Secure Coding mailing list archives
Could mandates on disclosing software effects benefit security?
From: everhart at gce.com (Glenn and Mary Everhart)
Date: Wed, 31 Jan 2007 21:26:48 -0500
Hi, all... As I think about what trust is needed for computer operation, it seems at the moment we all play blind man's bluff... That is, we are given software from various points and asked to "just trust" the provider sight unseen, and with no simple way to find what the software should be doing.

Now, on the other hand, if a software package being installed or used had a specification of what exactly it writes and why it writes it, a user might reasonably hope to allow or disallow some of the writing, and might hope to be able to detect when some part of his machine's state was being altered where it should not be. In such a case, noticing and blocking viral or Trojan behavior becomes relatively easy, and a vendor tempted to add backdoors or worms or adware would have to include that within his list of what was done. Ideally such a list could be enforced during installs so that undisclosed actions would simply not take place, and fraudulent explanations might be subject of civil and criminal liability. (I would presume too that disclosing un-obfuscated source code would be an acceptable, if not as good, way to disclose effects.) There would be some vendors who would scream that they could not hide their secrets with such requirements, but I have seen plenty of cases where license keys and the like have been successfully managed even in systems open in this way.

Automated behavior detecting systems have implemented some of this kind of checking for a long time, at least as far back as my own "Safety" package's "paranoid mode" (1993) and probably much further, and in numerous Linux and Windows monitoring systems today. Their problem is that they attempt to gather information about what actions are "normal" by watching installations or operation, and as Sony showed last year, even companies often thought of as ethical sometimes have software that does things to your computer you may not authorize and should know about.
Question is: would it make sense to lobby for disclosure requirements of all writes software does, to whatever, and reasons for them, as conditions to make it fit for sale? Perhaps likewise to be a (or the?) defense against claims the software is doing things to others' machines without authorization? Certainly such lists would require more of everyone installing software, at least in principle (I imagine permission interpreters would alleviate most work), but they would also make it possible for the first time to give trust in an informed way. With reports of 25% of the net being infected with malware, it could be high time for something to allow trust not to be as promiscuously given as in the past.

Glenn C. Everhart (Everhart at gce.com home)
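The declared-writes manifest the post proposes, as an added example that is not code from the post, from the "Safety" package, or from any vendor: the installer ships a list of the paths it will write and why, an observer records what it actually wrote, and a checker reports (or, in enforce mode, drops) anything not declared. The manifest entries, the observed write list and the two undeclared paths are all constructed sample data; the path-pattern syntax (shell globs, where `*` also crosses `/` so `/opt/acme/*` covers the whole subtree) is an assumption of this example. It also guards against the obvious way a vendor would game such a scheme, declaring a pattern so broad it discloses nothing.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed sample manifest: what the installer declares it will write, and why.
# Pattern syntax is an assumption of this example: shell globs, with '*' also
# matching '/' (fnmatch semantics), so "/opt/acme/*" declares the whole subtree.
DECLARED_WRITES = [
    {"path": "/opt/acme/*", "reason": "program files"},
    {"path": "/etc/acme.conf", "reason": "default configuration"},
    {"path": "/var/lib/acme/*", "reason": "license key and runtime state"},
]

# Constructed sample of writes observed while the installer ran (as a file-system
# monitor would record them). The last two are not in the manifest.
OBSERVED_WRITES = [
    "/opt/acme/bin/acme",
    "/opt/acme/lib/libacme.so",
    "/etc/acme.conf",
    "/var/lib/acme/license.key",
    "/etc/ld.so.preload",
    "/root/.ssh/authorized_keys",
]


@dataclass
class Verdict:
    allowed: list = field(default_factory=list)     # (path, declared reason)
    undeclared: list = field(default_factory=list)  # paths with no declaration


def validate_manifest(manifest):
    """Return the patterns that are too broad to count as disclosure.

    A pattern made only of wildcards and separators ("*", "/*", "/**") would
    'declare' every write on the machine, which defeats the purpose.
    """
    return [e["path"] for e in manifest if e["path"].strip("/*?") == ""]


def match_rule(path, manifest):
    """Return the manifest entry that declares `path`, or None."""
    for entry in manifest:
        if fnmatch.fnmatchcase(path, entry["path"]):
            return entry
    return None


def check_writes(observed, manifest):
    """Audit mode: classify every observed write as declared or undeclared."""
    verdict = Verdict()
    for path in observed:
        entry = match_rule(path, manifest)
        if entry is None:
            verdict.undeclared.append(path)
        else:
            verdict.allowed.append((path, entry["reason"]))
    return verdict


def enforce(observed, manifest):
    """Enforce mode: only declared writes are permitted to proceed."""
    if validate_manifest(manifest):
        raise ValueError("manifest contains catch-all patterns; refusing to enforce")
    return [p for p in observed if match_rule(p, manifest) is not None]


if __name__ == "__main__":
    bad = validate_manifest(DECLARED_WRITES)
    if bad:
        print("manifest rejected, catch-all patterns:", bad)
    v = check_writes(OBSERVED_WRITES, DECLARED_WRITES)
    for path, reason in v.allowed:
        print(f"declared   {path}  ({reason})")
    for path in v.undeclared:
        print(f"UNDECLARED {path}")
    print("writes permitted in enforce mode:", enforce(OBSERVED_WRITES, DECLARED_WRITES))
```

In audit mode the checker is the "paranoid mode" style monitor the post describes, but with the baseline supplied by the vendor's declaration rather than learned by watching; in enforce mode it is the install-time gate where undisclosed actions simply do not take place. The catch-all check matters because a manifest of `/*` with the reason "installation" satisfies the letter of a disclosure rule while disclosing nothing.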
Current thread:
- Could mandates on disclosing software effects benefit security? Glenn and Mary Everhart (Jan 31)
- Could mandates on disclosing software effects benefit bugtraq at cgisecurity.net (Jan 31)
- Could mandates on disclosing software effects benefit Glenn and Mary Everhart (Feb 01)
- Could mandates on disclosing software effects benefit bugtraq at cgisecurity.net (Jan 31)