Secure Coding mailing list archives

Could mandates on disclosing software effects benefit


From: everhart at gce.com (Glenn and Mary Everhart)
Date: Thu, 01 Feb 2007 21:50:27 -0500

bugtraq at cgisecurity.net wrote:
Question is: would it make sense to lobby for disclosure requirements of all 
writes software does, to whatever, and reasons for them, as conditions to make 
it fit for sale? Perhaps likewise to be a (or the?) defense against claims the 
software is doing things to others' machines without authorization?

Certainly such lists would require more of everyone installing software, at 
least in principle (I imagine permission interpreters would alleviate most 
work), but they would also make it possible for the first time to give trust in 
an informed way.


People see Microsoft in the news all the time for having vulnerabilities and it isn't stopping
them from making money. Regarding websites, myspace and other large online companies have also
been bitten and aren't being negatively affected.

I think creation of federal guidelines requiring security in the development cycle would be a much more
practical way to force people to implement appropriate baseline security measures. To some extent
policies such as SOX are starting this process regarding certain types of data or environments. 

In the majority of cases without the threat of preventing business, you're not going to get people to do anything 
unless they absolutely need to. 

Regards, 

- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/
  



Enforcing "security" in development would however be so nebulous as to be 
unenforceable. On the other hand, disclosure of where anything was writing to 
the state of your machine can be done, and reasons given, regardless what 
attacks might exist. It is not a DIRECT security measure, but it could be 
effective if it were generally done. It does not mean any software must be 
secure, and does not directly assault the ridiculously unfair common "license 
agreement" conditions software vendors get away with. It would however mean a 
vendor must tell you what his program is going to do to your machine and why. If 
applied to Windows, it would mean a Windows license would entitle you to info 
about what every registry setting did, what was run at start or autonomously 
later, about most every now-hidden side effect of system calls (if they change 
machine state), and so on. It would not mean that every format would need to be
disclosed, so if for example a registry entry were written with a license key in 
it, it would be necessary to say the entry had a key written to it, but the 
algorithm and data used to compute this would not need to be disclosed. You as 
machine owner could tell if you wanted to allow that operation or not.

On the other hand most every piece of malware that changes machine state somehow 
would be writing something and infected code might be expected to be doing 
detectable writes somewhere that uninfected code did not.

I will submit that the bulk of kernel expertise at this point appears to be in 
the hands of malware folks, and absent some changes of environment like this,
connected computing outside of MAYBE non-programmable appliances is going to be
impossible. "Getting security designs used" has been tried repeatedly, and has never
worked in the "popular" systems. A few OSs exist that do better and there is 
some good research, but as long as people are not in the habit of demanding to 
know what software X is doing, and they just run it and hope it won't damage 
their systems too much, their machines will continue to be owned.

What I suggest is admittedly a libertarian kind of solution, in that it allows 
most anything to be out there, provided everybody is told exactly what it is. If 
people want the software equivalent of eating ground glass for themselves, as 
long as they are told what will happen, it is up to them. Evolution swings into 
action... On the other hand it does not try to mandate perfect software, and 
since the skill to write perfect software is darn rare and expensive, it does 
not demand people stop using what they can get. Requiring design considerations 
is in effect a kind of Prohibition (and will feed crime enterprises just the 
same). Requiring only some disclosure means more labels or pamphlets need to be 
produced (they are cheap to disseminate in the networked age!) but lets software 
be built by whoever tries.

If it were possible to get decent security quality labels on software I would 
suggest those too. If we started with modification disclosure, it might be 
possible to evolve in that direction. Then the cost of protecting oneself would 
drop. But let's start with something that might be doable and that can be done
technically by most everyone.


Glenn Everhart
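The mechanism Glenn sketches has two halves: a vendor discloses every write its software makes to machine state (files, registry entries, autostart hooks) together with a reason, and the machine owner, or a "permission interpreter" acting for them, decides which of those to allow; anything observed that was not disclosed is exactly the "detectable write" he expects infected code to produce. The following Python is an added illustration of that idea and is not part of the thread or of any product. The manifest format, the tab-separated write log, the owner policy and every path and key in them are constructed for the example; in practice the observed log would come from a file-system and registry monitor.

```python
"""
Check a vendor's declared-write manifest against the writes actually observed
while the software runs, then apply the owner's policy to the declared writes.
All data below is constructed for illustration (hypothetical product, paths
and keys); nothing here comes from the mailing list thread.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import json

# Registry locations that make something run at logon. A write under these is
# treated as "autostart" whatever the log or the manifest called it, so an
# autostart cannot be disclosed as an ordinary registry write.
AUTOSTART_PREFIXES = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run\\",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run\\",
)


@dataclass(frozen=True)
class DeclaredWrite:
    target: str   # glob pattern over a file path or registry key
    kind: str     # "file", "registry" or "autostart"
    reason: str   # the vendor's stated reason for the write


@dataclass(frozen=True)
class ObservedWrite:
    target: str
    kind: str


def classify(kind: str, target: str) -> str:
    """Normalise the kind: anything under a Run key counts as an autostart."""
    if target.casefold().startswith(AUTOSTART_PREFIXES):
        return "autostart"
    return kind


def load_manifest(text: str) -> list[DeclaredWrite]:
    """Manifest is a JSON list of {target, kind, reason} objects (constructed format)."""
    return [DeclaredWrite(e["target"], classify(e["kind"], e["target"]), e["reason"])
            for e in json.loads(text)]


def parse_observed(text: str) -> list[ObservedWrite]:
    """One observed write per line: <kind>TAB<target>. Blank lines are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, target = line.split("\t", 1)
        out.append(ObservedWrite(target, classify(kind, target)))
    return out


def is_declared(obs: ObservedWrite, manifest: list[DeclaredWrite]) -> bool:
    # Paths and registry keys are case-insensitive on Windows, so compare folded.
    return any(d.kind == obs.kind and fnmatchcase(obs.target.casefold(), d.target.casefold())
               for d in manifest)


def undeclared_writes(manifest: list[DeclaredWrite],
                      observed: list[ObservedWrite]) -> list[ObservedWrite]:
    """Writes the vendor did not disclose: what an owner would want flagged."""
    return [o for o in observed if not is_declared(o, manifest)]


def policy_decisions(manifest: list[DeclaredWrite],
                     policy: dict[str, str]) -> list[tuple[DeclaredWrite, str]]:
    """A minimal permission interpreter: the owner's per-kind rule ("allow",
    "ask" or "deny") is applied to each declared write; unknown kinds get "ask"."""
    return [(d, policy.get(d.kind, "ask")) for d in manifest]


# Constructed vendor manifest for a hypothetical "ExampleApp".
MANIFEST_JSON = r'''[
  {"target": "C:\\Program Files\\ExampleApp\\*", "kind": "file",
   "reason": "install program binaries"},
  {"target": "HKLM\\SOFTWARE\\ExampleApp\\LicenseKey", "kind": "registry",
   "reason": "stores the license key (value format not disclosed)"},
  {"target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp",
   "kind": "autostart", "reason": "launch updater at logon"}
]'''

# Constructed log of writes seen while the program ran; the last two were not disclosed.
OBSERVED_LOG = "\n".join("\t".join(p) for p in [
    ("file", r"C:\Program Files\ExampleApp\app.exe"),
    ("registry", r"HKLM\SOFTWARE\ExampleApp\LicenseKey"),
    ("autostart", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp"),
    ("file", r"C:\Windows\System32\drivers\exmpl.sys"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helper"),
])

# Constructed owner policy: files fine, registry writes need a prompt, no autostarts.
OWNER_POLICY = {"file": "allow", "registry": "ask", "autostart": "deny"}

if __name__ == "__main__":
    manifest = load_manifest(MANIFEST_JSON)
    for decl, decision in policy_decisions(manifest, OWNER_POLICY):
        print(f"{decision:5} {decl.kind:9} {decl.target}  ({decl.reason})")
    for w in undeclared_writes(manifest, parse_observed(OBSERVED_LOG)):
        print(f"UNDECLARED {w.kind:9} {w.target}")
```

Two details carry the point of the thread. Matching is by disclosed target and kind only, so the vendor can disclose that a license key is written without disclosing its format, as Glenn proposes. And the Run-key write logged as a plain "registry" change is reclassified as an autostart before matching, so it shows up as undeclared rather than hiding behind a looser category.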
