Next Article in Journal
Protection of Personal Data in the Context of E-Commerce
Previous Article in Journal
Advancements in Synthetic Generation of Contactless Palmprint Biometrics Using StyleGAN Models
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks

by
Fahad Alotaibi
1,*,
Ramesh K. Karne
1,*,
Alexander L. Wijesinha
1,
Nirmala Soundararajan
2 and
Abhishek Rangi
1
1
Department of Computer & Information Sciences, Towson University, Towson, MD 21204, USA
2
Department of Computer & Physical Sciences, Southeastern Oklahoma State University, Durant, OK 74701, USA
*
Authors to whom correspondence should be addressed.
J. Cybersecur. Priv. 2024, 4(3), 678-730; https://doi.org/10.3390/jcp4030033
Submission received: 12 June 2024 / Revised: 20 August 2024 / Accepted: 10 September 2024 / Published: 18 September 2024

Abstract

:
The Internet has become the primary vehicle for doing almost everything online, and smartphones are needed for almost everyone to live their daily lives. As a result, cybersecurity is a top priority in today’s world. As Internet usage has grown exponentially with billions of users and the proliferation of Internet of Things (IoT) devices, cybersecurity has become a cat-and-mouse game between attackers and defenders. Cyberattacks on systems are commonplace, and defense mechanisms are continually updated to prevent them. Based on a literature review of cybersecurity vulnerabilities, attacks, and preventive measures, we find that cybersecurity problems are rooted in computer system architectures, operating systems, network protocols, design options, heterogeneity, complexity, evolution, open systems, open-source software vulnerabilities, user convenience, ease of Internet access, global users, advertisements, business needs, and the global market. We investigate common cybersecurity vulnerabilities and find that the bare machine computing (BMC) paradigm is a possible solution to address and eliminate their root causes at many levels. We study 22 common cyberattacks, identify their root causes, and investigate preventive mechanisms currently used to address them. We compare conventional and bare machine characteristics and evaluate the BMC paradigm and its applications with respect to these attacks. Our study finds that BMC applications are resilient to most cyberattacks, except for a few physical attacks. We also find that BMC applications have inherent security at all computer and information system levels. Further research is needed to validate the security strengths of BMC systems and applications.

1. Introduction

Cybersecurity has become a national and global problem due to globalization and billions of users (5.3 billion) on the Internet [1]. Also, the proliferation of IoT devices on the Internet has introduced new challenges for cybersecurity. There is a veritable ocean of information concerning cybersecurity spanning across many disciplines and systems. Cyberattacks impact all layers of computing and information, including hardware, software, firmware, applications, policies, and other system components. The three dimensions of cybersecurity consisting of information states (storage, processing, and transmission), security principles (confidentiality, integrity, and availability), and countermeasures (policies and practices, technologies, and users) [2] can be extended to ten dimensions, as shown in Figure 1.
There are many permutations and combinations of this ten-dimensional space. Many releases and versions {2} apply to all other nine dimensions during evolution. Many end-user applications {1} meet user requirements in many areas. Depending on their domains, these end-user applications may be implemented in various computer programming languages {3}. A given end-user application may use a variety of networks and protocols {4} and user interfaces {5}. Most end-user applications run on top of some operating system (OS) {6}, and all computing systems run on some processor architecture such as Intel, AMD, and RISC {7}. Many processor chips exist {8} with multiple cores and other features. There are also many vendors {9} for software, hardware, and other components. Furthermore, there are a variety of cybersecurity methodologies, computer architectures, and implementations {10}. There is heterogeneity and redundancy in the above dimensions and rapid obsolescence. The ever-changing hardware, software, and related products contribute to increased complexity and related cybersecurity issues [3] in computer and information systems, resulting in a waste of resources and human skills, recurring costs, dumping of hardware, and reinventions in many dimensions. The attributes discussed here are mainly due to obsoleting products before their life span [4]. Surprisingly, many other aspects of obsolescence, including planned obsolescence [5,6,7], focus on sustained revenues and profits for the industry. Microprocessor and OS obsolescence are the main contributors to fast changes in computing and information systems.
Cybersecurity vulnerabilities are rooted in many dimensions and layers. Given the multidimensional nature of cybersecurity, it is possible to reduce this space by eliminating some of the dimensions. We present a radical solution that eliminates the OS. When the OS is eliminated, computing is based on the bare machine computing (BMC) paradigm, and applications become BMC applications, as discussed in Section 3 below. This paradigm makes computing devices bare and is inherently secure by design.
Some background on cyberattacks is necessary before discussing our methods to evaluate the BMC paradigm. We have chosen 22 cyberattacks to investigate in our study. In general, an attack always uses one or more vulnerabilities to create an attack. For example, a buffer overflow vulnerability can be used to craft many different types of attacks. Similarly, SQL injection may be used to attack a database system.
  • Buffer Overflow: A buffer overflow is a condition that exists when a program can put more data in the buffer than its allocated size. According to [8], “buffer overflow attacks played a major role in the propagation of malicious worms from machine to machine”.
  • Phishing: This is one of the most used attacks in the cybersecurity world. Social engineering techniques are mostly used in phishing attacks [9]. Attackers persuade or lure users to share private information that can be used later to exploit their personal accounts, such as banking, credit cards, social security information, and personal assets. They can also use this information to damage their computer system.
  • Ransomware: Ransomware is malware that captures the victim’s data or device and renders it unusable till some ransom amount is paid. There are two types of ransomwares: locker and cryptographic [10]. Locker ransomware is intended to lock computer access to users or delete files. Cryptographic ransomware encrypts files with hacker keys and demands a ransom to recover files. The main goal of ransomware is to extort money from victims.
  • Denial of Service (DoS): DoS [11] is an attack that can flood a victim’s server with a variety of packets, such as UDP, SYN, HTTP, and ICMP. The goal is to slow down or crash the machine completely. The same attack can be carried out on a server using distributed systems known as distributed denial of service (DDoS) [11] to accomplish a larger and faster attack on a victim.
  • Man in the Middle (MitM): MitM [12] involves an attacker successfully inserting themselves between two communicating parties. The attack can be conducted within the same network or on the Internet. There are a variety of ways to conduct a MITM attack using protocols such as ARP, DNS, ICMP, DHCP, SSL/TLS, and BGP.
  • Password: This is the most common and obvious way to attack computer systems or smartphones. The attackers use a variety of techniques, including brute force, dictionary, phishing, shoulder surfing, key loggers, video recording, replay, credential surfing, and password spraying [13].
  • Trojan Horse: This is a malicious program in the guise of a standard harmless program. It can initiate actions without the user’s approval once it is installed. Trojan horse attacks involve hiding a hacking program and dispatching it at the right time. There are many such Trojan horse techniques [14], including ArcBombs, Backdoors, Banking Trojans, Clickers, DDoS, Downloaders, Droppers, FakeAV, Game Thieves, Instant Messaging, Loaders, Mail Finders, Notifiers, Proxies, Password-stealing ware, and SMS. Almost any software is vulnerable to Trojan horse attacks.
  • Virus: A virus is malicious code that attaches to a host’s executable file. The code executes whenever the file is opened. When the infected file is sent across computer systems, the virus spreads [15]. They are usually spread through emails or shared mass storage devices.
  • Worm: A worm is a type of malware that replicates itself and spreads across computers without any interaction from the user [16]. They consume memory and network resources, thus causing the system to hang. They can also allow access to attackers remotely.
  • Spyware: This is software secretly installed on the victim’s computer or a computer belonging to an organization that monitors and gathers information on a user’s online activity, websites visited, and other personal information. Spyware, also known as privacy-invasive software, is a prevalent issue in today’s computing landscape, often installed without a user’s full knowledge or consent [17].
  • Adware: This is a kind of spyware that runs unwanted advertisements and may contain malware that can get installed on the user’s computer when the user clicks on the links [18]. It could also be installed due to unintentional drive-by downloads.
  • Rootkit: This is a software tool used to take over control of the intended computer and run commands on it with administrator privileges as it operates inside or near the kernel. It can hide keyloggers that capture the keystrokes and steal information such as passwords, credit card numbers, and online banking details [19].
  • Botnet: A botnet is a group of interconnected malicious computers that coordinate to attack other machines [20]. A single attacker (botmaster) can create an interconnected robot network (a botnet) with malicious code and control it for attacking. The attacker can initiate various types of cyberattacks, such as DDoS, phishing, click fraud, and spam.
  • Data Breach: A data breach is when unauthorized personnel gain access to sensitive data or confidential information. Some examples of sensitive data include social security information, bank accounts, healthcare data, and corporate information. Sensitive information can be stored in paper files, hard disks, thumb drives, and intellectual property. In these attacks, the confidentiality of breached data is lost [21].
  • Advanced Persistent Threat (APT): An APT remains undetected for an extended period after an attacker gains unauthorized access to a computer network [22]. This is a sequential and long-term attack that persists in the system. These attackers have a planned goal consisting of theft of data, gaining access to system resources, using social engineering techniques to lure users, staying in the system as long as possible, and moving around the system with the best attacking strategy without being noticed by any existing preventive tools.
  • SQL Injection: This attack consists of accepting SQL queries as inputs into a vulnerable database system that leads to exploitation of the database. The malicious SQL query allows the attacker to gain unauthorized access to the database. An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application [23]. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases issue commands to the OS.
  • Supply Chain: A supply chain attack [24] is one in which many vendors in the chain are rendered vulnerable when a single vendor is compromised. The attackers can obtain maximum benefit by concentrating their attack on a single vendor and then gain access to global data through the chain of connected vendors. A supply chain system consists of many vendors for a given customer. If one of the vendors is breached or attacked in the chain, it may influence other vendors. One of the vendors may have been breached due to security vulnerabilities in their site. When there are many suppliers, one or more of them may be prone to security vulnerabilities. Multiple targets can be compromised from a single vendor.
  • URL Interpretation: URL interpretation [25] exploits the vulnerability of URLs by changing and manipulating the URL meaning without changing or altering the syntax, which allows the attackers to access unauthorized data from the server associated with the URL. Attackers can alter and fabricate URL addresses to access victims’ private data and information. It is also known as URL poisoning. An attacker may use this fake URL to gain administrative privileges and launch other attacks.
  • Insider Threat: Insider threats [26] happen when employees within an organization have privileged access to critical information and misuse their credentials for personal gain. This could render the organization system vulnerable to security attacks. These employees may have current credentials to access private data at an employer site. They may be seeking financial gains to extort the employer using the accessed private data.
  • Eavesdropping: Eavesdropping [27] is stealing transmitted information over an unsecured network. It consists of capturing network traffic. The attacks can be static or modification attacks. In static attacks, the data may be used later to capture valuable information. In modification attacks, the data are only useful if an attacker can modify it while the communication is in progress. A MitM attack can be used with the captured data.
  • Cookies: Cookies contain information about a machine, sites browsed, clicks made, location, and possibly login information [28]. Attackers can steal or hijack a cookie and capture this data. When a user visits a website, cookies may be enabled to play advertisements and capture the user’s browser activity. Although cookies help speed up access to visited websites, they help attackers piggyback malicious programs along with legitimate ads.
  • Social Engineering: These attacks [29] are used to convince a victim to share private data or perform some actions that will enable an attacker to inject some illegitimate code into the system. This is one of the ways attackers can install malware on the victim’s site.
There are many standards that classify security vulnerabilities and cyberattacks. With respect to these standards, such as CVE [30], CWE [31], and MITRE ATT & CK [32], their root causes and mapping to attacks are based on current systems, products, and software engineering methodologies. Bare machine computing is a different concept and approach. In this paper, we only consider generic attributes that can be compared with the BMC paradigm and its applications. To provide a comprehensive evaluation of the BMC paradigm, we chose to compare conventional systems and BMC systems. First, we identify and discuss conventional system guidelines and conventional system characteristics. Next, we give an overview of the BMC paradigm, the compilation process in BMC development, and the integration of direct hardware interfaces in BMC code. We include code snippets that give insight into how BMC applications directly control the hardware. Then, we identify and discuss BMC system guidelines and characteristics and compare them with conventional system guidelines and characteristics to determine the resilience or exposure of each system to cybersecurity vulnerabilities. Using the above 22 common cyberattacks, we examine their primary root causes and preventive mechanisms given in the existing literature. We evaluate the BMC paradigm with respect to these cyberattacks by analyzing how the attacks are related to their root causes and preventive mechanisms. We then look at the applicability of root causes and preventive mechanisms to BMC systems. This enables us to evaluate the security strengths of the BMC paradigm and its ability to resist these cyberattacks. We also discuss the significant contributions of this research. Our evaluation using the relevant existing literature demonstrates that BMC systems are more resilient than conventional systems to cybersecurity vulnerabilities. Overall, this comparison highlights the advantages of using the BMC paradigm to build more secure computing systems.
The rest of this article is organized as follows: Section 2 provides an overview of conventional computing systems, including their applications, guidelines, and characteristics. Section 3 provides details on BMC systems, including their background, guidelines, and characteristics. It also establishes a knowledge base for evaluating the security potential of BMC systems. Section 4 compares BMC systems and conventional computing systems with respect to cybersecurity vulnerabilities using the respective guidelines and characteristics. Section 5 identifies cyberattacks’ root causes and preventive mechanisms and evaluates the resilience of BMC systems to these cyberattacks. Section 6 discusses the significant contributions of this study. Section 7 concludes the article and suggests more research in secure computing systems.

