Saturday, May 24, 2008

gaming the mac malware game theory

adam j. o'donnell has put up an interesting bit of analysis of malware attack strategies... it's interesting (to me at least) for 2 reasons: because of the focus on strategy, and because i can't honestly say i've seen game theory applied to the malware domain before... that said, i think there are some problems with it...

right off the bat there's the explanation of game theory as describing how rational players would interact with one another... no doubt this problem isn't unique to the current discussion, but not all the players involved in this particular game are rational; on the attackers' side many probably are but some definitely aren't (you probably need look no further than your junk mail folder for evidence of that), while on the users' side many don't even know they're playing this game in the first place... rationality is also a surprisingly subjective thing - it's an attribute characterized by making reasoned, logical decisions based on available facts, but how can person A know what facts person B has available to them? a decision in which a particular fact is significant will most likely seem illogical to the other party if only one of them knows that fact... this is problematic because one of the conclusions adam draws (that mac malware won't reach a tipping point until the mac reaches 1/6th market share) seems to require the entire malware writing population to adhere to the rationality that game theory assumes... i don't doubt that game theory can be used to model behaviour in populations, but i think its descriptive value exceeds its predictive value...

the subjectivity of rationality isn't the only problem with this sort of model, however; adam demonstrates another by focusing on a single motivation (financial gain) and thereby ignoring the subjectivity of value... while it is certainly true that financially motivated malware creation is a significant trend these days, there's little reason to think that the people who were using malware to get whatever rewards they sought before the commercial malware trend started have magically stopped doing so... there is a wide variety of motives and by extension a wide variety of value propositions for prospective malware creators...

beyond the overly narrow constraints on value, there appears to be an additional problem with the way the game itself is framed... by that i mean that the attacker is implied to have 2 strategies: attack platform A or attack platform B... it's still very early in the evolution of malware for the mac osx platform, but we already know there's a 3rd strategy; we've seen it in the wild in the zlob gang's approach i described before: attack platform A AND platform B...

this mischaracterization of the game points to a classic mac vs. pc mindset - a platform rivalry that has more meaning to users than it does to attackers... a rational attacker would recognize that the platforms are not fundamentally different, that attacks that can be applied to one can generally also be applied to the other (i.e. the 2 suggested strategies are not mutually exclusive), and that the cost of mounting an equivalent attack on a second platform is the cost of porting the malware rather than the cost of developing the entire attack from scratch... in this way the minority platform becomes little more than a special case that the attackers may decide to accommodate when revising their attack for the next wave of their malware campaign... and revising their attack is exactly what the more professional, financially motivated, rational attackers do when a malware campaign proves successful... after all, adding a feature (like mac attack capability) adds to the payoff they already have, rather than trading it for a different (and smaller) one...
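to make the porting-cost argument concrete, here's a toy payoff model... this is an added example, not adam's model and not anything from his post: the campaign size, infection rate, per-victim value, development cost and porting cost are all made-up assumptions, and it deliberately leaves out whatever defender-side terms his analysis uses to arrive at the 1/6th figure... what it does show is how differently the 2-strategy framing (pick a platform) and the 3-strategy framing (port to the second platform as well) treat a minority platform once porting is cheaper than building from scratch...

```python
"""illustrative attacker payoff model for the 2-platform malware game.

added example with made-up numbers; it is NOT adam o'donnell's model.
assumptions: a compromised machine is worth the same on either platform,
the infection rate is the same on both, and adding a second platform to
an existing attack costs a porting fee that is smaller than the original
development cost.
"""
from dataclasses import dataclass

EXCLUSIVE = ("windows_only", "mac_only")          # the 2-strategy framing
ALL = ("windows_only", "mac_only", "both")        # the 3-strategy framing


@dataclass(frozen=True)
class Campaign:
    population: float        # users reachable by the campaign (assumed)
    infection_rate: float    # fraction of targeted users compromised (assumed)
    value_per_victim: float  # expected payoff per compromised machine (assumed)
    dev_cost: float          # cost of building the attack from scratch (assumed)
    port_cost: float         # cost of porting it to a second platform (assumed)

    def gain(self) -> float:
        """gross payoff if every reachable user were targeted."""
        return self.population * self.infection_rate * self.value_per_victim


def payoff(c: Campaign, mac_share: float, strategy: str) -> float:
    """expected net payoff of one strategy at a given mac market share."""
    if strategy == "windows_only":
        return c.gain() * (1.0 - mac_share) - c.dev_cost
    if strategy == "mac_only":
        return c.gain() * mac_share - c.dev_cost
    if strategy == "both":
        # the windows attack is built once; the mac version is only ported
        return c.gain() - c.dev_cost - c.port_cost
    raise ValueError(f"unknown strategy: {strategy}")


def best_strategy(c: Campaign, mac_share: float, strategies=ALL) -> str:
    """strategy with the highest payoff among those the framing allows."""
    return max(strategies, key=lambda s: payoff(c, mac_share, s))


def exclusive_switch_share(c: Campaign) -> float:
    """mac share at which mac_only overtakes windows_only in the 2-strategy
    game; with equal per-victim value this is parity (0.5) regardless of cost."""
    return 0.5


def port_breakeven_share(c: Campaign) -> float:
    """mac share at which 'both' overtakes windows_only: gain * share > port_cost."""
    return c.port_cost / c.gain()


def sweep(c: Campaign, shares):
    """best strategy under each framing for a list of market shares."""
    return [
        (s, best_strategy(c, s, EXCLUSIVE), best_strategy(c, s, ALL))
        for s in shares
    ]


# constructed figures, chosen only to make the arithmetic easy to follow
TOY = Campaign(
    population=1_000_000,
    infection_rate=0.01,
    value_per_victim=10.0,
    dev_cost=20_000.0,
    port_cost=5_000.0,
)

if __name__ == "__main__":
    print(f"2-strategy game switches to mac at share {exclusive_switch_share(TOY):.2f}")
    print(f"3-strategy game ports to mac at share  {port_breakeven_share(TOY):.2f}")
    for share, excl, full in sweep(TOY, [0.02, 0.04, 0.10, 0.20, 0.40]):
        print(f"mac share {share:.2f}: 2-strategy -> {excl:13s} 3-strategy -> {full}")
```

with these numbers the 2-strategy framing never targets the mac until it reaches parity, while the 3-strategy framing adds it as soon as the extra victims cover the porting fee, which happens at a 5% share here... the exact break-even depends entirely on the assumed costs, so the number itself means nothing; the shape of the result (the minority platform is accommodated, not chosen) is the point...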
