BY KATHY GIORI, QUALCOMM
When it comes to digital security, the world takes the matter seriously, and who wouldn’t? In today’s always-connected world, the phones in our pockets exchange data with the Internet constantly. We want our information to be protected no matter where we are and no matter which Wi-Fi access points (APs) we use as an on-ramp to the Internet. Does building an AP from open source software make the data it carries less secure? No.
Openness has been shown to improve platform security. With open source software, vulnerabilities can be fixed much faster. Anyone in the world can write, test and apply a patch, and share that fix with others. If the source to create a patch is not available, then there will be a bottleneck to obtaining a fix. In such cases of limited or no access to original source, it may not be possible to obtain a patch to block an exploit. The consumer would be left vulnerable.
On the other hand, when regulatory bodies impose operational limitations on platforms, maintaining that compliance may require a different form of security – closed or limited access to source. For example, the Federal Communications Commission (FCC) places a restriction on Wi-Fi AP operation that is intended to protect Doppler weather radar operation at airports. Accurate weather radar readings are important for air-traffic controllers, who use them to warn pilots flying near that airport and to route them safely around dangerous storms. Given access to open source software that includes the logic controlling regulatory restrictions, a capable Linux developer could negligently disable FCC protections on an AP.
We need openness for improved security, but openness leaves an opportunity for abuse of regulatory compliance. The question becomes, how do we satisfy these opposing constraints?
Such challenges are being tackled by members of the prpl Foundation, an open source non-profit focused on enabling next-generation datacenter-to-device portable software and virtualized architectures. In particular, there are two prpl Engineering Groups (PEGs) working on this dilemma: one focused on improving OpenWrt (a popular embedded Linux distribution), and the other focused on improved security in general.
When software is open, some means needs to be put in place to ensure that modifications to the software can’t easily break compliance. Two methods of addressing this problem are being pursued. The first is a purely software-based approach. Software packages are compiled as binaries before being loaded on a platform. The images can be securely “signed” by a trusted source. Linux already allows for checking the validity of the signature of the regulatory database, which can only be signed by the regulatory database maintainers. The trick with this approach is making sure that all vendors and after-market software distributions such as OpenWrt comply by keeping the signature checking in place. This honor-system approach can ensure compliance of mass-marketed binary images, leaving the gap for regulatory abuse quite limited because of the extreme expertise needed to break the rules.
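The signature gate described above, sketched as an added illustration that is not code from Linux, OpenWrt or prpl: the device holds only a public key and refuses any regulatory database whose RSA (PKCS#1 v1.5, SHA-256) signature does not verify. The demo key is built from two well-known public primes and offers no security; the line-based database format, the sample rules and all function names are assumptions.

```python
import hashlib

# Constructed demo key: both primes are public knowledge, so this key is NOT secure.
P, Q, E = 2**255 - 19, 2**521 - 1, 65537
N = P * Q                           # public modulus, pinned on the device
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the maintainers
K = (N.bit_length() + 7) // 8       # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (EMSA-PKCS1-v1_5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed sample database in a hypothetical "country band flag" format.
SAMPLE = b"US 2.4GHz none\nUS 5GHz-radar-band radar-protect\n"


def _encode(blob: bytes) -> bytes:
    """Return the K-byte EMSA-PKCS1-v1_5 encoding of SHA-256(blob)."""
    t = SHA256_PREFIX + hashlib.sha256(blob).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(blob: bytes) -> bytes:
    """Maintainer side: sign the database image with the private exponent."""
    return pow(int.from_bytes(_encode(blob), "big"), D, N).to_bytes(K, "big")


def verify(blob: bytes, sig: bytes) -> bool:
    """Device side: check the signature using only the public key (N, E)."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False
    # Rebuild the expected encoding and compare it whole; never parse the padding.
    return pow(s, E, N).to_bytes(K, "big") == _encode(blob)


def load_regdb(blob: bytes, sig: bytes) -> dict:
    """Fail closed: no rule is parsed from a blob that does not verify."""
    if not verify(blob, sig):
        raise ValueError("regulatory database signature invalid; not loaded")
    rules = {}
    for line in blob.decode().splitlines():
        country, band, flag = line.split()
        rules[(country, band)] = flag == "radar-protect"
    return rules


if __name__ == "__main__":
    print(load_regdb(SAMPLE, sign(SAMPLE)))
```

The check protects only as long as the verifying code and the pinned key stay in the image, which is the honor-system dependency the paragraph above points out.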
Another approach takes advantage of new hardware virtualization capabilities. With this approach, a limited slice of hardware and software functionality that handles regulatory compliance is isolated from the openness and flexibility afforded by the rest of the platform. Again, access to changes within the narrow regulatory compliance slice would be highly restricted. But access to innovate and apply security patches to everything else would be maintained far more openly and flexibly.
By working alongside companies like Qualcomm Atheros, prpl Foundation hopes to highlight the importance of openness for innovation and security purposes and strives to find common ground with the FCC on these particular issues.