2. Conventional Systems

Conventional systems evolved from mainframes, resulting in desktops, laptops, smartphones, and IoT devices. Most of these systems use some form of an OS or kernel. During the mainframe era, there was no Internet and no online users. The OS was used as a mediator for many users and application programs to provide their services. The OS protected itself from users and protected users from each other. As computers evolved over the years, OSs continued to play a significant role in building computer and information systems. Later, when the Internet became the primary vehicle for communication between users, communication merged with computing, thus extending the OS’s role to provide communication. Now, most computing systems have computing and communication on a single device. For example, smartphones perform computing, communication, and control as part of the same system, and they are seamlessly homogenized to work on the Internet. Smartphones resulted in user-centric computing serving client applications.
Figure 2 illustrates how computer applications use system calls or APIs provided by the OS. Application programmers are isolated from hardware and focus on writing applications in each programming language. There is heterogeneity at every level, including communication protocols, system libraries, device drivers, third-party software, network interface cards, standards, OSs, and computer architectures. They follow an evolutionary path and continue changing and enhancing products rapidly.
During this evolution, open systems, standards, free software, free access, remote control of devices, and globalization proliferated worldwide, resulting in billions of users [1] and the IoT [33]. A given application’s security depends on the security of the underlying OS and may be compromised due to OS vulnerabilities [2]. As OS versions and releases often change, its platform-related entities change accordingly. These fast changes in hardware and software may also introduce more security vulnerabilities.
Figure 3 illustrates a typical application development process and its development and execution environments. A given application only controls the functional flow and plays no role in maintaining an execution environment. When an application is created, it is linked with the system or external libraries. When an application is running, its execution is dependent on a variety of OS components. In addition, there may be other applications running in a multi-programming model. Today’s Internet applications running on a device may be affected by cookies, network programs, sockets, shared memory, and background downloads. As the current OS provides computing, communication, and control in each box, a running application may be exposed to the side effects of the host OS and other applications running at the same time.
Conventional system properties are typically classified into two categories: system guidelines and system characteristics.

2.1. Conventional System Guidelines

In our literature review spanning many references, some of which are included in this article, we have identified 20 conventional system guidelines as described below. This list is not exhaustive; however, it serves as a basis for comparison with BMC system guidelines.
  • System Approach: Over a 50-year period, computer architectures have been following an evolutionary path in processors and OSs, which are the backbone of all computing and information systems.
  • Open Systems: During the 1960–1990 period, most computer and information systems were closed systems and proprietary in nature, thus protecting a given industry’s intellectual property. These systems and their know-how were limited to confidential and authorized users based on their need-to-know policy. Due to the emergence of the Internet and globalization, most of the systems and their knowledge became open to the world. While an open system allows for easier resolution of security vulnerabilities, it also means that attackers and developers have access to the same information, which implies that it is not more secure.
  • Global Focus: Many information systems are architected, designed, and implemented for a global market, as this market is much larger than a given country’s local market. This resulted in large-scale commercialization on the Internet and more revenues and profits for related industries.
  • Global Users: Computer and information system users are all over the world, and they are not always easily identifiable and trackable.
  • Equal Access: With an Internet connection, any global user has access to most information on the Internet; this includes attackers as well.
  • Learning and Knowledge: Information about system internals and system security is often posted on the web. This helps the attackers to easily access the information they need at a faster pace. Defenders also put problems and fixes on the Internet as soon as they are discovered. This enables attackers to create new attacks with less effort. The following two quotations from [34] clearly illustrate the side effects of free learning and knowledge on the Internet. (a) “Open-source Intelligence (OSINT) tools could gather data from various publicly available platforms and thus help hackers identify vulnerabilities and develop malware and attack strategies against targeted CI sectors.” (b) “OSINT tools: indirect reconnaissance data, proof-of-concept codes, and educational materials. The thematic results from this study reveal an increasing amount of open-source information useful for malicious attackers against industrial devices, as well as the need for programs, training, and policies required to protect and secure industrial systems and CI”.
  • Unrestricted Internet access: Many Internet and web applications are available for all users worldwide with an Internet connection. Advertisements swamp systems almost instantly after access to the Internet. Searching online for a particular product or service immediately results in advertisements for related products or services. The advertisements may continue persistently for an extended period. This may be beneficial for some users to quickly learn about products and services. Still, it has many side effects, including a waste of time for users, distraction from a user’s current tasks, and loss of privacy of email addresses, phone numbers, and other personal information. Personal information shared with online vendors to conduct any transaction on the Internet may be distributed to other vendors.
  • Layered Systems: All computer and information systems are layered with respect to architectures, protocols, interfaces, and security. Attackers may exploit these layers to suit their attack environment.
  • Heterogeneity: Current computer and information systems encourage heterogeneity at every stage of building computer and information systems, assuming that it will promote innovation and productivity [35]. Instead, heterogeneity and incompatibility at every level interfere with the main goal of building end-user applications. With today’s high-performance processors coupled with cheap hardware, due to heterogeneity, tweaking small improvements may not pay off as much as before. There is a need to reduce heterogeneity by developing basic building blocks for computing at every level that are long-lived. Heterogeneity exists in processors, OSs, protocols, user interfaces, programming languages, hardware, software, including third-party software, and more. This increases the complexity of computers and information systems [36] and provides more avenues for attackers to exploit cybersecurity vulnerabilities.
  • User/Developer Convenience: User convenience takes higher priority over other design issues in defining system guidelines. For example, it is convenient for users to choose a short-length PIN code for bank transactions, which may not be secure. Online teaching is convenient for faculty and students, but it may not be secure. As it is convenient for businesses to use the Internet for all transactions, physical security and privacy may be ignored. Many online transactions require personal information, causing a loss of privacy. In fact, without a smartphone, it is impossible to do many Internet transactions today. These actions may indirectly result in system vulnerabilities and cybersecurity weaknesses. In addition, developer conveniences, such as using a different programming language for a special purpose, using DLLs, downloading files and software, remote logins, remote administration, and third-party software, may also affect cybersecurity [37].
  • Training: All users and customers must obtain training as needed.
  • Software Installation: This is conducted online due to convenience and frequent changes.
  • Wi-Fi: Wireless connections are commonly used for computing devices such as a mouse, keyboard, headphones, and Internet access. Most Internet transactions are conducted using Wi-Fi and often with a smartphone.
  • Scripts and Batch Files: Scripts and batch files are used by administrators locally and remotely for convenience. This enables them to work remotely.
  • Attachments and Links: Email attachments are commonly used for convenience. Web links are also allowed in the emails for user convenience.
  • Social Media Platforms: They have become a part of everyday lives due to globalization, enabling speedy communication and sharing of information online.
  • Advertisements: There are advertisements appearing continually in social media, smartphones, TVs, computers, and websites.
  • Unsolicited Web Sites: Mostly for commercial and marketing reasons, unsolicited links to websites frequently appear in email and other Internet applications. It is not easy to distinguish between a link to a good site or a bad one.
  • Automated Tools: Automated tools such as Wireshark and reverse engineering tools such as Object-dump are available on the Internet. There are many such tools available for attackers to use.
  • Cookies: Cookies are used to track visits to websites for marketing purposes and user convenience, but they can also be used to launch malware.

