Computers send messages via strings of bytes. The bytes may represent either executable code or data and the dividing line between code and data has become more and more difficult to discern. Explicitly executable files (e.g., .exe on Wintel hardware/OS) are directly executed by the native platform. Yet executable binary code may be hidden in various seemingly innocuous formats such as .jpg and SMS messages (see below). Various interpreters available on the computer can also make data executable. Text, for example, may represent executable code in Java, JavaScript, ActiveX, PHP, Perl, Python and many other scripting languages that can be executed without the knowledge of the user.
Some especially sensitive application areas such as government,
military and financial IT do their best to prohibit code
transfer. Their best is not good enough. Recent nation-state
attacks include Chinese
attacks against the US Department of Defense, Stuxnet
a joint US/Israeli exploit against Iranian nuclear sites, and Flame
a very large and multi-function US malware package that exploits
flaws in Windows Update. Banks and other financial institutions
are hacked far more often than the public realizes. Commercial
databases containing credit card and other private information
of consumers continue to be compromised all too often. In
July 2013, four
Russians and a Ukrainian were charged with stealing
about 160 million credit and debit card numbers.
The computers compromised in the above cases were managed by IT
professionals. These professionals were in most cases quite
competent. The failure was in trusting their ability to deal
with the complexity of their systems and the resultant
inevitability of chinks in their armor. And that complexity
results in large part from the overly generalized functionality
of the computer's operating systems, databases, networking and
overall software architectures.
The culture of computing all too often takes for granted that
code must be malleable They find it difficult even to
imagine a world in which it is technically impossible to alter
code in a computer. The PC revolution in particular was founded
upon the legal fiction that Microsoft "owns" the code on every
Windows computer and has the right to modify it at will.
Hence Windows Update is a legally protected and vital part of
the Windows software ecology. The business of PCs and tablets
and now smartphones depends upon the easy movement of code from
the vendors to the users! The massive growth of smartphones and
their apps is rife
with vulnerabilities.
Loading code, if it cannot be prohibited entirely, should be a
special, and carefully managed
process much better managed than it is at present.
Apple's AppStore policies for iPod/Phone/Pad apps are a good
start, but only a start. Google's free-for-all policies
for Android apps seem designed to replicate Windows' flaws.
Enforcing such a taboo will be complicated by the fact that it is difficult to distinguish code from data. Code in the guise of data may sneak in as a supposedly innocuous file like a .jpg image and get executed as a result of a buffer-overrun exploit [1]. In smart phones code may sneak in using an SMS messaging exploit [2]. Fortunately, the importance of a taboo against transferring code is becomings more obvious, so perhaps we can expect the computing industry to incrementally improve its enforcement capabilities.
Increasing specialization
in
computing tends to reduce the need, hence the
acceptability, of code transfer. Compatibility within the
Windows monoculture with its common APIs permits meaningful, if
dangerous, code transfers. Unfortunately Android is becoming a
similarly insecure monoculture. Outside of a monoculture, it
simply makes no sense to base multicellular computing messages
on transmitted code. Specialized computers in communities of
collaborating machines function in very different ways and in
different contexts. Code for a router is meaningless in a PDA or
a parallel computation engine. It is neither practical nor
useful for a machine requesting a service to send code that
specifies how that service is to be carried out. Only the
receiving computer can know how best to provide the service.
As code transfer loses popularity, the growing trend of using Web Services in the "Cloud" is gaining popularity. Rather than each computer supporting a wide range of function, they increasinly rely on the specialized services of other machines. Thus Web Services mimic living system’s use of polymorphic message sending. The receiving computer, not the sender, determines the meaning of all Web Services messages. So the multicellular computing world seems already to be evolving the same basic architecture that evolved in biology. Future orchestrated collaborations between computers on the Internet likely will be based upon one variety or another of Service Oriented Architecture. Heavyweight SOA, based upon SOAP, WSDL and a host of other industry standards, is gaining favor in corporate IT systems. Lighter weight mashups, e.g., those based on AJAX are growing rapidly in the Internet at large. In either case, useful Web Services are emerging on the net and multicellular combinations of Web Services are becoming more common.
Whichever new protocols emerge, we must coexist for many years with legacy systems that use proprietary communication protocols, old EDI protocols, HTML protocols, and many less common formats. If biology is any guide, many of these will never fully disappear. They will become frozen historical accidents to puzzle future students of the history of computing.
The form of future collaborations between computers seems on its way to being settled, i.e., by some sort of Cloud Web Service conventions based on XML. But the substance is not. Polymorphic messages encoded in XML are syntactically self-describing but not semantically self-describing [3]. If polymorphic messages are to be the basis of communication, there has to be some agreement on the meaning of the messages. Messaging semantics will be sorted out by the efforts of various standards bodies, by acceptance of conventions, and by much evolutionary trial and error. Yet none of these are completely satisfactory - standards are slow, conventions conflict, and evolution is messy. Nonetheless, if biology is any guide, evolution will dominate.
Messaging semantics in multicellular organisms evolve under constraints from all aspects of the message process at once. An individual organism begins with a fertilized egg that divides. Its daughter cells all share the same DNA. These daughter cells differentiate, staying physically co-located. Hence, the organism’s DNA codes for all aspects of the messaging behavior, both the behavior of the “sending” cell, i.e., how and when it synthesizes and exports a given messenger molecule, and the shape and lifetime of the messenger molecule [4]. The behavior of the “receiving” cell(s), i.e., those that have binding sites for a given molecule, depends upon which biochemical pathways are triggered by receipt of the molecule. If the semantics of a given message transfer are not beneficial or at least neutral to the health of the whole organism, the whole organism is at higher risk of death before it can pass the DNA on to the next generation. Thus survival of the fittest, which operates at the whole organism level, simultaneously punishes poor “syntax” and muddled “semantics” by culling mistakes at either end of the communication.
