Comments on: 2011: The year of mobile malware? Nope.

By: Tweets that mention 2011: The year of mobile malware? Nope. â€“ On the road to Bandol -- Topsy.com

Sat, 22 Jan 2011 10:08:46 +0000

[…] This post was mentioned on Twitter by David Rogers, Eric Vetillard. Eric Vetillard said: Will 2011 be the year of mobile malware? I don't think so, and static analysis will help http://bit.ly/dYnb1F (#MoCaSa followup) […]

By: Eric VÃ©tillard

Eric VÃ©tillard — Thu, 20 Jan 2011 21:21:36 +0000

Hi Craig,

There is still one point on which I kind of disagree. Strong typing makes the analysis easier, but I don’t think that it is the most difficult part. I rather beileve that the most difficult part comes from the fact that native code execution is arbitrary, and that it can be used to manipulate code pointers. Thismakes the analysis much more complex, because it greatly increases the possible number of execution patterns. There is already some work about such native code analysis, which works under the condition that the code satisfies some properties. This is quite likely to come in the near future.

If we come tu rumors, I would even say that static analysis is one good reason for Apple to force the use of their tools. If the code generated by their tools satisfies a few interesting properties, it makes advanced static analysis possible, which can significantly reduce the cost of vetting applications. Now that can be considered as a competitive advantage, or as a very nice way to balance automation and human discretion very efficiently.

By: Craig Heath

Craig Heath — Thu, 20 Jan 2011 18:42:39 +0000

I think we are actually in agreement here, it just goes to show the limitations of Twitter’s 140 characters! Bytecode is much easier to do effective static analysis on, because of the type safety and the inability of the code to manipulate references to arbitrary objects. The vast majority of malware on the Symbian platform is compiled native ARM code though, which is rather harder to make any reliable judgements about. Nevertheless, static analysis has its part to play, and we agree that there has to both an element of automation and an element of human discretion, so the trick is just how to balance those two most efficiently.