2.2. Conventional System Characteristics

The following characteristics were obtained from our literature review of the security papers listed in this article. We have identified 20 conventional system characteristics as described below. This list is by no means exhaustive; however, it serves as a basis for comparison with BMC system characteristics.
  • OS/Kernel/Embedded: Most systems have an OS or kernel. They can also be embedded systems. Due to the complexity and size of modern OSs, lean operating systems were designed to improve security and reduce complexity. Some middleware (e.g., the OS) makes software systems easy to build and isolates programmers from hardware intricacies.
  • Applications: Computer and information system applications are platform-centric and computing device-dependent. No proper abstractions have been used to build applications. Thus, applications are redundant on different platforms. A web browser on a smartphone is different from that on a PC. Email systems are also different on various platforms. Due to this redundancy and lack of proper abstractions, an end-user application may be duplicated many times, resulting in a large application space.
  • Programming Languages: Multiple programming languages are used in conventional systems. Different languages are often chosen based on the type of application, programmer’s skills, convenience, and performance. Performance may not make much difference as current processor speeds are increasing in a short period.
  • Executables: Different operating systems support different executable formats. Some applications may have many executables, thus creating multiple address spaces. Inter-module communication may require message passing between modules.
  • Linking: Dynamic linking is used for many reasons. It reduces the executable sizes, as some modules can be linked at runtime. It is also convenient, as the compiler does not know where the system libraries and other modules are loaded in memory at compile-time. In addition, in multi-module design, the interfaces to other modules are not known at compile time.
  • Loading: Dynamic loading and linking are related. Dynamic loading at run time is also very convenient, as noted above for linking. In modern OSs, dynamic loading and linking (DLL) is commonly used to make the executables smaller and to enable use of external modules as needed at run time.
  • Multi-tasking: Multi-tasking or multi-programming is necessary for all computing systems, as the CPU cannot be kept busy all the time. Most programs need I/O; they cannot run when an I/O request is pending. In conventional systems, when one program is idle, other programs and the OS can run. A given program may not be running alone until its completion.
  • System Calls/API: OSs provide system calls to communicate with the hardware. OSs also provide APIs, enabling programmers to access hardware interfaces. System calls use interrupts to invoke OS services.
  • Sockets: Operating systems provide socket interfaces to communicate between processes within a node or with a remote node.
  • Open Ports: When a packet arrives at an OS, it uses the destination port number in the packet to deliver the packet to its application. A given application running in the machine uses a designated port number to communicate with other nodes. There may be some ports open in an OS to accommodate unexpected applications running in the machine.
  • During Execution: In an OS environment, a given application, other applications, and OS processes and threads run concurrently. Some of them may interact with others intentionally or unintentionally.
  • Event/Interrupt Driven: Most conventional systems use event-based and interrupt-based processing.
  • Shared Memory/Message Passing: Both are used for local communication, and message passing is used for remote communication.
  • Concurrency Control: Inter-process communication in an OS environment may require concurrency control mechanisms. Locking and semaphores are used to handle concurrency.
  • I/O: Most I/O is interrupt-driven in an OS.
  • Third-Party Software: Usually, there is software from many vendors in current systems.
  • Network Interfaces: Protocols such as TCP or QUIC have many interactions between a server and a client during connection establishment, data transfer, and connection termination. Security protocols such as TLS also require many interactions to ensure secure data transfer.
  • Internet Communication: In conventional systems, most communications are conducted through the global Internet. There are billions of users on the Internet while a given communication is in progress.
  • Internet Downloads: For convenience and data sharing, users download software, applications, files, pictures, private data, etc. on the Internet. During downloads, a user may have to enter personal data, resulting in a loss of privacy.
  • IoT: The IoT is growing at an exponential rate. Currently, there are 17 billion IoT devices [38].

3. Bare Machine Computing (BMC) Systems

This section describes the BMC paradigm [39] and gives some insight into BMC system development. The following subsections provide some details on building applications using this paradigm. A variety of real-world BMC applications have been built, demonstrating the feasibility of this paradigm. BMC is an alternative approach for building computer applications without running a centralized kernel or an OS. The BMC paradigm provides other benefits, including significantly reducing obsolescence and cybersecurity risks.

3.1. BMC Paradigm

The BMC paradigm was originally motivated by the rapid obsolescence [4] and continuously emerging security vulnerabilities in computer and information systems. Obsolescence impacts computers and information systems, causing hardware and software to be replaced before their useful life span. The topic of obsolescence is not within the scope of this paper. The BMC approach resembles computing when it started in the 1960s using bare hardware operated with switches and buttons. In current technology, hardware is cheap, provides many functionalities, and allows more logic to be placed on a single chip. It also allows computing devices to be bare, as a processor can provide needed hardware interfaces to application programmers.
In a BMC system, as shown in Figure 4, applications directly communicate with the hardware without any middleware. For example, suppose we want to print the text “Hello” on the screen. Figure 5 illustrates how a programmer can directly control writing on the screen without using an OS. This simple example shows how a programmer can directly access the hardware through C++ -> C -> assembly as a single thread of execution without interruption. It also shows how a programmer views the underlying hardware in the BMC paradigm. It is possible to automate this process to make it user-friendly for developers. In this example, the assembly call writes string data to the video memory location at 0x000b8000. A BMC programmer controls all the code shown here. There are no other dependencies in the BMC code. This philosophy is carried throughout the development process of any BMC application. Using this approach, we can write all direct hardware interfaces needed for information systems applications and development. Eventually, these direct hardware interfaces can be built on the processor chip. If the output must go to graphics memory, the same logic is used with the help of a bare graphics driver. A BMC system is not the same as a bare metal system or embedded Linux [40], as BMC is a general-purpose computing paradigm. BMC servers are not the same as bare-metal servers or virtual servers in the cloud [41], which require some OS to provide services.
The BMC paradigm is based on an application-oriented approach. It divides all computer applications into domain-specific applications using object-oriented abstractions. Examples include banking, online transactions, manufacturing, payroll, desktop and office applications, accounting, email, chat, and browsers. A given domain-specific application may contain one or more applications bundled as a single domain application suite used at a given time. One such example is text processing, spreadsheets, and Internet search. Each domain-specific application suite contains all the necessary code to run on a given bare machine. Although BMC currently chooses Intel processors and their instruction set architecture, it can be adapted to work with any other computer architecture as needed. The BMC paradigm assumes hardware integrity. The paradigm is applicable to any computing device, including a smartphone.
In BMC, the first step is to make the computing device bare. This means it has no operating system, no hard disk (such as mass storage), and uses the BIOS for now. Eventually, the BIOS can be bundled with the associated application suite. The code can run on older or newer Intel processors, which are ×86 and ×64 compatible. The second step is to write the software in C/C++ and a small amount of assembly code where needed. The BMC paradigm is based on a single programming language environment. Boot, loader, and interrupts are written in assembly. One or more applications can be compiled as an application suite, generating a single monolithic executable. This is statically compiled and linked with no external software or libraries. The small executable contains all the required code to run its application suite. A given application suite executable is typically less than 2 MB. It carries the necessary bare drivers [42] and code to support the required functions. There are no kernel or system calls and no OS-related management functions.
The application programmer controls the hardware and required interfaces, and the application suite directly communicates with the hardware without using any middleware. The BMC paradigm also uses bare devices to communicate on the Internet, forming a bare Internet [43]. Only authorized bare users can communicate on bare Internet.
Each application suite can define its own memory map, as shown in Figure 6. This memory map shows how content in an application suite USB is copied into main memory. The boot code from sector 0 is copied into memory location address 0×7c00 (for IBM Compatible PCs). The start program from the USB is copied at memory location 0×600 and includes two header sectors. The start program is loaded in the real memory area. After the boot program runs, it jumps to 0×3900 in real memory to run the start program. When the start program runs, it copies the domain-specific application suite executable from the USB into the memory location starting at 0×00111000, which is above 1 MB and is in protected memory. When the start program is completed, it starts executing at 0×00111000 (which is a main () entry point). All these numbers are extracted by using Microsoft tools to identify entry points and other components in the executable. Notice that there is no need for virtual memory in BMC systems, as there is no OS and only a few applications are bundled and run at a time. Each domain-specific application suite has its own characteristics and can be loaded in custom locations in memory accordingly. This process can also be automated in BMC systems. The above memory map can be customized for domain-specific application suites, which shows simplicity and flexibility in building BMC applications.
As per our knowledge, there is no true bare machine research/development/product like BMC. However, there is ample related work in making the OS lean, moving OS functions to application space, bypassing the OS to gain fast access to hardware resources, and designing an OS for IoT devices. Examples include the exokernel OS architecture enabling applications to manage the hardware and improve performance [44]; Tiny-OS for low-power wireless devices [45]; and Palacios and Kitten, a lightweight OS and VMM (virtual machine monitor) for high-performance computing [46]. Microkernel and related approaches [47,48] keep only essential OS services in the kernel to increase performance in applications such as cloud computing. IO-Lite and kernel bypass techniques [49] provide direct I/O access to applications to speed up I/O. For data center servers, a customized OS [50] can be used to bypass kernel services. RIOT is a small OS suited for IoT devices [51]. Tradeoffs in designing minimalist instead of functionality-rich platforms are analyzed in [52]. The BMC approach is a minimalist approach, where there is no OS or kernel.

3.2. Compilation Process

This section illustrates compilation and the BMC development process. It shows that developing BMC applications is simple and independent of other development environments, which change often. It also shows that the BMC application suite is a single monolithic executable with one address space for a given set of applications. All the batch files used are shown in Figure 7.
Currently, the development process in the BMC uses batch files and takes complete control by using a particular version of Visual Studio (VS 64-bit) as it changes often. These batch files allow us to conduct a compilation process independent of any version of the OS release. At present, we use a Visual Studio/bin directory to compile and link our bare code. The development environment does not use/lib and/include files. A boot.asm has a boot code, and entry.asm has an entry code for the 64-bit application suite. The asmb.bat file is used to generate these binary files, which are written in the NASM assembler. The mk.bat file is used to create a bootable USB, which has boot, entry, and test64.exe (application suite). The PEfmt tool is written for BMC to properly organize code and data segments as needed for the Microsoft PE format.
The asm.bat file is used to compile MASM assembly code that provides direct hardware interfaces. There is a cpp.bat file in every directory that has C/C++ code. The cpp.bat file shown below is for the main directory in the application suite. Similarly, there is a separate cpp.bat file in each directory, where there is C/C++ code. The object files from each directory are used together to run a link process. The ln.bat file creates an application suite executable named test64.exe. This description of batch files refers to creating a multicore web server using the BMC paradigm. This total control of compiling, linking, and creating a static executable prevents other malware from being linked with this application suite at run time.