A single corporate network infrastructure may play an evolutionary role similar to that of a single multicellular organism. That is, it is a unitary, logically contiguous, dedicated collection of computers that supports the whole organization, for good or ill. Its routers, firewalls, VPN links, LDAP servers, DMZs, and specialized application servers must share an agreed upon and internally compatible architecture and implementation. And the semantics of pairwise collaborations must be sensible. The corporate IT staff work to ensure this. If the system is not up to the job, disaster may well ensue for the whole organization. A corporation with a seriously flawed Web Services infrastructure may simply go out of business, thus failing to pass on its ineffective infrastructure architecture and semantics. Bank mergers are a classic case. A bank’s competitiveness often depends in large part upon its IT infrastructure, which is a carefully (or not so carefully) crafted multicellular computing organism. The weaker bank, when acquired by a stronger one, typically must remake its IT infrastructure to be compatible with the winning bank’s architecture. This sort of system evolves its messaging architecture in a manner similar to that of a multicellular organism, by a remorseless process of survival of the fittest.
The evolution of message semantics in the open Internet is more complicated, not to say haphazard. A person’s computer may play a different role in many different sets of multi-computer collaborations, some for private uses and some in their role as an employee, customer, or supplier in business relationships. This is similar to the more fluid and ambiguous semantics in ecologies of organisms where a single organism plays many different roles in different ecological collaborations. Predators recognize prey, and vice versa, by all sorts of chemical signals. So, chemical signals mean one thing between individuals of the same species and another to their predators or prey. For example, the musky smells of animals travel on the wind. Thus predators attack from downwind so as not to warn the prey. The “come hither” scent of a desert mouse is intended to attract a mate. That it also attracts a hungry snake is not simply an unfortunate accident. The snake co-evolves with the mouse. In a similar manner, especially valuable services (Google, eBay, Amazon, Twitter) support an API with defined semantics that attracts third party services. Or services with plentiful and demographically valuable users attract competing services that will offer the same API with the same semantics to attract those users. Successful poachers of either sort can then add to the API and the semantics in an attempt to freeze out competitors. Nonetheless, such co-evolution can result in richer and more useful semantics.
Some efforts, such as UDDI have attempted to provide a semantic “yellow pages” service as a rendezvous point for finding services with the “right” semantics and to organize such semantic information into useful taxonomies. So far, these efforts have been premature, over-engineered and overly complex. It has been like attempting to start a telephone Yellow Pages before there are enough phones to matter. So, the semantics problem in the Internet remains difficult.
Alan Kay [5] proposes that the semantics travel with the message by using objects as the message carrier rather than just data. An object carries both data and the code that provides some of the meaning. Security issues would be handled by assuming that the machines are specialized as object engines that provide separate address spaces for all objects so that one cannot interfere with another. However, object collaboration still requires some shared understanding of the semantics of the polymorphic messages. Reflexive systems, those in which metadata is available with which objects can “reason” about message interfaces of other objects, might be agreed upon and such reasoning might support the bootstrapping of enough semantics to dramatically speed the evolution of useful ways of collaboration. Or, SOA brokers could match up “compatible” parties. This object approach might offer real advantages, however it is a radical departure from the way our current machines work and would require substantial evangelism and investment to succeed. Nonetheless, one day perhaps some classes of computer applications might work very well in such general object engines
[1] Note that new hardware capabilities from Intel and AMD allow memory to be marked “no execute” which may eventually make buffer-overruns less of a problem.
[2] In July, 2009, a security researcher discovered a way to use SMS messages to completely take over an iPhone without any interaction with the phone's owner. (See interview with Charlie Miller, the discoverer of the iPhone exploit). He also found exploits for Android and Windows Mobile smart phones. He explains the basics of the iPhone exploit thus: "You can send a long [SMS] message in a series of messages and the phone will reconstruct it into a one long string. It accesses an array based on a value from the data. In the case where it thinks it reads -1, it actually accesses the memory before the array, not in the array. By setting things up just right and being tricky, you can actually leverage this to gain complete control of the device. The entire attack takes just over 500 messages, although the victim doesn't know they are being sent because they don't show up on the phone. Most of these messages have to do with setting things up 'just right.' Sixteen of them actually access the array out of bounds."[3] XML does not encode semantics. Only the syntax is self describing. When people read XML, they subconsciously perceive the tags as carrying semantic information because the tags are usually human-readable words. The receiving computers cannot derive any meaning from those words. Semantics remains in the minds of the reader and writer of the text, not in the XML itself. Imagine, as a thought experiment, reading XML in which all the tags have been encrypted. The encryption removes none of the information in the XML but does remove the illusion of semantics.
[4] Intracellular mechanisms degrade almost all proteins including messagenger molecules, some quite rapidly. A molecular message's half-life determines its range and the duration of its effect - that is, messenger half-life is an explicit aspect of message management that evolves along with the functioning of the sending and receiving cells and of the organism as a whole.
[5] This paragraph is based on a personal communication with Alan Kay. Multicellular computing was the context for that discussion. He has long championed the view that “dumb” data should be avoided. In principle, I agree with him. The difficulty is in how to prevent the embedded "smarts" from providing an avenue of entry to viruses and other malware.