Apple's 'new wave' anti-malware patent takes a leaf out of Qubes' book

Summary: A new patent awarded to Cupertino could signal that native resource and memory isolation may be a future Apple security mechanism.

Apple has been awarded a patent for a computer system architecture designed to fend off exploits and malware by isolating network interface programs from a computer's main memory storage — an idea that's not new, but could offer a native alternative to existing resource and memory isolation tools.

Apple was awarded patent No. RE 43,987 on 5 February based on an application it filed in 2011 — just over a year before the OS X Flashback Trojan outbreak that, for some, shattered the myth that Apple's OS X is immune to the threat posed by malware.

Distinguishing its idea from existing technologies, the patent highlights what Apple sees as the limitations of "state of the art" hardware- and software-based malware blockers, sweepers and firewalls, citing vendors and products such as Symantec, Lavasoft, Spy Sweeper, Webroot, and Javacool.

The "basic flaw" with antivirus software is that "all incoming executable data files must be resident on the computer's main processor to perform their desired function," the patent says.

"Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems," Apple adds.

Another shortcoming is that these products are "not effective" against the underlying vulnerabilities, but the major problem Apple identifies is architectural: it concerns how programs share memory storage space, particularly where applications running in the browser execute code downloaded from the internet, such as Java applets or executable files.

Network interface programs, such as the browser, sit on the same processor as the operating system and other trusted programs; if malware writers can circumvent security measures, they can corrupt files on the shared memory storage medium, Apple notes.

"What is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs," according to Apple.

'Protected memory area'

Its vision is to constrain network interface programs by giving them "access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area", which would prevent malware from automatically being able to corrupt system and user files on the main memory storage area.

"If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example."
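The recovery path the patent describes (wipe the protected area, restore it from an image held in the main area) is worth seeing as concrete logic, so here is an added example of that pattern at the file-system level. It is not the patent's text and not Apple code. For illustration it assumes that the "main memory area" is a directory the network-facing program never writes, that the "protected memory area" is a scratch directory the program works in, and that a SHA-256 manifest kept beside the image is used to detect drift before restoring. The image contents and the "infection" are constructed. On a real system the boundary itself would have to be enforced by the OS (a separate user, a sandbox profile, or in Qubes' case a virtual machine); the script only shows the detect-and-restore step.

```shell
#!/bin/sh
# Added example (not from the patent or Apple): file-level stand-in for a
# "protected memory area" that is wiped and restored from a golden image.
# Assumptions: directories play the role of memory areas; sha256sum and
# standard POSIX tools are available; enforcing the boundary is out of scope.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMAGE="$WORK/main/browser-image"     # golden copy, lives in the "main" area
AREA="$WORK/protected/browser"       # the only place the network program may write

digest_tree() {
    # One "<sha256>  ./path" line per file, sorted so two trees compare as text.
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

make_image() {
    # Constructed golden image: a couple of files a browser profile might hold.
    mkdir -p "$IMAGE"
    printf 'homepage=about:blank\n' > "$IMAGE/prefs.cfg"
    printf 'trusted-extension-v1\n'  > "$IMAGE/extension.js"
    # The manifest is kept beside the image in the main area, never inside the
    # protected area, so a compromise there cannot rewrite its own baseline.
    digest_tree "$IMAGE" > "$IMAGE.manifest"
}

provision_area() {
    # Give the network program a fresh copy of the image to work in.
    rm -rf "$AREA"
    mkdir -p "$(dirname "$AREA")"
    cp -R "$IMAGE" "$AREA"
}

verify_area() {
    # Returns 0 if the protected area still matches the manifest, 1 if any file
    # was added, removed or modified; the differing manifest lines are printed.
    current=$(digest_tree "$AREA")
    expected=$(cat "$IMAGE.manifest")
    if [ "$current" = "$expected" ]; then
        echo "protected area matches image"
        return 0
    fi
    echo "protected area drifted from image:"
    printf '%s\n%s\n' "$current" "$expected" | LC_ALL=C sort | uniq -u
    return 1
}

restore_area() {
    # The patent's recovery step: delete everything in the protected area and
    # re-create it from the image held in the main area.
    provision_area
}

tamper_area() {
    # Constructed stand-in for a compromise of the network program: it alters a
    # file it legitimately owns and drops a new one.
    printf 'evil-payload\n' >> "$AREA/extension.js"
    printf 'dropped\n' > "$AREA/dropper.bin"
}

make_image
provision_area
verify_area                 # clean copy
tamper_area
verify_area || true         # drift reported: extension.js changed, dropper.bin added
restore_area
verify_area                 # clean again
```

The manifest deliberately lives outside the area the network program can write; a baseline the compromised component can edit is no baseline at all. The same layout also means that anything the user legitimately changed inside the protected area is lost on restore, which is the trade-off the patent's "simply delete all files" wording glosses over.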

Although the isolation Apple describes in the patent is sound, its goal is very similar to that of existing efforts such as the Qubes OS project, according to Rapid7 security researcher Claudio Guarnieri.

"The basic idea is to make every critical process, which Apple describes as network-connected, blind to every other process's resources," Guarnieri told ZDNet.

"Apple's segmentation approach is to have slices of memory inaccessible from one context to another, in order to contain a potential compromise within the originating slice, protecting the whole system and the other applications from being affected too. To achieve the same goal, Qubes OS instead uses full virtualisation to allocate separated resources for each domain."

"Theoretically, resource isolation is not a new concept, but being able to implement it natively in the operating system would be a great step forward for Apple products' security."

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

23 comments
  • "Theoretically, resource isolation is a new concept" -- you mean *not* ...

    ... new concept, right?

    As to the essence, since Apple filed for this patent like two years ago and yet still did not implement it, this might mean that the burdens of this method are not considered to be worth the cause.
    DDERSSS
  • Nobody said...

    Apple was immune, just far more secure than the alternatives. And any infection would come from the cross platform garbage, hoping to gain a foothold via the pressing 'need' to 'support' PC level 'quality' on an otherwise better, more secure, platform.
    comp_indiana
    • As I recall

      From the many ZDNet posts about the Mac malware issue there were quite a few die hard Mac users who said that this was a lie cooked up by Ed Bott, that there was no Mac malware. Some even said there was never any Mac malware ever. Granted they were the most rabid frothing at the mouth Apple fanbois on ZDNet.
      athynz
      • Hmmm...

        IIRC Ed made no distinction between malware in general and viruses, to construct an alarmist premise that OSX was riddled and no different to Windows in that respect. Which I'm sure you will agree, is over simplifying the issue because the Mac Defender problem was NOT a virus but a traditional PEBKAC approach.
        Still, it's obvious from posters here that a lot (most) of Windows users thought that it was a virus and that provoked the fanbois into hyperbole mode... and there is never much factual truth in that scenario.
        frogspaw
      • Thinking out loud on a Monday afternoon.

        It seems to me that with our internet centric universe, the burden of malware protection has fallen on the ISPs of the world in conjunction with major hardware platform manufacturers, international bank security forces and private security companies hired by those aforementioned business concerns rather than thru third party anti-malware software.

        For example, the MacDefender malware was defeated not thru anti-malware or anti-virus software, not thru a particular OS internal security feature or features but thru the combined efforts from those concerns that I mentioned above. Those responsible for the MacDefender malware were taken into custody by the authorities and that was how this particular malware threat was eliminated.

        I could cite other examples that mirror that example. So could you.

        Don't get me wrong, any means that an OS can internally protect its users from malware attacks needs to be implemented. If Apple is to be used as an example (as this blog does), then this patent might bear fruit someday in a future iOS or OS X release.

        Now, having stated that, for whatever reason, the malware plague that Ed Bott saw in his crystal ball falling upon OS X systems never materialized to the degree he suggested. Indeed, except for the socially engineered malware attacks that target ANY and ALL OS system users (and which no anti-malware software or internal OS security features can successfully combat since it involves direct circumvention of those security features by the end user), my platform of choice has served me well in protecting me from harm. I don't use third party anti-malware software on my OS X computers but I very infrequently check those systems with one or with checking software specifically designed to detect a particular infection threat. In eight years, my system has remained free from malware infestation. And I'm not the only person that could make that claim. (Remember, I stated I do check my systems occasionally but infrequently)

        By the way, Java had been uninstalled more than a few years ago on my systems. Flash is updated automatically and, of course, iOS devices are immune to Flash or Java attacks.
        kenosha77a
        • echoing your thinking

          Indeed, the sole reason most malware is stopped today is the coordinated effort by plenty of agencies and enterprises (mostly ISP related) to catch the criminals and isolate the infrastructure they use. Sometimes this is trivial, sometimes more difficult. But the efforts of the "antivirus companies" are at best pathetic. For many years, they have no longer even understood their target.

          The process of hardening even the most absurd platforms from a security standpoint, like Windows, makes the operation of those antivirus tools ineffective. Even Microsoft discovered that by making their OS harder to penetrate, they make it also harder for the "anti malware" software to operate too -- and this is all good.

          The irony here is that most of those international malware network shutdown setups were built primarily to protect Windows, because it became evident traditional "security" is not helping. But the same setups were used to neutralise Mac malware even before it made any significant harm.
          danbi
      • That was a lie cooked up by the likes of Ed Bott and other

        bloggers on the M$ payroll. The only way to get anything on an Apple is to install it yourself, and how many people go and willingly install a virus or malware on their own computers?
        I Am Galactus
        • OS X Malware

          "The only way to get anything on an Apple is to install it yourself, and how many people go and willingly install a virus or malware on their own computers?"

          That's not always true...
          http://arstechnica.com/security/2012/07/mac-spying-malware/
          dvm
      • As you imagine, you mean.

        I don't recall seeing anyone accuse Ed Bott of lying, rather just being annoyed at him jumping up and down crying "See, see, Macs can get viruses too!. I told you so"
        rfoto
      • Not "malware", but "viruses"

        Liam wrote: "shattered the myth that Apple's OS X is immune to the threat posed by malware."

        Actually, there was NEVER any such "myth". During the past 13 years that OS X has been in existence, there have been a handful (probably less than a dozen in total) Trojans written for the Mac. We have always known that there were those few Trojans... but there has NEVER been a Mac "virus" (that is NOT a "myth"!).

        Apple's advertising in the past had a statement that reflected this fact, by saying that Macs do not have viruses. That statement was true then, and it's still true today.

        The comparison was/is Macs have zero viruses, while Windows OS have thousands of viruses. Again, that is no "myth" (even though the Microsoft fanboys would like it to be untrue ;-).
        Harvey Lubin
        • Malware vs virus

          Why do you talk about viruses since the blogger never mentioned them? He specifically talked about malware, something OS X isn't immune to.

          "The comparison was/is Macs have zero viruses, while Windows OS have thousands of viruses. Again, that is no "myth" (even though the Microsoft fanboys would like it to be untrue ;-)."

          What I find interesting is that while OS X has no viruses, it lacked many important security mechanisms. For example, it didn't have full ASLR support or a sandbox for applications until 10.7, while both features were supported in Vista. Maybe that was the reason OS X was so easily hacked in the Pwn2Own events. Charlie Miller at one time mentioned about OS X, "OS X has always been way behind on security, but now it's more or less comparable [to Windows]. Once you have ASLR and DEP and some sandboxing, that's all anyone has."

          So it looks like Windows was the one ahead with security features. From what I have read, OS X 10.7/10.8 and Windows 7/8 are very similar on their security features.
          dvm
  • RE:Apple was immune, just far more secure than the alternatives

    Are you joking? Ask Nils:
    "For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There's nothing in the Mac operating system that will stop you."

    Or maybe Dino Dai Zovi:
    "On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

    It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X."

    Or maybe you want ask Charlie Miller? Better no...

    This 'protected memory area' is a nice idea, but still I prefer to have modern anti-exploit mitigation provided by Microsoft in Windows and by EMET, than have only this one feature.
    Mr.SV
    • Really?

      Many hundreds of thousands of pieces of malware available to target Windows computers vs. a handful targeting the Mac.

      Does SV stand for "sucker, virtual?"
      DM108
      • Targeted doesn't mean they hit

        Just like a car crash if you are a lazy driver...

        I hurt your feelings? That's why you react so emotionally and start a personal attack?
        Mr.SV
      • Yes, people make more malware for Windows

        It might have to do with how many people, and by extension how many ignorant people, use Windows.
        Michael Alan Goff
        • Plus

          It is also important to note that as long as Windows is way easier to penetrate than any other platform, it will be the first to target -- because you get more return for your investment, fast.

          In most jurisdictions, you are punished harder if you break into a locked house than if you enter through the many wide open doors. So that plays a role, too.
          danbi
          • Security

            "It is also important to note, that as long as Windows is way easier to penetrate than any other platform, it will be the first to target -- because you get more return for your investment, fast."

            Interesting that for many years OS X was easier to penetrate and hack in the Pwn2Own events. OS X lacked many important security features, while Windows had them since Vista. But at the same time, Windows was the platform with more malware. IMO, to say that Windows is easier to penetrate because of the quantity of malware doesn't make sense. Charlie Miller at one time mentioned that OS X is safer because there is less malware. But if an attacker cared to target them it would be easier for them.

            From what I had read, both OS' are very close with their security mechanisms, but at the same time they have to keep up, something, IMO, MS is doing better.
            dvm
          • That's not correct anymore

            It used to be, but it's not anymore.
            Michael Alan Goff
    • Working from dated info

      Memory layout randomization is now used throughout the Mac OS, just like Windows. The comments you mention came about when MS added substantial support for this in 2007 at the same time Apple added it to only a limited subset of its OS. So at the time MS did a better (although incomplete) job of this, mostly because they needed to.

      With each release of the OS Apple better protected memory, and today both OS's do a very complete job of it.
      DougPetrosky
      • RE:Memory layout randomization

        OS X got "full" ASLR support with Mountain Lion in 2011; my quotes are from 2009, from here:
        http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941

        Yes, I know they are a little outdated, but considering the memory protection offered by OS X and Windows today, these quotes are still valid. Windows has implemented more technologies like ASLR, for example SEHOP (enabled by default on Windows Server editions; on desktop the user must enable this manually or via EMET), HEASLR (High Entropy Address Space Layout Randomization), ForceASLR and many more.

        Granted, at the end of the day everything depends on how the end user "drives" his "car".
        Mr.SV