3.3. Sample Direct Hardware Interfaces

Some sample direct hardware interfaces, such as tasking, reading data from an Ethernet buffer, and processing a received packet, are discussed in the following sections. The code snippets demonstrate how the BMC code integrates all components seamlessly without any layers. It also shows that a programmer controls all hardware elements and software structures, such as Ethernet buffers.

3.3.1. Creating, Inserting, and Running a Task

The code snippets in Figure 8 from a 32-bit application suite for a web server show how a task is created in the BMC paradigm. Notice that task generation is bundled with the application suite and is not visible to outsiders, which prevents intrusion into the code. This code is generated, statically compiled, and linked. A given application suite decides the task creation and its control flow. The deleting task is not shown here. The code is self-explanatory and follows chronological order.

3.3.2. Reading and Processing an Ethernet Packet

In the BMC paradigm, device drivers are part of an application suite. They are written to work without using any OS system calls or API. All device drivers must be written from scratch and are known as bare device drivers. There are two data structures in the Ethernet driver, known as the transmit and receive descriptor lists. These are circular lists with 4096 entries. When a packet arrives, the hardware sets a bit known as descriptor done (DD). Application programmers can read this bit to check if a packet is received. Similarly, when a packet is transmitted, the hardware sets the transmitter DD bit. An application program can examine these DD bits to communicate with the Ethernet control hardware.
For receiving a packet, if a given slot’s DD bit is set, then this packet will be read and passed onto the application, as shown in Figure 9. The function isRDescDone0() in Code Snippet 1 shows how an application can peek into the Ethernet receive buffer for an HTTP GET request and copy the GET data into another buffer. After copying the data, it calls discardPacket() to reset the DD bit. Code Snippet 2 shows how a received packet invokes the RcvCall1() function to process a request, and Code Snippet 3 shows how it calls the IPHandler() function. Code Snippet 4 illustrates how it calls the UDPHandler() function, and Code Snippet 5 shows the processing of the UDP packet with comments, as this step has a large amount of code, which is not shown here. In essence, this code demonstrates that all the Ethernet packet processing is done as a single thread of execution without any layers. In addition, this is application code designed and controlled by an application programmer without the intervention of any middleware. It is event-driven with polling to receive packets. Send is not shown as it is like receive.

3.4. Summary of the Above Code Snippets

In the above Section 3.1, Section 3.2 and Section 3.3, we discussed the use of direct hardware interfaces, the BMC development methodology, and some application code snippets. It is evident from these discussions that this approach is different from conventional methods. When a machine is made bare, the programmer controls software development at compile time and run time. The programmer also controls run-time behavior and does not allow any unintended functions to interfere with a given application suite. Hardware interfaces are included at development time, and flow control cannot be altered at runtime by other applications. This is truly an application-oriented model with a security-by-design approach. The task creation code shows how it is intertwined with an application suite, thus allowing the system to perform only intended tasks. The Ethernet peeking demonstrates that all device drivers are also seamlessly integrated with a given application suite. The packet processing shows how Ethernet, IP, and UDP are integrated as a single thread of execution instead of going through different layers. In this approach, packet processing goes through a simple invocation of calls from one protocol to another. Overall, a given application suite is custom-designed and simple; there is only one user mode; the machine is bare and has no valuable resources; and the programmer has control at all stages.

3.5. Properties of the BMC Paradigm

There have been many real-world applications built to demonstrate the feasibility of bare systems using the BMC paradigm, including chat [43], Web servers [53], USB drivers [42], and Web mail servers with TLS [54]. These real systems are used to identify system guidelines and system characteristics.

3.5.1. BMC System Guidelines

  • System Approach: It is a revolutionary approach that was invented to address obsolescence and security problems. It makes applications independent from the execution environment, and all computing devices are bare.
  • Open/Closed System: It is a closed system. Injecting an attacker’s code is not possible. Open source must not be confused with open systems. The BMC is a closed system. The computing box is bare, and the application running in the bare box is not accessible to hackers. In case hackers create a similar system, they can only hack their own system, not others. If we make an open system, security vulnerabilities are easy to fix, but hackers and developers are at the same knowledge level.
  • Global Focus: It has a local focus. It is architected, designed, and implemented to avoid global users.
  • User USBs: There are dual USBs (the first for booting and the second for an application suite). Both USBs must be physically secured.
  • Equal Access: All bare users have equal access.
  • Education and Knowledge: Restricted to authorized bare users.
  • Layers: There are no layers at any level.
  • Bare Internet: To make BMC viable, a bare Internet concept [43] is introduced. In a bare Internet, all intermediate nodes, such as routers and gateways, must be bare, and they must be physically secured. At present, a bare Internet is overlaid on the existing Internet.
  • Heterogeneity: No heterogeneity is allowed in programming languages, hardware, and software. The security of systems and applications is more controllable.
  • User/Developer Convenience: User convenience takes lower priority over other design issues in defining system guidelines. For example, a system administrator must physically distribute user accounts to guarantee the authentication of users. This is not convenient, but all other electronic means may not be secure. The BMC systems are not global, and the users are limited within a given domain-specific application. These systems are designed for secure domains, not for a global world. Non-bare users can use conventional systems if BMC systems do not fit their needs. BMC systems provide an alternative approach to current computing systems.
  • Training: All authorized bare users must have consistent training and education.
  • Software Installation: Online installation is not allowed. There is nothing to install in a bare machine. The user carries secure USBs. These USBs are distributed to authorized bare users by physical means.
  • Wi-Fi: Wi-Fi is currently not supported due to its security issues.
  • Script and Batch Files: These are not allowed.
  • Attachments and Links: Attachments and links are not allowed in emails.
  • Social Media Platforms: There is no support for social media applications. Social media can use the conventional Internet, which is isolated from a bare Internet. This approach will reduce the number of users on a bare Internet.
  • Advertisements: Advertisements are not allowed. All domain-specific applications and their users are properly authorized and tracked on a bare Internet.
  • Unsolicited Websites: Only access to authenticated bare websites is allowed.
  • Automated Tools: Automated tools are designed to work with only bare computing devices and applications. Their use is restricted to bare users only.
  • Cookies: No cookies are allowed.

3.5.2. BMC Characteristics

  • OS/Kernel/Embedded: The OS/kernel/embedded concept is eliminated. There is no such centralized program; each domain-specific application is a self-controlled, self-managed, and self-executed entity. There is no interaction with entities outside an application suite. As there is no OS/kernel, a user carries a flash drive with boot code and a domain-specific application suite. Figure 6 shows a memory map for a flash drive containing a client’s UDP-based chat program.
  • Applications: All computer applications are polarized as domain-specific entities. They are independent of any platform. In conventional systems, they are dependent on platforms and execution environments.
    We have developed and demonstrated numerous domain-specific applications, including web sites, webmail, email, VoIP, text-only browsers, editors, file systems, database applications, and chat. In these systems, there are bare servers and clients that run on bare machines. For example, in the chat domain, there are physically vetted users who communicate in their own domain. All these users are vetted and use bare machines. We use context-based authentication to validate users. This is one example of a domain. All the above domain applications were tested on the Internet with bare servers and clients. On the Internet, domain-specific applications are used to communicate securely within a domain using bare devices.
  • Programming Languages: A single programming language (C/C++) is used to write applications, thus avoiding all heterogeneity in writing applications.
  • Executable: It is a single monolithic executable, which implies a single address space. Only one executable format is allowed.
  • Linking: Uses static linking, which prevents expanding the code segment to load foreign code. This provides ultimate security for the BMC applications, as malware code cannot be linked.
  • Loading: Uses static loading, which prevents extending the code segment to load malware code.
  • Multi-tasking: Multi-tasking is offered within an application suite controlled by an application programmer through events and its control flow.
  • System Calls/API: There are no system calls or APIs available to the outside world (outside an application suite). It uses a direct hardware API, integrated within an application suite.
  • Sockets: No sockets exist in the BMC paradigm, as there is no OS. Remote computer communication is implemented within a process and hidden inside an application suite.
For example, attackers use sockets to create man-in-the-middle attacks. In the BMC paradigm, sockets are not used as we build domain-specific applications with no open ports, not allowing users to create their own threads or processes. That is, items such as sockets are not needed in implementing BMC applications. The BMC paradigm inherently does not need such security-prone facilities as it does not have an OS. This approach is different from the “security through obscurity” concept. There are many such facilities that are not needed in the BMC paradigm, which offers inherent security in BMC applications. The following quote also supports your concern.
10.
Open Ports: There are no open ports in BMC programs. As it is a domain-specific application suite, IP addresses and port numbers are managed within each application code in a hardcoded manner. This is not visible outside the application suite. When a packet arrives, its corresponding event (pre-defined) will call an appropriate method to process it.
11.
During Execution: During execution, only one application suite runs. There is no interaction with other application suites or external modules in a bare computing device. No exploits are possible for an attacker.
12.
Event/Interrupt Driven: The application suite is event-driven. Limited user interrupts are used for input.
13.
Shared Memory/Message Passing: Only a shared memory approach is used within an application suite.
14.
Concurrency Control: Concurrency control is avoided by using circular lists. The code is simpler and more directly accessible to the program.
15.
I/O: There are direct hardware APIs that are hidden within an application suite.
16.
Third-Party Software: There is no third-party software used in applications.
17.
Network Interfaces: All network interfaces are hidden from the outside world. Attackers cannot use this direct hardware API.
18.
Internet Communication: Communication on the Internet is restricted to a bare Internet and its bare users only.
19.
Internet Downloads: No downloads are allowed.
20.
IoT: All IoT devices must be bare computing devices and follow the BMC paradigm and its characteristics as described in this paper.
21.
Application Program Control: A given application has its own control flow as intended at design time.
22.
Computing Device: A computing device (PC, laptop, smartphone, or other) is bare, meaning that it has no intelligence, no OS, and no mass storage. It cannot boot or run until external media runs the boot code and loads an application suite controlled by the owner. The bare device has no valuable resources. Thus, a bare computing device can be used by any user at any time. When one application suite is running, another one cannot run; therefore, there is no intrusion from other applications. There is nothing in the bare computing device to be attacked, as there are no valuable resources when it is not running. When a bare device is running, it must be physically secured by the owner. Physical security at the bare box is not convenient, but it is required to guarantee security of the device and the running application suite.
23.
Users: Only bare users can communicate with each other. For a given domain-specific application, there are a limited number of bare users. They must be physically authorized, authenticated, and controllable. We have not defined any formal methods for authentication at this point; however, we can use existing models in banking, driver’s license, etc.
Our BMC system is totally controlled by its owner, with physical security. If a trusted user changes roles and tries to exploit other bare systems, this user can only damage his/her own system and not those of others. This is because an owner’s valuable resources can only be accessed by the owner’s application suite. When a BMC application suite is running, it is a closed system that performs only intended functions. In addition, when the roles of trusted users change, their privileges are changed in the system.
In the bare machine computing model, each bare box and an application suite is owned by an owner, and it is physically secured. If an outsider or insider gained the same knowledge as the original developer, then they could reconstruct a similar system of their own. However, they will be using their own system at their own location. All valuable resources are accessible only by the owner and stored in an owner’s detachable mass storage. Moreover, if they come through the network, they will not be able to access resources, as only trusted users are allowed to communicate within the domain. Users within the domain are vetted and authenticated to communicate within the group for each transaction. In this model, all users in the group must be physically trusted. This system cannot solve insider attacks and physical security violations. All the bare nodes in the system as well as on the network must be bare and physically secure. This is a harsh requirement, but it is necessary to build highly secure systems.
24.
Messages: Each message is encrypted, integrity-protected, and authenticated using credentials physically given to authorized users by an administrator.
25.
User-Secured USBs: Uses two USBs, one bootable and one with an encrypted application suite. These USBs must be physically secured by a user.
26.
BIOS/Firmware: Bundled with a domain-specific application suite (not implemented currently).
27.
Protocols: A bare machine connects to a network via wired Ethernet. Network protocols are limited to IP and UDP (TCP/TLS is used for demonstration only) implemented within the bare application. Other protocols are not available outside the application running on the machine. Each application communicates only with its peers to ensure reliability and proper functionality. Furthermore, protocols are integrated within the application, and there are no protocol layers as in a conventional system. The attacker does not have the path to invoke these protocols. Although an attacker can spoof IP addresses, such packets will fail user authentication and be dropped. Every packet has bare user authentication, encryption, an integrity check, and replay protection.
28.
Passwords: No password files are stored on bare machines. Context-based authentication is used in bare systems.
The above BMC system guidelines and characteristics impose many restrictions for user options. This does not mean that the BMC applications have limited their user functionality. Any features or functions offered by conventional systems can also be provided by BMC applications. The functional requirements, design, and implementation are conducted in many ways to achieve the highest security possible by design. In many cases, a given functionality, protocols, and interfaces are hidden in an application. This is referred to as an A-to-A (application-to-application) approach.
For example, email attachments and downloads are not allowed in BMC characteristics. Users can still receive an attachment as a set of packets without explicitly providing attachment features. A sender and a receiver of an email application handle the disassembly and assembly of packets in their respective applications with a hidden knowledge of file characteristics. All emails and additional packets are encrypted when transmitted on a network. At the receiving site, it is ensured that this file data cannot be executed. Thus, attachments are handled differently than in conventional systems. Many other convenient features in conventional systems are implemented in BMC applications in a hidden manner.
Similarly, in BMC, software downloads are not allowed. All software that runs on a bare machine must be physically installed on a bootable USB by an authorized vendor for an authorized bare user. It is not convenient for bare users, but it is the most secure way to design BMC applications.
As per the following quotation, “In recent years, more advanced versions of “security through obscurity” have gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception. NIST’s cyber resiliency framework, 800–160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment” [55].
BMC code can run on older and new Intel processors without any (or just a few) changes. The variety and breadth of the BMC work [43,53,54,56] show that it is possible to build similar systems for secure applications in computer and information systems. The BMC paradigm can thus be an alternative to existing OS-based platforms and applications with security by design.

