders who break first. Rutkowska is a standing example that the strongest defensive architects are often former attackers – that mapping the real trust boundaries by breaking them is the prerequisite to drawing them correctly.³⁴

The Throughline

Rutkowska is the isolation keystone of this series – the figure who answers “the system will be breached” not with despair but with architecture. Adi Shamir attacks to defend in cryptography, trusting only what survives a real attempt to break it; Rutkowska runs that same loop one layer down, breaking hypervisors and boot chains so she can build a desktop that survives their compromise.³⁴ Thompson and Ritchie gave us the warning that you cannot trust what you did not build and examine yourself; Rutkowska’s “distrust the infrastructure” is that warning turned into a running operating system, where the untrusted layers are walled off rather than hoped about.⁵ And where Werner Vogels says everything fails all the time, so contain the blast radius for reliability, Rutkowska says the same for security: Radia Perlman designed networks assuming the hostile and failing case is the design center, and Rutkowska designs machines that way. Where Vogels contains a failing disk and Perlman contains a failing link, Rutkowska says: the attacker is already inside – so isolate every domain, distrust every layer, and make the breach a disposable room you can throw away. (Series bridge)

What I Take From This

The lesson I keep from Rutkowska is to design for the breach, not against it. My instinct, like most builders’, is to harden the thing – validate the input, patch the dependency, lock the config – and treat security as a wall I am trying to make tall enough. “All software contains bugs” is the rebuke: the wall will be breached, because there is always one more bug, and the question that actually matters is what the attacker reaches once they are over it. So when I build something now – an auth boundary, a service that runs untrusted input, a feature that touches money – I try to ask “when this is compromised, what is the blast radius?” before I ask “how do I keep it out?” The honest version of secure is not “I cannot see how this breaks.” It is “when it breaks, the damage is trapped in one room I can delete.”

The second lesson is reasonable paranoia about what I am forced to trust. It is easy to wave a component through as “trusted” and move on, but Rutkowska reframed that word for me: calling something trusted is admitting it can destroy everything if it fails. That changed how I draw boundaries. Every library I pull in, every service I depend on, every layer I run on top of is a bet that it is correct – and the size of the bet is the size of my trusted computing base. So I try to keep that base small and inspectable, to push the risky and the complex into sandboxes I presume hostile, and to be honest, the way she is, that the isolation costs me convenience. The paranoia is not pessimism. It is the discipline of knowing exactly what I am trusting, and making that list as short as I possibly can.

FAQ

What is Qubes OS?

Qubes OS is a free, open-source, security-oriented desktop operating system created by Joanna Rutkowska, described by the project as “a reasonably secure operating system.”² It uses the Xen hypervisor to split your computing into isolated virtual machines called qubes – separate compartments for activities like work, banking, personal browsing, and opening untrusted files. Because the qubes are isolated, a compromise in one cannot reach the others, so the damage from any single breach is contained. It also supports disposable qubes that self-destruct after use, and gives each domain an unforgeable colored window border so you can see which compartment a window belongs to.¹²

What is security by isolation (compartmentalization)?

Security by isolation, or compartmentalization, is the principle at the heart of Qubes: rather than trying to make software bug-free, you assume compromise will happen and contain the damage by dividing the system into isolated domains.² The Qubes introduction makes the analogy to physical life – you naturally separate activities into different rooms – and applies it to a computer where everything would otherwise share one trust boundary.² The complementary half is “distrust the infrastructure”: treat every component as potentially compromised, remove single points of failure, and keep the trusted computing base as small as possible.⁵

What was the Blue Pill?

Blue Pill was a proof-of-concept rootkit Joanna Rutkowska demonstrated at Black Hat on 3 August 2006. It used AMD hardware virtualization (AMD-V) to start a thin malicious hypervisor on a running machine and migrate the live operating system into a virtual machine beneath it, so the hypervisor could intercept and fake the OS’s view of hardware, interrupts, and even system time.³ Rutkowska’s claim that such a rootkit could be “100% undetectable” was disputed, with other researchers proposing timing-based detection. It was a research demonstration of an attack surface – the assumption that the layer below your OS is benign – not malware found in the wild.³

What is the Evil Maid attack?

