The Antivirus Dead Canary Sketch

  • Darren Bilby, Google Senior Security Engineer, describes antivirus like a canary in a coal mine.
  • Mathematician Alan Turing proved that AV is an impossible problem in 1936, long before malware existed.
  • Bromium Hardware Task Isolation works because it doesn’t rely on solving the Halting problem.
(Image: dead parrot) We know this is a parrot and not a canary, but how could we resist?

Senior Google Security Engineer Darren Bilby recently described antivirus as a “useless tick boxing exercise” at a conference in New Zealand. He states that, while antivirus does some useful things, “In reality it is more like a canary in a coal mine. It is worse than that. It’s like we are standing around the dead canary saying, ‘Thank god it inhaled all the poisonous gas’.”

Detection doesn’t work

Darren Bilby is perfectly correct. The sad thing is that we have known AV is an impossible problem since long before malware (or even the computer in any modern sense of the word) existed. Back in 1936 the legendary mathematician Alan Turing proved that no algorithm can decide, from a general description of a program and an input, whether the program will finish running or run forever; this is known as the Halting Problem. This rather irritating proof has big implications for the world of AV, because it means you also cannot predict whether a program will be good or bad; ergo AV as a concept is flawed, and no amount of shiny new detection features can ever make it reliable.
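The argument the paragraph leans on is the standard diagonalization behind the Halting Problem, applied to a “good or bad” verdict instead of a “halts or loops” one (Fred Cohen made the same move for virus detection in the 1980s). The Python below is an added illustration, not Bromium’s code and not any AV product’s logic: the toy world, the `forbidden_action` definition of “malicious”, the three candidate detectors and the `contrarian` program are all constructed for the example. Whatever static verdict a detector returns about `contrarian`, the program does the opposite, so every detector is wrong on at least one input.

```python
"""Why a perfect "good or bad" decider cannot exist: a diagonalization sketch.

Added illustration (not Bromium's code, not an AV product's logic). The
setting is constructed: a "program" is a Python function that receives the
detector under test and a fake host (a dict), and it counts as malicious
if running it sets host["infected"]. A "detector" is any function that
maps a program to True (bad) or False (good) without running it.
"""


def forbidden_action(host):
    """The one behaviour we call malicious in this toy world."""
    host["infected"] = True


def benign(detector, host):
    host["notes"] = "hello"


def overtly_bad(detector, host):
    forbidden_action(host)


def contrarian(detector, host):
    """Asks the detector what it thinks of `contrarian`, then does the opposite."""
    if detector(contrarian):
        return                    # verdict "bad": stay harmless
    forbidden_action(host)        # verdict "good": misbehave


def run(program, detector):
    """Execute a program against a fresh fake host and return the host."""
    host = {}
    program(detector, host)
    return host


def actually_malicious(program, detector):
    """Ground truth, obtained by running the program (exactly what AV cannot do safely)."""
    return run(program, detector).get("infected", False)


def verdict_is_wrong(detector, program):
    """True if the detector's static verdict disagrees with observed behaviour."""
    return detector(program) != actually_malicious(program, detector)


# Three candidate detectors of the kind a vendor might ship.
def signature_detector(program):
    """Flags any program whose bytecode references the known-bad symbol."""
    return "forbidden_action" in program.__code__.co_names


def paranoid_detector(program):
    return True   # block everything


def naive_detector(program):
    return False  # allow everything


DETECTORS = [signature_detector, paranoid_detector, naive_detector]


def detectors_fooled_by_contrarian():
    """Names of the detectors that misclassify `contrarian` (all of them)."""
    return [d.__name__ for d in DETECTORS if verdict_is_wrong(d, contrarian)]


if __name__ == "__main__":
    print("signature detector right on benign:", not verdict_is_wrong(signature_detector, benign))
    print("signature detector right on overtly_bad:", not verdict_is_wrong(signature_detector, overtly_bad))
    print("fooled by contrarian:", detectors_fooled_by_contrarian())
```

The signature detector gets the easy cases right and is still beaten by `contrarian`, which is the practical lesson: detection can reduce risk, but any control that relies only on a verdict taken before the program runs leaves a gap that has to be covered by something else.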


Darren Bilby goes on to say “And sure you are going to have to spend some time on things like intrusion detection systems because that’s what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help.”

Hardware Task Isolation doesn’t rely on detection

This is why Bromium was founded in the first place. Five years ago Bromium’s founders accepted that detection doesn’t work. Alan Turing proved it. Instead we decided to do exactly what Darren Bilby is requesting and spend some time working on something that does actually help: Hardware Task Isolation.

Rather than relying on solving the Halting Problem, our isolation approach assumes that everything originating from outside the machine is bad and that we can’t possibly detect all the bad things it might do. So we use the power of hardware isolation to put each user task, such as a Word document or an IE browser tab, into a tiny virtual machine.

At this point, if malware does run, it infects the virtual machine but cannot get out onto the user’s host machine, which remains clean. As soon as the user task is ended, by closing the document or browser tab, the entire micro-VM, including any evil malware in it, is thrown away forever. The really clever part is that we do all this with minimal alteration to the native user experience. Imagine if remediating crypto malware were as simple as having the user close the evil document that delivered it, rather than having to re-image the machine and recover the lost data!
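To make the “throw the micro-VM away” lifecycle concrete, here is an added Python model of a disposable per-task sandbox as a copy-on-write overlay over the host’s files. It is illustration only, not Bromium’s code or a description of its implementation: the overlay design, the `HostState` and `MicroVM` classes, the sample file set and the “evil document” payload are all assumptions constructed for the example, and the payload merely prefixes file contents rather than encrypting anything.

```python
"""Disposable per-task sandbox modelled as a copy-on-write overlay.

Added illustration, not Bromium's implementation. Assumptions: host state
is a flat mapping path -> bytes; each task gets a MicroVM whose reads fall
through to the host and whose writes and deletes land in a private
overlay; closing the task discards that overlay.
"""


class HostState:
    """The user's real machine. Tasks never get a reference that can mutate it."""

    def __init__(self, files):
        self._files = dict(files)

    def read(self, path):
        return self._files[path]

    def paths(self):
        return set(self._files)

    def snapshot(self):
        return dict(self._files)


class MicroVM:
    """One task's private view of the host: copy-on-write, discarded on close."""

    def __init__(self, host, task_name):
        self._host = host
        self.task_name = task_name
        self._overlay = {}      # path -> bytes written by the task
        self._deleted = set()   # paths the task removed
        self.is_open = True

    def list_files(self):
        return sorted((self._host.paths() | set(self._overlay)) - self._deleted)

    def read(self, path):
        if not self.is_open:
            raise RuntimeError("task already closed")
        if path in self._deleted:
            raise FileNotFoundError(path)
        if path in self._overlay:
            return self._overlay[path]
        return self._host.read(path)

    def write(self, path, data):
        if not self.is_open:
            raise RuntimeError("task already closed")
        self._deleted.discard(path)
        self._overlay[path] = data

    def delete(self, path):
        self._overlay.pop(path, None)
        self._deleted.add(path)

    def close(self):
        """The user closes the document or tab: everything the task did is thrown away."""
        self._overlay.clear()
        self._deleted.clear()
        self.is_open = False


def simulated_encrypting_payload(vm):
    """Constructed stand-in for crypto malware: rewrites every visible file and
    drops a note. It only prefixes the bytes; nothing here is real encryption."""
    for path in vm.list_files():
        vm.write(path, b"ENC:" + vm.read(path))
    vm.write("C:/Users/alice/README_DECRYPT.txt", b"pay up")


def run_task_in_micro_vm(host, payload):
    """Run `payload` in a fresh MicroVM, capture what it saw, close the task,
    and return (view inside the VM, host state afterwards)."""
    vm = MicroVM(host, "untrusted document")
    payload(vm)
    inside = {p: vm.read(p) for p in vm.list_files()}
    vm.close()
    return inside, host.snapshot()


# Constructed sample host used by demo() and the checks.
SAMPLE_HOST_FILES = {
    "C:/Users/alice/report.docx": b"quarterly numbers",
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost",
}


def demo():
    host = HostState(SAMPLE_HOST_FILES)
    return run_task_in_micro_vm(host, simulated_encrypting_payload)


if __name__ == "__main__":
    inside, outside = demo()
    print("inside the micro-VM:", inside)
    print("host after close:   ", outside)
```

Inside the task every file looks overwritten and the ransom note exists; after `close()` the host is byte-for-byte what it was. The model also makes explicit what the protection depends on: the task only ever holds the `MicroVM` handle and never the `HostState`, and in a real deployment enforcing that separation is the hypervisor boundary’s job, not the application’s.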

A security approach that truly protects

Just like other security vendors, we cannot solve the Halting Problem. But unlike other vendors, we have done something that actually helps, because we accepted the mathematical proof as true and sought an alternative approach: virtualization.

If you were at Darren Bilby’s presentation in New Zealand, or have seen it in the press since and agree with him that “We need to stop investing in those things we have shown do not work,” please come and speak to us.

We promise not to show you another dead canary.