3.5.3. BMC Limitations

As described before, the bare machine computing paradigm has unique system guidelines and characteristics to reduce obsolescence and provide inherent security in computer and information systems. However, this approach has its own limitations, as listed below:
  • It is not a general-purpose global system.
  • It requires physical security.
  • It needs all users to be authenticated and vetted.
  • It uses a domain-specific application approach (by dividing applications into domains).
  • Only users within a domain can communicate.
  • When domain-specific users change roles, their authentication privileges are revoked.
  • All nodes in the network must be bare to guarantee high security.
  • Uses the bare Internet, where all nodes are bare and physical security is assumed.

4. Comparison of Conventional and BMC Systems

This section compares system guidelines in Table 1 (20 items) and system characteristics in Table 2 (28 items). The system guidelines are informal requirements or policies needed to build a system. The system characteristics are inherent properties of a system. Some system guidelines and characteristics may be prone to security attacks. Some system guidelines and characteristics may be resilient to security attacks. Thus, we define two terms to compare conventional and BMC systems: PECSV indicates possible exposure to cybersecurity vulnerabilities, and PRCSV designates possible resilience to cybersecurity vulnerabilities. The references obtained from the literature review are shown in the tables to determine possible vulnerabilities and resiliency in BMC systems.
Using these two tables, we make the following observations. In Table 1, in conventional system guidelines, 15 out of 20 have possible exposure to cybersecurity vulnerabilities, whereas in BMC systems, 17 out of 20 have possible resilience to cybersecurity vulnerabilities. Similarly, in Table 2, in conventional system characteristics, 17 out of 28 have possible exposure to cybersecurity vulnerabilities, whereas in BMC systems, 26 out of 28 have possible resilience to cybersecurity vulnerabilities. Overall, BMC systems show possible resiliency, and conventional systems indicate possible exposure to cybersecurity vulnerabilities. This indicates that BMC systems are inherently secure by design.

5. Cyberattacks and Analysis

An attack can have many stages, such as reconnaissance, weaponization, delivery, exploitation, installation, command, and control (C2), and actions on objectives [94]. An attacker may select the stages in their attack methodology based on suitability for their execution plan. Each cyberattack can be traced to one or more root causes in an information system: hardware, software, firmware, OS, protocols, layers, complexity, programming language, humans, and more. Most of the literature on cybersecurity indicate that after an attack, it is typical to focus on the symptoms of an attack and fix the problem as needed. Many times, the roots of an attack may still exist and manifest as a new attack. This process goes on as a “cat and mouse” game in a never-ending cycle. It is essential to find and remove the root causes of cyberattacks to eliminate them. In current information systems, cyberattack roots are inherently hidden in the architecture, protocols, policies, procedures, objectives, requirements, design, and implementation of these systems. Thus, it is harder to remove them as it assumes global markets and users. The cyberattack space is infinitely large, as shown in Figure 1, and it is difficult to comprehend and address all possibilities for a given cyberattack. Eliminating the roots of cyberattacks may require revolutionary and non-evolutionary approaches, which are not the focus of current cybersecurity research.

5.1. Overview of Selected Cyberattacks

In this section, we analyzed the chosen 22 cyberattacks. The related work and the definitions of this cyberattack are provided in Section 2.1. We identified each attack’s preventive mechanisms and some root causes using the existing literature. These root causes will help to compare the security strengths and weaknesses of conventional and BMC approaches.

5.1.1. Buffer Overflow

The following root causes and preventive methods are derived from [8,95].
Root Causes:
  • Lack of bounds checking in functions.
  • Lack of input validation and sanitization by programmers.
Preventive Mechanisms:
  • Consistently update OSs, programming languages, and compilers to their latest versions.
  • Implement code protection mechanisms.
  • Use safe functions; validate and sanitize input data.
  • Employ static code analysis tools.
  • Provide consistent training and reviews.

5.1.2. Phishing Attack

The following root causes and preventive methods are derived from [9,96].
Root Causes:
  • Clicking links can trigger malware downloads or redirect to malicious websites.
  • Downloading files can contain malicious code.
  • Running downloaded code can execute malware and cause attacks.
  • Messages from unauthenticated users may trigger attacks.
  • Email addresses are easily obtained, aiding targeted attacks.
  • Email attachments are a common phishing attack vector.
  • Website phishing can mimic legitimate sites for credential theft.
Preventive Mechanisms:
  • Check website URLs.
  • Scrutinize website design.
  • Beware of urgency-based tactics.
  • Enable two-factor authentication (2FA).
  • Report suspicious activity.
  • Utilize access control lists (ACLs).
  • Employ email filtering.
  • Use machine learning-based detection.
  • Maintain regular backups.
  • Prioritize strong passwords.
  • Educate employees on cybersecurity awareness.
  • Develop incident response plans.
  • Provide consistent training and reviews.

5.1.3. Ransomware

The following root causes and preventive methods are derived from [10,77,91,97,98].
Root Causes:
  • Downloading email attachments.
  • Downloading files from untrusted websites.
  • Allowing downloaded code to run automatically.
  • Attacker accessing OS APIs.
  • Attacker exploiting hardware vulnerabilities (TPM: Trusted Platform Model, BIOS, firmware).
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Deploy IDS (Intrusion Detection System) and IPS (Intrusion Prevention System).
  • Utilize TPM. (Note: it was also found that TPM has security vulnerabilities).
  • Maintain regular backups.
  • Implement blacklist-based detection: block known malicious domains and IP addresses.
  • Employ advanced ransomware detection: Use rule-based, statistical, machine learning-based, or hybrid techniques.
  • Change the file extensions randomly.
  • Provide consistent training and reviews.

5.1.4. Denial of Service (DoS) and Distributed Denial of Service (DDoS)

The following root causes and preventive methods are derived from [11,99].
Root Causes:
  • Allowing attackers to use a legitimate machine and infect it.
  • Allowing attackers to flood requests.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Information entropy.
  • Machine learning-based methods.
  • Artificial neural networks (ANN).
  • Statistical analysis.
  • Flow statistics.
  • Rate Limiting.
  • TCP Proxies.
  • Provide consistent training and reviews.

5.1.5. Man-in-the-Middle (MITM)

The following root causes and preventive methods are derived from [12,78,100].
Root Causes:
  • Attacker using public Wi-Fi access points.
  • Using a secure socket layer provided by the OS.
  • Exploiting protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IP.
  • Using open-source automation tools.
  • Using open-source OSs.
  • Lack of proper authentication measures to validate users.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Enable two-factor authentication (2FA).
  • ARP Spoofing Detection: cryptographic, voting-based, hardware, server-based, host-based solutions.
  • DNS Spoofing Detection: entropy-based, cryptographic, artificial neural network (ANN) solutions.
  • IP Spoofing Defense: router-based, host-based, hybrid solutions.
  • SSL/TLS Solutions: detecting forged certificates, certificate pinning, multipath probing, forcing SSL/TLS connections, friendly MITM, TLS extensions.
  • Provide consistent training and reviews.

