Apple's 'new wave' anti-malware patent takes a leaf out of Qubes' book

A new patent awarded to Cupertino could signal that native resource and memory isolation may be a future Apple security mechanism.
Written by Liam Tung, Contributing Writer

Apple has been awarded a patent for a computer system architecture designed to fend off exploits and malware by isolating network interface programs from a computer's main memory storage — an idea that's not new, but could offer a native alternative to existing resource and memory isolation tools.

Apple was awarded patent No. RE 43,987 on 5 February based on an application it filed in 2011 — just over a year before the OS X Flashback Trojan outbreak that, for some, shattered the myth that Apple's OS X is immune to the threat posed by malware.

Distinguishing its idea from existing technologies, the patent highlights what Apple sees as the limitations of "state of the art" hardware and software-based malware blockers, sweepers and firewalls from companies like Symantec, Lavasoft, Spy Sweeper, Webroot, and Javacool.

The "basic flaw" with antivirus software is that "all incoming executable data files must be resident on the computer's main processor to perform their desired function," the patent says.

"Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems," Apple adds.

Another shortcoming is that these products are "not effective" against vulnerabilities, but the major problem Apple identifies is an architectural one, relating to how programs share memory storage space — particularly where applications run in the browser and execute code downloaded from the internet, such as Java applets or executable files.

Network interface programs, such as the browser, sit on the same processor as the operating system and other trusted programs, and if malware writers can circumvent security measures, they can corrupt files on the shared memory storage medium, Apple notes.

"What is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs," according to Apple.

'Protected memory area'

Its vision is to constrain network interface programs by giving them "access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area", which would prevent malware from automatically being able to corrupt system and user files on the main memory storage area.

"If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example."

Although the isolation Apple describes in the patent is a sound idea, its goal is very similar to that of other efforts such as the Qubes OS project, according to Rapid7 security researcher Claudio Guarnieri.

"The basic idea is to make every critical process, which Apple describes as network-connected, blind to every other process's resources," Guarnieri told ZDNet.

"Apple's segmentation approach is to have slices of memory inaccessible from one context to another, in order to contain a potential compromise within the originating slice, protecting the whole system and the other applications from being affected too. To achieve the same goal, Qubes OS instead uses full virtualisation to allocate separated resources for each domain."

"Theoretically, resource isolation is not a new concept, but being able to implement it natively in the operating system would be a great step forward for Apple products' security."