Secure Coding mailing list archives

Could mandates on disclosing software effects benefit security?


From: everhart at gce.com (Glenn and Mary Everhart)
Date: Wed, 31 Jan 2007 21:26:48 -0500

Hi, all...

As I think about what trust is needed for computer operation, it seems at the 
moment we all play blind man's bluff...
That is, we are given software from various points and asked to "just trust" the 
provider sight unseen, and with no simple way to find what the software should 
be doing.

Now, on the other hand, if a software package being installed or used had a 
specification of what exactly it writes and why it writes it, a user might 
reasonably hope to allow or disallow some of the writing, and might hope to be 
able to detect when some part of his machine's state was being altered where it 
should not be.

In such a case, noticing and blocking viral or Trojan behavior becomes 
relatively easy, and a vendor tempted to add backdoors or worms or adware would 
have to include that within his list of what was done. Ideally such a list could 
be enforced during installs so that undisclosed actions would simply not take 
place, and fraudulent explanations might be subject to civil and criminal 
liability. (I would presume too that disclosing un-obfuscated source code would
be an acceptable, if not as good, way to disclose effects.)

There would be some vendors who would scream that they could not hide their 
secrets with such requirements, but I have seen plenty of cases where license 
keys and the like have been successfully managed even in systems open in this way.

Automated behavior detecting systems have implemented some of this kind of 
checking for a long time, at least as far back as my own "Safety" package's 
"paranoid mode" (1993) and probably much further, and in numerous Linux and 
Windows monitoring systems today. Their problem is that they attempt to gather 
information about what actions are "normal" by watching installations or 
operation, and as Sony showed last year, even companies often thought of as
ethical sometimes have software that does things to your computer you may not 
authorize and should know about.

Question is: would it make sense to lobby for disclosure requirements of all 
writes software does, to whatever, and reasons for them, as conditions to make 
it fit for sale? Perhaps likewise to be a (or the?) defense against claims the 
software is doing things to others' machines without authorization?

Certainly such lists would require more of everyone installing software, at 
least in principle (I imagine permission interpreters would alleviate most 
work), but they would also make it possible for the first time to give trust in 
an informed way.

With reports of 25% of the net being infected with malware, it could be high 
time for something to allow trust not to be as promiscuously given as in the past.

Glenn C. Everhart
(Everhart at gce.com  home)
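The post sketches two mechanisms: an install step that performs only the writes a package has declared (with a reason for each), and a later check that flags machine state the declaration does not account for. The following is an added illustration of both, written for this archive page; it is not code from the post, from the "Safety" package mentioned in it, or from any product. The manifest format, the package name "example-app", the file paths and all file contents are constructed for the example, and the "install" happens inside a temporary directory rather than on a real system.

```python
"""Declared-effects manifest: enforce at install time, audit afterwards.

A package ships a manifest listing every path it intends to write and why.
install() performs only writes that the manifest declares and records the
rest; audit() then walks the install root and reports any file the manifest
does not account for (state altered "where it should not be").
"""
import fnmatch
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class DeclaredWrite:
    pattern: str   # path relative to the install root, fnmatch-style glob
    reason: str    # vendor's stated reason for the write


@dataclass
class Manifest:
    name: str
    writes: list

    def allows(self, relpath):
        """True if some declared entry covers this relative path."""
        return any(fnmatch.fnmatch(relpath, w.pattern) for w in self.writes)


@dataclass
class InstallReport:
    performed: list = field(default_factory=list)   # relpaths written
    refused: list = field(default_factory=list)     # (relpath, reason) pairs


def install(root, manifest, actions):
    """Apply (relpath, content) write actions under root, honouring the manifest."""
    root = os.path.realpath(root)
    report = InstallReport()
    for relpath, content in actions:
        full = os.path.normpath(os.path.join(root, relpath))
        # a declared list is meaningless if a path can climb out of the root
        if os.path.commonpath([root, full]) != root:
            report.refused.append((relpath, "escapes install root"))
            continue
        if not manifest.allows(relpath):
            report.refused.append((relpath, "not declared in manifest"))
            continue
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        report.performed.append(relpath)
    return report


def audit(root, manifest):
    """Return files under root that no manifest entry accounts for."""
    stray = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if not manifest.allows(rel):
                stray.append(rel)
    return sorted(stray)


def demo():
    """Run the constructed scenario; returns (InstallReport, stray files)."""
    # constructed manifest for a hypothetical package
    manifest = Manifest("example-app", [
        DeclaredWrite("bin/example-app", "program executable"),
        DeclaredWrite("etc/example-app.conf", "default configuration"),
        DeclaredWrite("share/doc/example-app/*", "documentation"),
    ])
    # constructed write actions the installer proposes; the last two are
    # not declared and must be refused
    actions = [
        ("bin/example-app", "#!/bin/sh\necho hello\n"),
        ("etc/example-app.conf", "verbose=0\n"),
        ("share/doc/example-app/README", "example documentation\n"),
        ("etc/cron.d/example-job", "# undeclared scheduled job\n"),
        ("../outside.txt", "x"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        report = install(root, manifest, actions)
        # simulate some other process dropping an undeclared file later
        os.makedirs(os.path.join(root, "lib"), exist_ok=True)
        with open(os.path.join(root, "lib", "unexpected.so"), "w") as fh:
            fh.write("")
        stray = audit(root, manifest)
    return report, stray


if __name__ == "__main__":
    rep, strays = demo()
    print("performed:", rep.performed)
    print("refused:", rep.refused)
    print("undeclared files present after install:", strays)
```

The install step refuses rather than logs-and-continues, which is the "undisclosed actions would simply not take place" behaviour the post asks for; the separate audit pass is what a monitoring tool would run periodically, and because it compares against a published declaration rather than against observed "normal" behaviour, it does not need a learning phase.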