5.1.6. Password Attack

The following root causes and preventive methods are derived from [13,101].
Root Causes:
  • Exploiting OS vulnerabilities.
  • Attacker modifying the number of password entry limits.
  • Attacker accessing password files.
  • Attacker accessing OS APIs.
  • Attacker accessing system calls.
  • Weak or predictable passwords.
Preventive Mechanisms:
  • Conduct penetration testing.
  • Enable two-factor authentication (2FA).
  • Enforce and manage strong password policies.
  • Monitor activity for suspicious behavior.
  • Employ a layered defense for a strong security posture.
  • Limit attempts to enter a correct password.
  • Change passwords frequently.
  • Avoid using the same password for multiple accounts.
  • Avoid passwords that are vulnerable to dictionary attacks.
  • Use a password manager.
  • Do not write down passwords.
  • Consider password-less authentication techniques.
  • Provide consistent training and reviews.

5.1.7. Trojan Horse

The following root causes and preventive methods are derived from [14,102,103].
Root Causes:
  • Users download either files or software.
  • Running the downloaded code automatically.
  • Exploiting OS vulnerabilities.
  • Attacker accessing system calls.
  • Attacker accessing OS APIs.
  • An attacker using auto-run-in script files.
Preventive Mechanisms:
  • Avoid opening suspicious emails.
  • Download software only from verified publishers.
  • Scan URLs before clicking.
  • Use antivirus software.
  • Deploy honeypots.
  • Provide consistent training and reviews.

5.1.8. Virus

The following root causes and preventive methods are derived from [15,104,105].
Root Causes:
  • User downloading email attachments.
  • User downloading software.
  • Users accessing fake websites.
  • User using an infected USB or other mass storage device.
  • Allowing script files in emails.
  • Attacker using batch files.
  • Exploiting OS vulnerabilities.
Preventive Mechanisms:
  • Antivirus software.
  • Firewalls.
  • Keeping OSs up to date.
  • Regularly backing up digital records.
  • Scanning systems and USBs.
  • Provide consistent training and reviews.

5.1.9. Worms

The following root causes and preventive methods are derived from [16,106].
Root Causes:
  • Downloading software.
  • Downloading email attachments.
  • Accessing fake websites.
  • Using an infected USB or other mass storage device.
  • Allowing script files in emails.
  • Attackers using batch files.
  • Exploiting OS vulnerabilities.
Preventive Mechanisms:
  • Antivirus software.
  • Firewalls.
  • Keeping OSs up to date.
  • Frequent backups of digital records.
  • Scanning systems and USBs for malware.
  • Provide consistent training and reviews.

5.1.10. Spyware

The following root causes and preventive methods are derived from [17,107].
Root Causes:
  • Downloading software.
  • Downloading email attachments.
  • Accessing fake websites.
  • Using an infected USB or other mass storage device.
  • Allowing script files in emails.
  • Attackers using batch files.
  • Exploiting OS vulnerabilities.
Preventive Mechanisms:
  • Spyware detection algorithms.
  • Antivirus software.
  • Firewalls.
  • Keeping OSs up to date.
  • Regularly backing up digital records.
  • Scanning systems and USBs for malware.
  • Provide consistent training and reviews.

5.1.11. Adware

The following root causes and preventive methods are derived from [18,108].
Root Causes:
  • Marketing.
Preventive Mechanisms:
  • Uninstall adware.
  • Reset web browser settings.
  • Delete web browser caches and cookies.
  • Use antivirus software.
  • Provide consistent training and reviews.

5.1.12. Rootkit

The following root causes and preventive methods are derived from [19,109].
Root Causes:
  • Installing software online.
  • Downloading software.
  • Exploiting OS vulnerabilities.
  • Accessing fake websites.
  • Using an infected USB or other mass storage device.
  • Using devices with infected firmware.
  • Firmware vulnerabilities.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Antivirus software.
  • Firewalls.
  • Rootkit scanners.
  • Avoiding phishing scams.
  • Keeping OSs up to date.
  • Provide consistent training and reviews.

5.1.13. Botnet

The following root causes and preventive methods are derived from [20,110].
Root Causes:
  • Software vulnerabilities.
  • Downloading software.
  • Using an infected USB or other mass storage device.
  • Open ports.
Preventive Mechanisms:
  • Using an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
  • Firewalls.
  • Enforce and manage strong password policies.
  • Access Control Lists (ACLs).
  • AI and automation tools for security.
  • Using bot managers.
  • Enable two-factor authentication (2FA).
  • Provide consistent training and reviews.

5.1.14. Data Breach

The following root causes and preventive methods are derived from [21,111].
Root Causes:
  • User mistakes or negligence.
  • Malicious insiders.
  • Lack of physical security.
  • Downloading software.
Preventive Mechanisms:
  • Regularly back up digital records.
  • Cryptography.
  • Identity and access management (IAM), such as strong password policies.
  • Incident Response Plan (IRP).
  • Enable two-factor authentication.
  • AI and automation tools for security.
  • Provide consistent training and reviews.

5.1.15. Advanced Persistent Threats (APT)

The following root causes and preventive methods are derived from [22,112].
Root Causes:
  • Downloading software.
  • Clicking on email attachments.
  • Using an infected USB or other mass storage device.
  • Accessing fake websites.
  • Exploiting OS vulnerabilities.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Access Control Lists (ACLs).
  • Controlling external media use.
  • Protecting valuable data.
  • Managing endpoint security.
  • Implementing Network Access Control (NAC).
  • Blocking high-risk applications.
  • Blocking known malware servers.
  • Analyzing security breaches for prevention.
  • Network and host hardening.
  • Provide consistent training and reviews.

5.1.16. SQL Injection

The following root causes and preventive methods are derived from [23,113].
Root Causes:
  • System privileges are granted to the DBMS.
  • DBMS bypassing OS controls.
  • Failure to validate and authenticate user-entered data.
Preventive Mechanisms:
  • Input validation and sanitization.
  • Using prepared statements.
  • Firewalls.
  • Controlling database permissions.
  • Scanning code for SQL vulnerabilities.
  • Using a secure ORM framework.
  • Using properly constructed stored procedures.
  • Applying the principle of least privilege to database accounts.
  • Prohibiting default root or admin access to applications.
  • Changing DBMS accounts from defaults to something else.
  • Provide consistent training and reviews.

5.1.17. Supply Chain

The following root causes and preventive methods are derived from [24,114].
Root Causes:
  • Providing backdoors in software and hardware.
  • Exploiting OS vulnerabilities.
  • Open-source code.
  • Downloading software.
  • Using an infected USB or other mass storage device.
  • Users accessing fake websites.
Preventive Mechanisms:
  • Implement honey tokens.
  • Secure privileged access management (PAM).
  • Implement a Zero Trust Architecture (ZTA).
  • Identify potential insider threats.
  • Identify and protect vulnerable resources.
  • Minimize access to sensitive data.
  • Implement strict shadow IT rules.
  • Conduct regular third-party risk assessments.
  • Monitor vendor networks for vulnerabilities.
  • Identify all third-party data leaks.
  • Disable backdoors.
  • Provide consistent training and reviews.

5.1.18. URL Interpretation

The following root causes and preventive methods are derived from [25,115].
Root Causes:
  • Attacker accessing private files through a URL link.
Preventive Mechanisms:
  • Input validation and sanitization.
  • URL encoding to prevent malicious characters.
  • Avoid using user input directly in code.
  • Implement strict access permissions.
  • Enable two-factor authentication (2FA).
  • Provide consistent training and reviews.

5.1.19. Insider Threats

The following root causes and preventive methods are derived from [26,116].
Root Causes:
  • Failure to apply strong security policies to private data.
  • User mistakes or negligence.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive Mechanisms:
  • Implement proper access management.
  • Employ user behavior analytics to access private data.
  • Use offensive security measures.
  • Provide consistent training and reviews.

5.1.20. Eavesdropping

The following root causes and preventive methods are derived from [27,117].
Root Causes:
  • Freely available online automation tools.
  • Open Wi-Fi access at public places.
Preventive Mechanisms:
  • Cryptography.
  • Provide consistent training and reviews.

5.1.21. Cookies

The following root causes and preventive methods are derived from [28,118].
Root Causes:
  • Marketing tools and techniques online.
  • Attackers intruding into machines.
  • Exploiting vulnerable protocols to steal cookies.
Preventive Mechanisms:
  • Do not enable cookies and disable options in browser settings.
  • Provide consistent training and reviews.

5.1.22. Social Engineering

The following root causes and preventive methods are derived from [29,119].
Root Causes:
  • Marketing tools and techniques online.
  • Attackers are intruding into machines.
  • Social platforms and networks.
Preventive Mechanisms:
  • Do not click on malicious links.
  • Do not download malicious software.
  • Do not enable cookies and disable options in browser settings.
  • Do not engage in conversations with unknown users.
  • Provide consistent training and reviews.

5.2. Description and Analysis of Selected Cyberattacks

This section analyzes the data collected on the 22 selected cyberattacks described in Section 5.1. Each cyberattack has root causes and preventive mechanisms, as shown in the cybersecurity literature review.

5.2.1. Root Causes for the 22 Cyberattacks

This section provides all elements of analysis and evaluation of BMC for cybersecurity. The 22 cyberattacks have some common root causes, as described in Section 5.1. All these root causes were collected in a list, and duplicates were eliminated. The new list resulted in the 53 root causes listed in Table 3. As these root causes are derived from the 22 chosen cyberattacks, this list may not be a complete list of all root causes that may exist in the field of cyberattacks. The names of the root causes are slightly modified to make them more readable while preserving the original meaning.

5.2.2. Preventive Mechanisms for the 22 Selected Cyberattacks

The 22 chosen cyberattacks have some common preventive mechanisms, as described in Section 5.1. All these preventive mechanisms were collected in a list, and duplicates were eliminated. The new list has 97 individual preventive mechanisms, which are listed in Table 4. As these preventive mechanisms are derived from the 22 chosen cyberattacks, this list may not be a complete list of all preventive mechanisms that may exist in the field of cyberattacks. The names of the preventive mechanisms are modified to make them more readable while preserving the original meaning.

