In a key scene of the 2012 blockbuster James Bond film “Skyfall”, MI6 quartermaster Q, played by Ben Whishaw, realizes too late that plugging a cable into the laptop of a notoriously skilled terrorist like Raoul Silva (one of Javier Bardem’s most remarkable roles) was a terrible idea. After a few seconds of connection, the laptop infects the systems of MI6, releasing all physical doors and disabling all security guards, prompting Silva to escape and wreak havoc through the London Underground. A message appears on the laptop screen, taunting Q, reading “Not such a clever boy”.
It seems to us like Q was not aware of Joanna Rutkowska’s work before getting the job of quartermaster, let alone plugging that cable. Maybe it is time for MI6 to review their hiring processes.
Unbeknownst to most filmgoers, Ms Rutkowska is at the origin of the name “Evil maid attack”: an attack physically perpetrated against or through computing devices, allowing attackers to steal information or potentially even inject malware to be remotely activated later on.
(Kids: never plug your devices into those wall-mounted USB sockets you find in hotels and such. You have been warned. And no, we are not kidding.)
The noughties were a troublesome, yet revealing, decade for computer security, dictated by a global political turmoil that would trigger an even more complicated decade right after (and let us not talk about the current one, shall we).
In terms of computer security, after learning from Microsoft itself in 2002 that most software was vulnerable to exploits of a gazillion kinds, that network security was almost non-existent, and that the infrastructure of our modern world is at risk of collapsing every minute, the wake-up call has been violent, and the response, at best, sloppy and dull. Yes, we are now in 2025, and we have Rust, but until the great rewriting is over, we will have to deal with a world run by quite deficient software, at best. While we wait for our app to compile, the state of the world keeps degrading.
It is not like we did not know any better. Just like Cassandra, the daughter of Priam, himself king of Troy, who was cursed with the gift of prophecy and the inability to convince anyone of her predictions, we have had many experts warning the industry of impending disasters, to no avail. Suffice it to mention Window Snyder and Kate Moussouris, Bruce Schneier, and even our dear friend Anastasiia Vixentael.
It is mandatory for us to add Ms Rutkowska to this illustrious list of pioneers and experts. During the infamous decade of the 2000s she published quite an impressive series of papers about various research subjects, ranging from general security topics, to low-level Windows kernel exploits, to memory forensics, and to USB security. She is also the founder and main developer behind Qubes OS, described as a “reasonably secure operating system”, and praised by none other than Edward Snowden himself.
Needless to say, Ms Rutkowska has reached the status of a living legend in the field. And today we are going to focus our attention on one of those papers: “Intel x86 considered harmful”, published in October 2015.
(Spoiler alert: no, this is not about the Pentium FDIV bug of 1994, already quite the damning record for Intel, if you ask me. This is much worse; sensitive readers beware.)
It is, surprisingly, quite a readable paper for a software person like me, without an extended knowledge of hardware minutiæ. Her text starts with a very thoughtful and philosophical discussion about what the words “trust” and “trustworthy” mean; a fascinating topic we dedicated a whole issue to last April. Why and how do we consider a particular system trustworthy? Ms Rutkowska’s point of view is overwhelming and obliterating, in a quote we have shared previously in this magazine:
The word “trusted” is a sneaky and confusing term: many people get a warm fuzzy feeling when they read it, and it is treated as a good thing. In fact the opposite is true. Anything that is “trusted” is a potentially lethal enemy of any secure system. (…)
The Operating System’s kernel, drivers, networking- and storage-subsystems are typically considered trusted in most contemporary mainstream operating systems such as Windows, Mac OSX and Linux; with Qubes OS being a notable exception. This means the architects of these systems assumed none of these components could ever get compromised or else the security of the whole OS would be devastated. (…) Quite an assumption indeed!
Well, there you go Q, you clearly trusted your MI6 systems too much. (Well, in his defense, we can say the movie was filmed in 2012 and this paper was released 3 years later.)
She argues in her paper that modern Intel x86 platforms cannot be considered trustworthy due to their complex firmware, a series of never ending and persistent vulnerabilities in the boot process, and even worse, the introduction of opaque hardware components like the Intel Management Engine.
(Those readers with a good memory will also remember the curious fact that researchers discovered in 2017 that the Intel Management Engine had an embedded version of Minix 3 running inside of it, a fact never fully disclosed by Intel themselves. Minix, for those unaware, is a famous “Unix-like” operating system originally written in the 1980s by professor Andrew Tanenbaum to teach his operating systems class at the Vrije Universiteit Amsterdam. But as usual, I digress.)
The paper then dives into security aspects of the boot process of Intel CPUs, including BIOS, UEFI, and SMM, and how insecure the whole ensemble is in the end, even providing some recommendations about how to secure your Intel systems to the maximum possible extent (which, she argues, is not much). She gave a conference talk precisely around the subject of “reasonably trustworthy x86 laptops” in December 2015, right after the publication of this paper, also worth a watch.
Next comes a discussion about peripherals and their vulnerabilities, including network devices (again, Q, read this paper, please). And right after, a chapter dedicated to the Intel Management Engine, a topic she had been studying and lecturing about for quite a while at the time of the publication of this paper.
Intel ME is very much similar to the previously discussed SMM. Like SMM it is running all the time when the platform is running (but unlike SMM can also run when the platform is shut down!). Like SMM it is more privileged than any system software running on the platform, and like SMM it can access (read or write) any of the host memory, unconstrained by anything.
Yes, the mere fact of plugging your laptop into the main electricity socket is enough for the Intel Management Engine to kick off. And no, it cannot be disabled, leading to what Ms Rutkowska calls the “zombification” of general-purpose operating systems, and to the de facto existence of what she calls “an ideal rootkiting infrastructure”:
When reading through the “ME Book” it is quite obvious that Intel believes that 1) ME, which includes its own custom OS and some critical applications, can be made substantially more secure than any other general purpose system software written by others, and 2) ultimately all security-sensitive computing tasks should be moved away from the general purpose OSes, such as Windows, to the ME, the only-one-believed-to-be-secure-island-of-trust…
There is another problem associated with Intel ME: namely it is just a perfect infrastructure for implanting targeted, extremely hard (or even impossible) to detect rootkits (targeting “the usual suspects”).
You get the idea. I can only recommend diving into this fascinating text (particularly if you land the job of quartermaster at MI6) and, well, maybe choosing another architecture than x86 for your next laptop, if all else fails. Because according to Ms Rutkowska, the situation is not really different with AMD processors:
And it seems AMD has an equivalent of Intel ME also, just disguised as Platform Security Processor (PSP).
To finish this joyful edition of De Programmatica Ipsum dedicated to the topic of “Considered Harmful”, we can recommend Dijkstra’s own “Go To Statement Considered Harmful”; then, continue with “‘Stored Program Concept’ Considered Harmful: History and Historiography” by Hutchinson et al. Let us not forget about “Debunking the ‘Expensive Procedure Call’ Myth, Or Procedure Call Implementations Considered Harmful, Or Lambda: The Ultimate GOTO” by Guy Steele Jr. Also, “Recursive Make Considered Harmful” by Peter Miller, “Prototyping Considered Dangerous” by Michael Atwood et al., “Global Variable Considered Harmful” by Wulf and Shaw, “GOFAI Considered Harmful” by Drew McDermott, and “Electron considered harmful” by Drew DeVault.
After reading these pieces, however, you will have the eerie feeling that pretty much anything related to computers should be considered harmful. And you might be right. Le sigh.
Cover photo by the author.