Transmissions

by Dragorn

0x007, License to Code

Every so often, someone has the revolutionary idea that programmers should be licensed.  Usually, the claim is made that licensing developers (or development companies) would produce better, more secure code by ensuring that the authors had some form of basic training.  This is a ridiculous idea from almost any perspective, given the availability of development tools, the self-taught nature of many programmers, and the prevalence of outsourcing to countries that have no economic interest in restricting development.

Would you be surprised to learn we already have what effectively amounts to licensing for coders, which determines what parts of the computer you're allowed to use, how you use what is still available, and if you're even allowed to develop in the first place?

Closed ecosystem markets have already enforced these limitations, and done it so successfully that the general perception of the device is altered from "general purpose computer" to "device which runs apps."

This sounds like yet another attack on Apple, and in some ways it definitely is, but the change from "general purpose computer" to "device" goes beyond just Apple.  Android devices would seem more open because most devices can run code not vetted by the market, but many devices are still locked and cannot run unsigned kernels or base operating systems.  Microsoft has announced that the embedded version of Windows for low-power ARM chips will not allow browser extensions or the running of non-vetted code.  We no longer connect computers to our TVs to play media - we connect "media devices" which should be capable of doing whatever general purpose computing we need, but are relegated to running specific media apps with no option to run our own code.

Limitations on general computing are spreading.  Tablets break down the barrier between embedded mobile device and laptop - but also bring the restrictions of running only the code you're told you can run, and only being able to use the features of the computer you're told you're allowed to use.  Hybridized laptop/tablet combinations spread the limitations even further: It looks like a computer, it kind of acts like a computer, but you can't actually use it like a computer, unless the vendor decided to be benevolent enough to allow you to unlock it and install your own operating system on it.

Apple is taking the assault on computers a step further, it seems.  Announcements about Mountain Lion indicate it will have a switch to force the computer to only run code which comes from the Apple store.  Simultaneously, applications in the App Store will soon come under a mandate that they must run sandboxed and can only utilize a limited subset of the resources available.  The switch is optional for now, but hints at the future.  The sandboxing and limitation of applications on what would otherwise be a standard computer is also currently optional, and the cut-over date for mandatory sandboxing keeps slipping later and later, but it's still on the horizon, and it's coming.

There's plenty of angst to spread around beyond just Apple changing OS X of course; the implementation of secure boot on Intel hardware has been a specter since TPM was first introduced.  By controlling the firmware so that it will only boot signed known-good kernels, a validated boot chain can prevent malware from hijacking the system.  Unfortunately, it also prevents any code not signed by the manufacturer from booting, the exact same trick locked-down cell phones use to prevent unauthorized firmware from being used.

Once again, rumors of Microsoft requiring a signed boot chain for the next revision of Windows are making the rounds, and it's not yet clear exactly what the level of restriction will be.  A locked bootloader on Intel hardware would prevent Linux or BSD kernels from booting, and even if vendors were willing to work with distributions to make valid signed versions, it would be limited to authorized versions of the kernel, not development or homebrew distributions like Gentoo.  It's already difficult to get a commercial PC which doesn't have a version of Windows pre-loaded, and thanks to subsidies it's often more expensive to get one without.  If manufacturers have to change the firmware to produce "Windows" and "Non-Windows" products, it will become even harder.

Unfortunately, like nearly all technological change, these restrictions aren't completely negative, but the danger is the removal of choice.  Limiting access can be a good thing; it's why we don't run everything as root or admin.  I have relatives, and I suspect we all do, who would benefit from a limited environment.  For general users who are not, and have no wish to become, security conscious, limiting the system to only running vetted code has a very strong appeal.

Limiting resources falls directly into what would normally be standard operating procedure for security: Give the user (or application) access only to the data and resources it needs.  I sandbox programs under Linux by making network-facing GUI code like Firefox run under its own user.  Having applications be limited by default could be a fantastic thing for security: If you give the user a choice, they'll probably pick the wrong thing.  If you always do the more secure thing, you eliminate a major attack vector.
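The run-it-under-its-own-user approach mentioned above, as an added example that is not from the column: a small POSIX shell script that creates a dedicated account for a network-facing GUI program and launches it there, so a compromised browser lands in a home directory that holds none of the invoking user's files or keys.  It assumes a Linux box with X11, sudo, and xhost; the "sb-" account prefix is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not the author's script): least-privilege launch of a
# GUI program such as Firefox under a throwaway Unix user.
# Assumes X11, sudo and xhost; account naming is a constructed convention.
set -eu

# Name of the dedicated account that will own the program's process.
sandbox_user() {
    printf 'sb-%s\n' "$1"
}

# Command line that launches PROG as USER on DISPLAY (dry-run view).
# -H points HOME at the sandbox user's own home, so browser profiles,
# downloads and cookies never touch the invoking user's files.
launch_cmd() {
    user=$1; prog=$2; display=$3
    printf 'sudo -u %s -H env DISPLAY=%s %s\n' "$user" "$display" "$prog"
}

# One-time setup (needs root): create the account with no login shell.
# sudo -u still executes a single command directly, so nologin is fine.
setup() {
    user=$(sandbox_user "$1")
    if ! id "$user" >/dev/null 2>&1; then
        sudo useradd --create-home --shell /usr/sbin/nologin "$user"
    fi
}

# Grant only that local account access to the X server, then launch.
# "+SI:localuser:NAME" is far narrower than the common "xhost +", which
# would let any local user attach to the display.
launch() {
    user=$(sandbox_user "$1")
    display=${DISPLAY:-:0}
    xhost "+SI:localuser:$user" >/dev/null
    # Same command that launch_cmd "$user" "$1" "$display" prints.
    sudo -u "$user" -H env DISPLAY="$display" "$1"
}

# Usage: ./sandbox.sh firefox   (no argument: define functions only)
if [ "${1:-}" != "" ]; then
    setup "$1"
    launch "$1"
fi
```

Keyboard input and clipboard still flow through the shared X server, so this isolates the filesystem and process ownership, not the display; a separate user is a floor for privilege separation, not a full sandbox.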

Our challenge should be to figure out how to limit code by default to help increase security for non-specialist users, without sacrificing choice, flexibility, and the general-purpose computing platform we all count on.  It's a computer, not a media player, or a web browser, or a slingshot-birds toy.