5.3. Analysis of Cyberattacks

This section provides a discussion and analysis of 22 cyberattacks, root causes, preventive mechanisms, and an evaluation of the BMC paradigm regarding cybersecurity vulnerabilities.

5.3.1. Root Causes vs. Cyberattacks

There are 22 chosen cyberattacks and 53 identified root causes. Figure 10 shows a graph between the root causes and their corresponding cyberattacks. This figure shows how many times a given root cause appears in the number of cyberattacks.
Observations: When a root cause occurs in many cyberattacks, it needs more attention to address it. That does not mean less frequency of root causes is not important. The following discussions refer to Figure 10, where more frequent occurrences of root causes are the focus.
OS vulnerabilities (#33) are identified as a root cause of cyberattacks at 9/22, or 40%. These vulnerabilities are a common source of attacks due to their complexity and their role as middleware for all applications. Many OS design features are offered due to convenience and evolution, which may be exploited by an attacker. Also, OS versions and releases change often [2], while users continue to use older versions. Attackers have more OS vulnerability space by mixing old and new version releases.
System calls are part of an OS that is provided to build user applications and does not allow users to access the hardware directly. The OS middleware handles hardware control using a mode bit. An attacker may escalate the mode bit privilege and take over the system. An API is provided for convenience to system programmers and helps to port the code across many platforms. APIs can be used by attackers to exploit OS vulnerabilities. There are many other examples that illustrate OS vulnerabilities at many levels of an OS.
Fake websites (#43) are identified as a root cause of cyberattacks in 7/22, or 31%. Fake websites can be created easily with the existing procedures. These links can be put into emails and lure users to access a fake website. There are many phishing attacks that cause users to access fake websites.
Downloads (#48) are identified as a root cause of cyberattacks in 10/22, or 45%. This indicates that many attacks can be triggered by downloads. Attackers can attach malware to a download file, thus causing a cybersecurity vulnerability. Downloads are essential and used for convenience, which is a vulnerable feature.
Infected USBs (#51) are identified as a root cause of cyberattacks in 7/22, or 31%. It is easy to infect removable devices, and thus it contributes to more vulnerabilities. Once an infected USB is plugged in, it may spread malicious software and make a file system inaccessible or crash a system.
Other root causes can be read from the graph, and it can be observed that their frequency of occurrence in cyberattacks is smaller. Some root causes with smaller frequencies may also be important based on their effectiveness in a cyberattack. All root causes must be addressed and removed from the system to achieve a higher level of security.
Many other root causes, such as downloads, script files, and sockets/open ports, depend upon the underlying OS. This is an indirect involvement of the OS, which is not directly counted in OS vulnerabilities. Otherwise, OS vulnerabilities may be higher than what is shown in this section (40%).

5.3.2. Preventive Mechanisms vs. Cyberattacks

There are 22 chosen cyberattacks and 97 preventive mechanisms. Figure 11 shows a graph between the preventive mechanisms and their corresponding cyberattacks. This figure shows preventive mechanism usage in different types of cyberattacks.
Observations: Some observations from this graph are the following: If a preventive mechanism is used in more attacks, it indicates that it is more important to implement it. The preventive mechanism of consistent training and reviews (#18) is used for all cyberattacks. The preventive mechanisms, including antivirus software (#4), two-factor authentication (#32), firewalls (#34), and regularly backing up digital records (#69), have a frequency of occurrence of 6/22 (or 27%). The preventive mechanism “keep OS up to date” (#49) has a frequency of occurrence of 4/22 (or 18%). The preventive mechanism “scanning system and USB” has a frequency of occurrence of 3/22 (or 13.6%). Other preventive measures have a frequency of occurrence of less than 9%. Notice that none of these preventive mechanisms guarantee 100% protection from any cyberattack.

5.3.3. Conventional Root Causes Applicable to BMC Systems

Table 3 shows a list of root causes collected in Section 5.1. As these root causes are derived from conventional systems, we need to validate their applicability to BMC systems. Table 5 illustrates the applicability of the root causes to BMC systems with relevant references and justifications. Figure 12 shows that 8/53 = 15% of root causes are applicable to BMC systems.
For BMC systems, using Table 1, system guidelines, 17 out of 20 are resilient to cybersecurity vulnerabilities. Similarly, using Table 2, system characteristics: 26 out of 28 are resilient to cybersecurity vulnerabilities. This makes it likely that BMC systems are resilient to cyberattacks by design.

5.3.4. Conventional Preventive Mechanisms Applicable to BMC Systems

The 97 preventive mechanisms, listed in Table 4, are studied in this section. The applicability of these preventive mechanisms to BMC systems is listed in Table 6, with some justifications. As shown in Figure 13, about 63% of these preventive mechanisms are applicable to BMC systems, as these mechanisms are very general in nature.
The remaining preventive mechanisms are not applicable, as most of them are related to the OS. Table 1 and Table 2 illustrate the resiliency to cybersecurity vulnerabilities by design in BMC systems. Thus, additional preventive methods do not apply.

5.3.5. The Cyberattacks vs. the BMC Paradigm

Table 7 provides a final evaluation of the security strengths of the BMC paradigm and its applications using BMC system guidelines, characteristics, and conventional preventive measures as discussed before. Using the BMC approach, out of 22 cyberattacks studied, only two of them do not have protection. These two cyberattacks are related to physical security and the trust of insiders, which are applicable to all systems.

6. Significant Contributions

The BMC paradigm results in a new approach to developing computer applications. If all computing devices are bare, including PCs, laptops, and smartphones, there are no resources to protect other than the hardware. Bare machines are ownerless and usable by any user at any time by loading their own bare applications. There is nothing to compromise on a bare machine other than a running application. A bare machine and bare machine applications can survive for a long period of time without obsolescence. A single bare machine can serve many users in a time-shared manner, one user at a time, without dedicating an individual machine to each user. The BMC paradigm forces applications to use abstractions and extensions instead of obsoleting them before their normal life span. The focus on end-user applications instead of computer platforms will reduce waste, dumping, and the obsolescence of hardware, software, and people skills.
When the OS is eliminated, all OS vulnerabilities are eliminated. While a given BMC application suite is running, other applications cannot interfere with it since they cannot run at the same time. A BMC application suite runs only intended functions and nothing else. BMC systems are inherently secure by design and are likely to prevent many cybersecurity attacks. This paper will put a seed in the ground for building future systems that are highly secure. This paper also provides an alternative to conventional systems to build highly secure systems.
Conventional systems are centralized, based on some flavor of an OS, and are potentially exposed to cybersecurity vulnerabilities by their design. Since BMC systems are closed systems, application information on system internals and security mechanisms is not readily available except through reverse engineering. Such information may only be useful for devising attacks against one BMC application, as other applications may have completely different characteristics. The absence of an OS enables applications and their hardware interfaces to be customized to improve security. Only a port currently used by an application can be targeted by a DoS or DDoS attack. There are no OS interfaces or protocols to easily compromise since they are hidden and integrated with the application. BMC systems are not accessible by unauthorized global users unless they steal the credentials of legitimate bare users. The inability to download software and open email attachments and the unavailability of free and open specifications limit cybersecurity vulnerabilities in BMC systems.
In a bare Internet, all devices are bare, and all authorized users are authenticated. This offers an alternative to the current Internet, which is designed for a global market and global users. The Internet is large, complex, and global in nature, whereas a bare Internet is small and only serves a limited population of bare users. Solving cybersecurity problems on the current Internet using global solutions is not practical. In a bare Internet, it is possible to divide and conquer security problems by isolating bare users from the rest of the Internet.
This work serves as a foundation for building secure computer and information systems based on the BMC paradigm. BMC systems are simple, secure by design, and easy to build. The BMC approach enables novel computer architectures and innovative information system design to support domain-specific applications that are independent of computer platforms.

7. Conclusions

We evaluated the BMC paradigm for its resilience against 22 popular cyberattacks. We collected data for these attacks and identified their root causes and preventive methods. As most of these attacks target conventional systems with some form of an OS, we identified conventional system guidelines and characteristics and compared them with BMC system guidelines and characteristics. In addition, we provided some background on BMC applications and examined code snippets to give more insight into the BMC paradigm.
We found that in conventional system guidelines, 15 out of 20 have possible exposure to cybersecurity vulnerabilities, whereas in BMC systems, 17 out of 20 have possible resilience to cybersecurity vulnerabilities. Similarly, in conventional system characteristics, 17 out of 28 have possible exposure to cybersecurity vulnerabilities, whereas in BMC systems, 26 out of 28 have possible resilience to cybersecurity vulnerabilities. Overall, BMC systems show possible resiliency, and conventional systems indicate possible exposure to cybersecurity vulnerabilities.
The following observations are made on root causes versus cyberattacks. Root cause contributions for OS vulnerabilities are 40%, fake websites are 31%, downloads are 45%, and infected USBs are 31%. This clearly indicates the dominance of operating systems in cyberattacks. Similarly, the following observations are made on preventive mechanisms versus cyberattacks. The preventive mechanism contribution for consistent training and reviews is 100%. The preventive mechanism contributions for antivirus software, two-factor authentication, firewalls, and regularly backing up digital records are 27% for each. The preventive mechanism contribution for “keeping OS up to date” is 18%. The preventive mechanism contributions for “scanning system and USB” are 13.6%. Other preventive mechanisms have contributions less than 9%. Notice that none of these preventive mechanisms guarantee 100% protection from any cyberattack.
We also noted that for the BMC systems, the applicability of the root causes is 15%, and the applicability of preventive mechanisms is 63%.
We conducted a comprehensive evaluation of the BMC paradigm using the selected attacks and their root causes, which showed that 20 out of 22 attacks are preventable by using this paradigm. The other two attacks, namely data breaches and insider threats, are not preventable as they are caused by insiders who misuse their trust. We described significant contributions of this research, which justify use of the BMC paradigm for building real-world applications with intrinsic security. Future studies should further investigate the inherent security strengths of the BMC paradigm and the resilience of BMC applications against possible cyberattacks.

Author Contributions

Conceptualization, F.A., R.K.K., A.L.W., N.S. and A.R.; methodology, F.A., R.K.K., A.L.W., N.S. and A.R.; validation, F.A., R.K.K., A.L.W. and N.S.; investigation, F.A., R.K.K., A.L.W., N.S. and A.R.; resources, F.A., R.K.K., A.L.W., N.S. and A.R.; writing—original draft, R.K.K.; writing—review and editing, F.A., R.K.K., A.L.W. and N.S.; supervision, R.K.K. and A.L.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data are contained within the article.

