PATTERN Cited by 1 source

Format-aware malware check before OS handoff¶

A client-side defense pattern: an app performs format-conformance, risk-indicator, spoof-detection, and dangerous-type checks on untrusted media / attachments at the app layer, before the bytes reach OS-provided libraries that the app cannot patch.

The pattern is motivated by the forcing-function pair:

concepts/os-library-vulnerability-ungovernable — the app depends on OS libraries it can't patch.
concepts/patch-lag — even when the OS is patched, installed-base lag can be months.

Given these, the app must assume the OS library is buggy on some fraction of devices at any moment — and defend before handoff.

Canonical wiki instance¶

WhatsApp's wamedia + Kaleidoscope (2015–present, Rust rewrite 2026-01-27). Introduced after the 2015 Android Stagefright vulnerability:

"The bug lay in the processing of media files by operating system-provided libraries, so WhatsApp and other applications could not patch the underlying vulnerability. Because it could often take months for people to update to the latest version of their software, we set out to find solutions that would keep WhatsApp users safe, even in the event of an operating system vulnerability."

WhatsApp modified its existing cross-platform C++ wamedia library — originally built to send and consistently format MP4 files — to detect files which do not adhere to the MP4 standard and might trigger bugs in vulnerable OS libraries on the receiver side.

Over time the check set grew into Kaleidoscope — the full ensemble:

Non-conformant structure detection on specific file types to defeat parser-differential exploits on OS libraries.
Risk-indicator checks inside higher-risk file types — e.g. PDFs with embedded files + scripting.
File-type spoofing detection — extension or MIME type mismatch with content bytes.
Known-dangerous-type uniform flagging — executables / apps flagged for special UX handling.

Architectural requirements¶

For the pattern to work reliably, three things must hold:

The checker is in the trust boundary — runs before the OS-library handoff, can block the input.
The checker is memory-safe itself — since it processes untrusted input automatically, a memory-safety bug in the checker is a new attack surface. Meta's 2026 Rust rewrite of wamedia is exactly this follow-on investment. See patterns/memory-safe-language-for-untrusted-input.
The checker is consolidated, not duplicated per platform — per-platform divergence in the check creates a parser-differential that the attacker can exploit. See concepts/cross-platform-client-library.

What it costs¶

Engineering investment in the check set (encoding format rules, maintaining them across spec revisions, researching known-trap patterns).
False-positive risk — legitimate files that deviate from strict conformance may be blocked.
Cannot detect all malware — the pattern is mitigation, not elimination. Meta's honest framing: "format checks will not stop every attack, this layer of defense helps mitigate many of them."
Per-platform build support if the checker is cross-platform in a non-lingua-franca language (e.g. Rust on iOS/Android/Web/Wearables).

Adjacent patterns¶

Sandboxing the OS library — complementary; works where the platform permits.
In-app copy of the library — alternative; works where platform permits and the library is small enough to re-ship.
Disable the risky feature — extreme response; loses UX.

Seen in¶

sources/2026-01-28-meta-rust-at-scale-an-added-layer-of-security-for-whatsapp — canonical wiki instance. Full lineage: 2015 Stagefright → wamedia format-check → Kaleidoscope check ensemble → 2026 wamedia Rust rewrite so the checker is memory-safe itself.