Apple, Anti-Malware, Patents


Recently, there has been this trend. Blogs look for patents filed by companies and then report on each of them as if they are second coming of Jesus in technology. Especially if it is Apple who is doing the filings.

A few days ago, this new patent showed up about Apple’s “new wave approach to fighting malware” with the author giving up half-researched commentary on it.

I was intrigued by this news (if you can call it that), not because it’s something new but instead because process isolation is hardly a new concept. The author mentions “Qubes OS” as the one to be original inventor before Apple but in fact, it has been used for years (eg chrooting/containers in linux) and more popular recently in Android’s uid based approach. Even Qualcomm (and other SoC vendors) have stuff that helps in this space with Trustzone based isolation between processor entities at hardware level.

So, I wanted to check out what’s new here (which was not immediately clear and probably no one else tried to see it because the patent link is wrong in the article and it links to some display patent, not the one in question). The correct patent is this: http://www.freepatentsonline.com/RE43987.html

After going through the mangled language that any patent embodies, it is clear that “conceptually” it is similar to what has been done till now, but the approach is different. On the whole, the basic difference seems to be that linux uses chrooting, android uses separate users, Qubes adds a virtualization layer to achieve the above and Apple goes one further (not necessarily better) and makes it real/physical separate processor instead of a virtual one.

However, I’m still not sold on this and it doesn’t seem foolproof. (I’m not a security expert by any means, so please take the below with a tablespoon full of salt and you are free to add corrections or throw me out the window ;) ) In fact, it doesn’t seem much better than the current system but has an add-on of cost (extra physical processor, dedicated circuitry/components) and losing ease of use. Some points to be noted:

  1. The burden is still mostly on user. The user still needs to keep all his anti-malware programs updated all the time and be alert for each indication on the system and allow/disallow things to happen in system all the time to keep it protected. This approach is not going to save the system in any way if any of the above steps falter. Which is, pretty similar to what we see today.

  2. The approach does not mention aversion of several crucial points:

a. If processor P2 itself is compromised by the malware, then it is rendered useless in the scenario where P2 itself is tasked with scanning the memory/files on Memory M2 for malware. It can be made to just report “all clean” by malware as the scanning engine running on P2 is still accessible by network content in the same way it would have been on P1 in a non-dual-processor system.

b. P2 is connected to the video display subsystem and this can be used to malware’s advantage to trick user into clicking on wrong areas or doing wrong things in the same way as it is today

c. It says keypresses can be encrypted by P1 and decrypted by Network device 190 to allow P2 to not know what was pressed. But this again seems to not require the above approach. First, it requires a special network device now, not a generic one as mentioned in the patent. Second, since the network device itself needs to be configurable now for this, there is another attack vector there. This is, however, somewhat similar to what existing SoC solutions do in mobile space but that is better/feasible because the other end is a software entity and the mechanics of how it works is different.

d. For online gaming etc, where the influx of data is huge and needs to be processed in real time, P1 takes this data directly from M2 once P2 signals availability. Not sure, how is this different then from having a single processor system without the above isolation?

e. Several other things which I can keep typing about till my keys wear out.

TL;DR: This patent on its own may be a new idea (rather a new twist to an existing concept) but it is hardly something that can be put into practice and maybe the reason why Apple hasn’t actually produced anything with this, yet. It might become better with other ideas coupled (which Apple may have filed separate patents for but are currently unknown).

Aside: Why do patents cite archaic things? Every patent gives examples of some old stuff. E.g. Even though this patent was filed in 2011, it refers to Pentium 4 as an example of processors and Quake 3 Arena as an example of online games?


See also