Safe Execution: Patents & Possible Pasts
What if something you’re working on right now is patentable?
Back in 2005 I wanted to get peer review for the Safe Execution Environment for downloadable native applications I was building as a Senior Engineer for Qtopia, so I gave a paper on it at the Open Source Developers Conference in Melbourne that year. The conference site is gone now (the link above is to the Internet Archive of the site) so I’d like to bookmark this before it’s lost to the sands of time.
Here’s a screenshot:
I’m not going to go over the details of the architecture here, as there’s a lot more in my whitepaper and on Qtopia’s website (which is still up by the way!). There’s also a great article on Linux Journal about SXE by my Trolltech colleague Lorn Potter.
We shipped the Qtopia Greenphone in 2006 with the SXE onboard, and it was a ground-breaking device at the time. It was a Linux-powered feature phone with a colour screen able to receive natively built apps from remote servers a year or two before the iPhone and Android phones were announced by Apple and Google respectively. Off the back of the Greenphone release Trolltech was snapped up by Nokia in a $153m acquisition in 2008. At the time Nokia was feverishly working to expand its Linux smart device offering and wanted Trolltech’s expertise in the area.
Now isn’t this interesting. Fast forward a decade or so.
While reading an article on Qualcomm’s patent wars I noticed buried in the prose a reference to their 2006 patent for a Safe Execution Environment for downloadable software. The patent was filed in 2001 according to the Patent Office records.
The Qualcomm technology had some minor differences: SXE was about constraining the native processes spawned from a binary application on the device, so that they could not access system resources other than those stipulated by a predefined policy, whereas Qualcomm’s was about removing such an application from the device.
Another thing: was Qualcomm really talking about native apps with their 2006 patent? Qualcomm’s patent is, as far as I can tell, equally applicable to Java MIDlet or MIDP applications, which were “state of the art” at the time of the Greenphone. Java being non-native did not perform as well for demanding applications, and coming up with a secure solution for native apps was top of mind. Of course it’s something that Apple drove to huge success with the iPhone from 2007.
In that case the security profile breaches would have been detected by a Java runtime, rather than a Linux kernel as is the case for the SXE. I wonder if Qualcomm’s engineers were thinking of native apps when they came up with this in 2001 and applied for the patent? Did they actually demonstrate it with code, I wonder?
The parts of the SXE and the Qualcomm invention that are common are that the process policy was contracted and agreed on by negotiation between the handset and the application server, and these were signed to prevent tampering.
I’m fascinated to discover that this patent exists because at the time I was consulting with my colleagues across Trolltech as the SXE touched a lot of the Qtopia stack, and the legal team drew me aside and talked to me about patents. The idea of going for patents was dismissed by the legal team because I had given a public paper about the idea. You can’t patent something that isn’t secret.
At the time I was Trolltech Brisbane’s go-to person on application security and what I knew was that you don’t get security by obscurity: you talk about it publicly, and that meant peer review. So hence the conference paper in 2005.
Prior to that meeting with Trolltech legal it had never occurred to me that what we were doing might count as an invention. To me the combination of the Mandatory Access Control provisions in the Linux kernel, a key transport Linux kernel patch that I wrote to carry security tokens from trusted kernel space into user space, and the client-server policy negotiation were all just obvious parts of the architecture that were required to do what we wanted: run third-party applications natively and safely.
Also I had not yet heard Eben Moglen of the Free Software Foundation speak so eloquently on the value of software patents to open source organisations, not least because they can form part of a defensive patent suite. So I was not a fan of software patents at that time.
In any case — the whole thing is a sea of “what if” wonderings.
Object lesson for me: is what I’m working on patentable?
Maybe I don’t want to think like that, but how am I going to feel when I find some company is making a mint from an invention very similar to one of mine a decade later? How am I going to feel when it turns out my own in-production software has been patented out of existence by a bunch of patent trolls and I have no defensive patents of my own?
And of course what would today look like in the other possible past — where I hadn’t given the above conference paper and Trolltech had patented the tech?