In a previous life I was part of an effort to help people avoid malware on their computers. SiteAdvisor was an attempt to help inform people about which websites they could trust and which downloads they could install with confidence. However, it still relies on people paying attention to the red / yellow / green warning symbols in search results.
The Apple iPhone App Store offers a different model for how to protect people's computers. The only software you can download onto iPhones is software that has been reviewed by Apple. This makes a lot of sense to me. Many people just click 'Yes' on anything that pops up on their computer. Or they just type their admin password in whenever prompted to do so. Or they don't know what those handy red SiteAdvisor ratings next to Yahoo search results mean. Or maybe they really did get malware installed on their computer by a worm or browser exploit.
Why not go one step further than SiteAdvisor's advisory ratings and implement mandatory access control for laptop/desktop systems? I know there are a lot of people who hate having their iPhones locked down. Fine. Give the power users an option to unlock their desktop or laptop. But for the other 95% of the population, simply block installing any software that is not approved by Apple, Microsoft or whoever is the security auditor of choice for your operating system. Or at least block installing any system software update, browser plugin, or other critical piece of software that is not whitelisted.
This needs to be implemented at a low level in the OS. Any data loaded into a region of memory that is marked or will be marked executable needs to have a code signature verified to prove it is reviewed and whitelisted code. One consequence of this is that run-time code generation is not possible. So no just-in-time compilers like Java use. But in the end, I'd happily settle for a much more secure computer and let Intel make my Java apps run faster.
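The check described above can be modelled in a few lines. This is an added example, not code from SiteAdvisor, Apple or any shipping OS: it assumes a manifest of per-page hashes, uses an HMAC with a constructed key as a stand-in for the auditor's signature, and additionally assumes a page may never be writable and executable at once. All function names and the sample image are hypothetical.

```python
import hashlib
import hmac

PAGE = 4096
VENDOR_KEY = b"constructed-demo-key"  # assumption: stand-in for the auditor's signing key

def page_hashes(image):
    """SHA-256 of every page-sized chunk of a code image."""
    return [hashlib.sha256(image[i:i + PAGE]).digest()
            for i in range(0, len(image), PAGE)]

def sign_image(image):
    """Reviewer side: manifest of per-page hashes plus a tag binding them together."""
    hashes = page_hashes(image)
    tag = hmac.new(VENDOR_KEY, b"".join(hashes), hashlib.sha256).digest()
    return {"hashes": hashes, "tag": tag}

def may_map_executable(page, index, manifest, writable):
    """OS side: may this single page be marked executable?"""
    if writable:
        return False  # a writable page could change after it was verified
    if manifest is None:
        return False  # run-time generated code (a JIT) has no reviewed manifest
    expected = hmac.new(VENDOR_KEY, b"".join(manifest["hashes"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False  # manifest was not issued by the auditor
    if index < 0 or index >= len(manifest["hashes"]):
        return False  # page lies outside the reviewed image
    actual = hashlib.sha256(page).digest()
    return hmac.compare_digest(actual, manifest["hashes"][index])

# Constructed sample image: one full page and one partial page of filler bytes.
APPROVED = b"\x90" * PAGE + b"\xc3" * 100

def demo():
    m = sign_image(APPROVED)
    patched = b"\xcc" + APPROVED[1:PAGE]  # one byte changed after review
    return {
        "approved": may_map_executable(APPROVED[:PAGE], 0, m, False),
        "patched": may_map_executable(patched, 0, m, False),
        "jit": may_map_executable(b"\xc3", 0, None, False),
        "writable": may_map_executable(APPROVED[:PAGE], 0, m, True),
    }

if __name__ == "__main__":
    print(demo())
```

Only the reviewed, unmodified, read-only page is allowed; the patched page, the unsigned run-time buffer and the writable mapping are all refused, which is the JIT trade-off the paragraph accepts.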
Thursday, September 10, 2009