The Evil Maid attack is a physical-access technique Joanna Rutkowska named in a 2009 blog post. If an attacker gains brief unsupervised access to an unattended, encrypted laptop – in a hotel room, say – they can tamper with the unencrypted boot code so it secretly captures the user’s full-disk-encryption passphrase the next time it is entered.⁴ Full-disk encryption systems such as TrueCrypt were vulnerable because the boot loader could not authenticate itself to the user, so the victim had no way to tell the compromised loader from the legitimate one.⁴ It is a vivid demonstration that encryption alone does not protect a machine an adversary can physically touch.

Sources

“Joanna Rutkowska,” Wikipedia. Polish security researcher, born 1981 in Warsaw, Poland; master’s degree in computer science from the Warsaw University of Technology. Presented attacks on Windows Vista kernel protection and the Blue Pill technique at Black Hat 2006, using hardware virtualization; named one of eWeek’s “Five Hackers who Put a Mark on 2006.” Founded Invisible Things Lab in Warsaw in April 2007. With collaborators (Alexander Tereshkin, Rafal Wojtczuk) published research attacking the Xen hypervisor, Intel Trusted Execution Technology, and System Management Mode. Coined the “Evil Maid” attack in 2009. Began Qubes OS development with Wojtczuk around 2010; Qubes 1.0 released 3 September 2012, built on the principle of “security by compartmentalization” using isolated lightweight virtual machines called “qubes.” Later moved toward privacy and decentralization work. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
“Introduction,” Qubes OS documentation (qubes-os.org), and “Qubes OS,” Wikipedia. Qubes OS is a free, open-source, security-oriented operating system for single-user desktop computing, with the project tagline “A Reasonably Secure Operating System.” It implements “Security by Isolation”/”security by compartmentalization,” operating on the premise that “all software contains bugs” and that perfect, bug-free software is impossible – so rather than attempting to prevent every exploit, Qubes assumes exploitation will happen and focuses on containing the damage by keeping valuable data separate from risky activities. Uses the Xen hypervisor to isolate applications into virtual machines (“qubes”), each with a purpose, nature (Fedora/Debian/Windows template), and trust level; an administrative domain (dom0) manages hardware/display and is kept off the network; networking and USB are pushed into isolated qubes. Features include disposable qubes that self-destruct when shut down, a shared-template system for app qubes, split GPG, and unforgeable colored window borders identifying each security domain. Created by Joanna Rutkowska (initial release 3 September 2012); the approach has been publicly endorsed by figures including Edward Snowden and Daniel J. Bernstein. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
“Blue Pill (software),” Wikipedia. Blue Pill is a proof-of-concept rootkit, designed by Joanna Rutkowska and first demonstrated at the Black Hat Briefings on 3 August 2006, that uses x86 hardware virtualization (originally AMD-V/SVM, later ported to Intel VT-x). It works by “trapping a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it,” after which “hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.” Rutkowska claimed it could achieve “100% undetectability,” a claim that was disputed – AMD dismissed it and other researchers proposed timing-based detection methods. It was a proof of concept and research demonstration, not malware found in the wild. ↩↩↩↩↩↩↩↩↩↩↩↩
“Evil maid attack,” Wikipedia. An evil maid attack targets an unattended device through physical access, compromising it in an undetectable way so the attacker can later access its data. The term was introduced by security analyst Joanna Rutkowska in a 2009 blog post, describing a method for compromising the boot process/firmware of an unattended computer (e.g., via an external USB flash drive) to circumvent full-disk encryption such as TrueCrypt. Such systems are vulnerable because they “are susceptible to evil maid attacks due to their inability to authenticate themselves to the user” – an attacker can modify the encryption loader code to capture the passphrase. The attack requires the victim to leave the device unattended once (to plant the compromise) and again afterward (to retrieve the captured data). ↩↩↩↩↩↩↩↩↩
Iain Thomson, “Security industry needs to be less trusting to get more secure,” The Register, 7 December 2017, reporting on Joanna Rutkowska’s keynote “Security Through Distrusting.” Rutkowska, chief executive of Invisible Things Lab, argued that the conventional security-industry focus on making systems “trusted” is “overly naive and non-scalable to more complex systems,” because in computer security “trusted” means a piece of code “is capable of destroying my whole security integrity.” Her alternative is to treat any single component in a system as potentially compromised – distrusting nearly all components and actors and having no single point of failure – a principle she applied in Qubes to how it handles image and PDF files. She acknowledged that “security through distrust is no panacea because it involves trade-offs, particularly in usability and convenience.” ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