Cybersecurity solutions that detect malware only at the software layer are inherently flawed. This fact rests on a basic principle proven nearly 100 years ago by the famous Austrian mathematician and logician Kurt Gödel. Gödel changed the face of mathematics with his Incompleteness Theorems. He proved that the completeness of the natural number system is, in fact, unprovable.
Since the natural numbers must themselves be used to prove their own completeness, they inherently provide an incomplete view of the entire picture. By this, Gödel demonstrated mathematically what the philosopher Wittgenstein described as the inability of language to refer to itself, because the reference itself uses language. Gödel showed that systems have a limited capability for self-description, owing to their dependence on a closed logical base. In layman's terms, if something is part of a system, that something cannot objectively analyze the system.
Computer science inherits the logical weaknesses exposed by Gödel. Because computers operate according to the logical rules from which they are mechanically composed, their "view" will always be inherently myopic. Modern malware detection solutions, which are all based solely on software, suffer from this flaw. As in Gödel's proof, anti-virus and sandbox platforms are incapable of examining the entire system while being a part of it, because they too are subject to its logical rules.
Zero-day attacks take advantage of previously unknown vulnerabilities, and thus undermine the rules of the system they are attacking. Cybersecurity platforms are unable to identify these hostile uses because they are incapable of seeing beyond the logic of the operating system. Companies continue offering software-level solutions and promise top-notch detection, while in fact they are caught in this logical knot and are blindsided by malicious activity conducted outside their limited scope of visibility.
Learning from Gödel, we believe that the only way to break through the inherent boundaries of a system is to look at the system from an outsider's point of view.
In practice, we at Perception Point achieve this by implementing two main principles. First, we use both software and hardware. This combination allows us to see core computing processes that others are simply not aware of. Second, we refrain from getting involved in the process itself: we watch and trace it but do not change it at all. This ensures that our extra layer of protection will not harm or crash the program we are protecting. Taking the observer's perspective gives us an unprecedented view from outside the system.
This article was inspired by "Gödel and the limits of logic" by John W. Dawson.
Special thanks to Yochai Greenfeld and Michael Calev for their help in preparing this article.