MOBILE MALWARE: WHY THE TRADITIONAL AV PARADIGM IS DOOMED AND HOW TO USE PHYSICS TO DETECT UNDESIRABLE ROUTINES

The traditional Anti-Virus paradigm focuses on signature-based and behavioral detection. These require substantial processing, which hurts the limited power resources of handsets. Also, carriers are reluctant and slow to deliver Firmware Over The Air (FOTA) patches, due to the rigorous testing they need to subject updates to and the costs of over-the-air updates. A move to cloud-based screening fails to recognize that not all threats will be propagated over the backbone: they may obfuscate themselves in transit, or fight back (as rootkits do) to evade reporting or the use of techniques such as the "Google kill switch".

Hardware vendors are evaluating security solutions with hardware support, such as TrustZone, but while this reduces the vulnerabilities, it still exposes an attack surface. Software-based attestation has been proposed by several research groups, based on various techniques that rely on the physics of the device (such as the speed of the bus, etc.) to detect undesirable routines. These techniques typically require some hardware support on the device, though, such as trustworthy authentication (of the device to an external verifier) and a timer that cannot be manipulated by malware.
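To make the two hardware requirements above concrete, here is an added toy model of a software-based attestation exchange; it is not the speakers' technique or code. An external verifier sends a nonce, the device computes a nonce-seeded checksum over its memory, and the verifier checks both the checksum and the cost of producing it. A read counter stands in for the timer that malware cannot manipulate, and a keyed tag stands in for device-to-verifier authentication; the image size, cost model and slack are constructed assumptions.

```python
import hashlib
import hmac
import os
import random

def checksum(read, size, nonce, rounds):
    """Nonce-seeded pseudo-random traversal of memory through the read callback.
    Each next index also depends on the byte just read, so answers cannot be precomputed."""
    rng = random.Random(nonce)
    h = hmac.new(nonce, digestmod=hashlib.sha256)
    idx = rng.randrange(size)
    for _ in range(rounds):
        b = read(idx)
        h.update(bytes([b]))
        idx = (rng.randrange(size) ^ b) % size
    return h.digest()

class Device:
    """The prover. `clock` models the tamper-proof timer: here it simply counts
    memory reads (a constructed cost model, not wall-clock time)."""
    def __init__(self, key, memory, shadow=None):
        self.key, self.memory, self.shadow, self.clock = key, bytes(memory), shadow, 0

    def _read(self, i):
        self.clock += 1
        if self.shadow is not None:   # rootkit answering from a clean copy of the image
            self.clock += 1           # must redirect every read: the forgery costs extra time
            return self.shadow[i]
        return self.memory[i]

    def attest(self, nonce, rounds):
        self.clock = 0
        digest = checksum(self._read, len(self.memory), nonce, rounds)
        msg = nonce + digest + self.clock.to_bytes(8, "big")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()   # authenticated response
        return digest, self.clock, tag

def verify(key, expected_image, device, rounds=4096, slack=0.05, nonce=None):
    """External verifier: knows the good image, the device key and the expected cost."""
    nonce = nonce or os.urandom(16)
    digest, cycles, tag = device.attest(nonce, rounds)
    msg = nonce + digest + cycles.to_bytes(8, "big")
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        return "reject: response not authenticated"
    expected = checksum(lambda i: expected_image[i], len(expected_image), nonce, rounds)
    if not hmac.compare_digest(digest, expected):
        return "reject: checksum mismatch"
    if cycles > rounds * (1 + slack):   # an honest device costs exactly `rounds` reads here
        return "reject: too slow for the hardware"
    return "ok"

if __name__ == "__main__":
    image = bytes(range(256)) * 16        # constructed 4 KiB firmware image
    print(verify(b"device-key", image, Device(b"device-key", image)))
```

A device whose memory has been patched fails the checksum; a rootkit that answers from a clean shadow copy returns the right digest but exceeds the timing bound, which is why the timer itself must be out of the malware's reach.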
