Trustworthy Software Platform is a non-profit project dedicated to preventing poor-quality and malicious software by sharing the experiences of computer users worldwide.

A piece of software must fulfill three mandatory conditions in order to be called trustworthy. It must be verifiable that the software comes from the real publisher (authenticity), has not been tampered with after its publication (integrity) and is safe to run, meaning that it has no malicious component bundled with it (safety).

Today there are several code signing technologies on the market, such as Microsoft Authenticode or Sun Java Signing, that have the goal of ensuring the trustworthiness of code files downloaded from the Internet. They answer the question of whether the file is intact and originates from the real publisher, but the question of safety remains unanswered.


Microsoft Authenticode Security Warning

If the user knows which publishers he/she wants to trust, these existing technologies ensure that the software comes from them. But the main problem users encounter is usually: “I never heard of you before; I wouldn’t mind trying your code, but I have no good way of determining whether to trust you or not.” With the current technologies it's impossible to answer the question of whether some software the user has never seen before is trustworthy or not.

The goal of the platform is to provide a new way for the verification of trustworthy software.

The code signing technologies already ensure integrity and authenticity. Instead of reinventing the wheel, the platform uses these existing mechanisms as a base and extends them with its own safety verification feature.

The verification of safety needs a different approach compared to the verification of integrity and authenticity. The safety of a piece of software cannot be determined using cryptographic algorithms or mathematical computations. No algorithm can ensure that a software product has no embedded malware or that it does not violate your privacy.

One way to ensure the safety is to delegate the verification to a trusted authority.

In order to realize the project without incurring excessive financial costs, the Internet community is selected as the trusted authority. The platform serves as a global repository to store the experiences, thoughts and comments of people about the software products they use daily. This information is shared with everyone and used during the verification process.

The platform consists of the global repository mentioned above and a small piece of software that integrates into the user’s operating system. This version (as of this writing 1.0) supports only Windows platforms. It adds a new layer above the Microsoft Authenticode technology and replaces the classic security warning window with the dialog box you see below:

Averina TSP Security Warning

This window displays the community rating, user reviews and badware status beside the publisher information and allows users to make much more reliable decisions before executing code files acquired from an unknown source. Using the links presented in this window, the user can also contribute to the platform without having to register.

One aspect that is hosted outside the platform is the badware status information. This information is provided by StopBadware.org. The platform periodically updates its repository using the most recent badware reports.


Averina TSP Web Frontend

The current state of the project is only a tiny fraction of the whole idea. The next versions will add many new features that will provide services for both end users and software publishers.

Before writing this post I found a great article by David S. Platt, who has a very similar vision. I suggest that you also read his article. In my next post I will delve into the internals of the system and explain some technical aspects. I hope that this introduction was helpful and easy to understand. If you have any questions, please leave a reply.