Acknowledgments

The authors acknowledge that the Grammarly AI tool was used to check and correct English grammar and mistakes.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Statista. Number of Internet and Social Media Users Worldwide as of January 2024. Available online: https://www.statista.com/statistics/617136/digital-population-worldwide/ (accessed on 27 March 2024).
  2. Aslan, Ö.; Aktuğ, S.S.; Ozkan-Okay, M.; Yilmaz, A.A.; Akin, E. A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions. Electronics 2023, 12, 1333. [Google Scholar] [CrossRef]
  3. Alenezi, M.; Zarour, M. On the Relationship between Software Complexity and Security. IJSEA 2020, 11, 51–60. [Google Scholar] [CrossRef]
  4. Mellal, M.A. Obsolescence—A review of the literature. Technol. Soc. 2020, 63, 101347. [Google Scholar] [CrossRef]
  5. Zallio, M.; Berry, D. Design and Planned Obsolescence. Theories and Approaches for Designing Enabling Technologies. Des. J. 2017, 20, S3749–S3761. [Google Scholar] [CrossRef]
  6. Aladeojebi, T.K. Planned Obsolescence. IRJSE 2013, 4, 1504–1508. [Google Scholar]
  7. Malinauskaite, J.; Erdem, F.B. Planned Obsolescence in the Context of a Holistic Legal Sphere and the Circular Economy. Oxf. J. Leg. Stud. 2021, 41, 719–749. [Google Scholar] [CrossRef]
  8. Drozd, M.; Barabas, M.; Gregr, M.; Chmelar, P. Buffer overflow attacks data acquisition. In Proceedings of the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems, Prague, Czech Republic, 15–17 September 2011; pp. 775–779. [Google Scholar] [CrossRef]
  9. Zieni, R.; Massari, L.; Calzarossa, M.C. Phishing or Not Phishing? A Survey on the Detection of Phishing Websites. IEEE Access 2023, 11, 18499–18519. [Google Scholar] [CrossRef]
  10. Razaulla, S.; Fachkha, C.; Markarian, C.; Gawanmeh, A.; Mansoor, W.; Fung, B.C.M.; Assi, C. The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions. IEEE Access 2023, 11, 40698–40723. [Google Scholar] [CrossRef]
  11. Tripathi, N.; Hubballi, N. Application Layer Denial-of-Service Attacks and Defense Mechanisms: A Survey. ACM Comput. Surv. 2021, 54, 86. [Google Scholar] [CrossRef]
  12. Conti, M.; Dragoni, N.; Lesyk, V. A Survey of Man In The Middle Attacks. IEEE Commun. Surv. Tutor. 2016, 18, 3. [Google Scholar] [CrossRef]
  13. Alkhwaja, I.; Albugami, M.; Alkhwaja, A.; Alghamdi, M.; Abahussain, H.; Alfawaz, F.; Almurayh, A.; Min-Allah, N. Password Cracking with Brute Force Algorithm and Dictionary Attack Using Parallel Programming. Appl. Sci. 2023, 13, 5979. [Google Scholar] [CrossRef]
  14. National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. Guide to Malware Incident Prevention and Handling for Desktops and Laptops; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2013. Available online: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf (accessed on 27 January 2024).
  15. Khan, H.A.; Syed, A.; Mohammad, A.; Halgamuge, M.N. Computer virus and protection methods using lab analysis. In Proceedings of the IEEE 2nd International Conference on Big Data Analysis (ICBDA), Beijing, China, 10–12 March 2017; pp. 882–886. [Google Scholar] [CrossRef]
  16. Saudi, M.M.; Cullen, A.J.; Woodward, M.E. STAKCERT Framework in Eradicating Worms Attack. In Proceedings of the International Conference on CyberWorlds, Bradford, UK, 7–11 September 2009; pp. 257–264. [Google Scholar] [CrossRef]
  17. Naser, M.; Abu Al-Haija, Q. Spyware Identification for Android Systems Using Fine Trees. Information 2023, 14, 102. [Google Scholar] [CrossRef]
  18. Umar, F.; Khurana, S.S.; Singh, P.; Kumar, M. An Empirical Study on Detection of Android Adware Using Machine Learning Techniques. Multimed Tools Appl. 2024, 83, 38753–38792. [Google Scholar] [CrossRef]
  19. Kühnhauser, W.E. Root Kits—An operating systems viewpoint. SIGOPS Oper. Syst. Rev. 2004, 38, 12–23. [Google Scholar] [CrossRef]
  20. Owen, H.; Zarrin, J.; Pour, S.M. A Survey on Botnets, Issues, Threats, Methods, Detection and Prevention. J. Cybersecur. Priv. 2022, 2, 74–88. [Google Scholar] [CrossRef]
  21. Fleury-Charles, A.; Chowdhury, M.M.; Rifat, N. Data Breaches: Vulnerable Privacy. In Proceedings of the IEEE International Conference on Electro Information Technology (eIT), Mankato, MN, USA, 19–21 May 2022; pp. 538–543. [Google Scholar] [CrossRef]
  22. Gan, C.; Lin, J.; Huang, D.-W.; Zhu, Q.; Tian, L. Advanced Persistent Threats and Their Defense Methods in Industrial Internet of Things: A Survey. Mathematics 2023, 11, 3115. [Google Scholar] [CrossRef]
  23. Alghawazi, M.; Alghazzawi, D.; Alarifi, S. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review. J. Cybersecur. Priv. 2022, 2, 764–777. [Google Scholar] [CrossRef]
  24. Sobb, T.; Turnbull, B.; Moustafa, N. Supply Chain 4.0: A Survey of Cyber Security Challenges, Solutions and Future Directions. Electronics 2020, 9, 1864. [Google Scholar] [CrossRef]
  25. Sharma, P.; Nagpal, B. A Study on URL Manipulation Attack Methods and Their Countermeasures. IJETCSE 2015, 15, 116–119. [Google Scholar]
  26. Saxena, N.; Hayes, E.; Bertino, E.; Ojo, P.; Choo, K.-K.R.; Burnap, P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics 2020, 9, 1460. [Google Scholar] [CrossRef]
  27. Kim, M.; Suh, T. Eavesdropping Vulnerability and Countermeasure in Infrared Communication for IoT Devices. Sensors 2021, 21, 8207. [Google Scholar] [CrossRef] [PubMed]
  28. Sivakorn, S.; Polakis, I.; Keromytis, A.D. The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016; pp. 724–742. [Google Scholar] [CrossRef]
  29. Salahdine, F.; Kaabouch, N. Social Engineering Attacks: A Survey. Future Internet 2019, 11, 89. [Google Scholar] [CrossRef]
  30. CVE—Common Vulnerabilities and Exposures. MITRE Corporation. Available online: https://cve.mitre.org/ (accessed on 17 July 2024).
  31. CWE—Common Weakness Enumeration. MITRE Corporation. Available online: https://cwe.mitre.org/ (accessed on 17 July 2024).
  32. MITRE ATT&CK®. MITRE Corporation. Available online: https://attack.mitre.org/ (accessed on 17 July 2024).
  33. IoT Business News. State of IoT 2023: Number of Connected IoT Devices Growing 16% to 16.0 Billion Globally—Wi-Fi, Bluetooth, and Cellular Driving the Market. Available online: https://iotbusinessnews.com/2023/05/25/34645-state-of-iot-2023-number-of-connected-iot-devices-growing-16-to-16-0-billion-globally-wi-fi-bluetooth-and-cellular-driving-the-market/ (accessed on 27 January 2024).
  34. Zhang, Y.; Frank, R.; Warkentin, N.; Zakimi, N. Accessible from the open web: A qualitative analysis of the available open-source information involving cyber security and critical infrastructure. J. Cybersecur. 2022, 8, tyac003. [Google Scholar] [CrossRef]
  35. Mafamane, R.; Ouadou, M.; Hassani, A.T.J.; Minaoui, K. Study of the heterogeneity problem in the Internet of Things and Cloud Computing integration. In Proceedings of the 2020 10th International Symposium on Signal, Image, Video and Communications (ISIVC), Saint-Etienne, France, 7–9 April 2021; pp. 1–6. [Google Scholar] [CrossRef]
  36. Evolution of Computing. The Problem of Growing Complexity in the Evolution of Computing. Available online: https://evolutionofcomputing.org/Multicellular/ProblemStatement.html (accessed on 27 January 2024).
  37. Umejiaku, A.P.; Dhakal, P.; Sheng, V.S. Balancing Password Security and User Convenience: Exploring the Potential of Prompt Models for Password Generation. Electronics 2023, 12, 2159. [Google Scholar] [CrossRef]
  38. Statista. Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2023, with Forecasts from 2022 to 2030. Available online: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/ (accessed on 27 March 2024).
  39. Okafor, U.; Karne, R.K.; Wijesinha, A.L.; Appiah-Kubi, P. Eliminating the Operating System via the Bare Machine Computing Paradigm. In Proceedings of the Fifth International Conference on Future Computational Technologies and Applications, Valencia, Spain, 27 May–1 June 2013; pp. 1–6. [Google Scholar]
  40. MisCircuitos. Difference between Bare Metal vs. Embedded Linux. Available online: https://miscircuitos.com/difference-between-bare-metal-vs-embedded-linux/ (accessed on 27 January 2024).
  41. IBM. What is a Bare Metal Server? Available online: https://www.ibm.com/topics/bare-metal-dedicated-servers (accessed on 27 January 2024).
  42. Karne, R.K.; Wijesinha, A.L.; Liang, S.; Appiah-Kubi, P. A Bare PC Mass Storage USB Driver. Int. J. Comput. Appl. 2013, 21, 32. [Google Scholar]
  43. Alotaibi, F.; Karne, R.K.; Wijesinha, A.; Soundararajan, N.; Rangi, A. A Chat Application on a Bare Internet. In Proceedings of the 2024 IEEE 48th Annual Computers, Software, and Applications (COMPSAC), Osaka, Japan, 2–4 July 2024; pp. 2411–2416. [Google Scholar]
  44. Engler, D.R. The Exokernel Operating System Architecture. Ph.D. Thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 1998. [Google Scholar]
  45. Levis, P. Experiences from a decade of TinyOS development. In Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, Hollywood, CA, USA, 8–10 October 2012; pp. 207–220. [Google Scholar]
  46. Lange, J.; Pedretti, K.; Hudson, T.; Dinda, P.; Cui, Z.; Xia, L.; Bridges, P.; Gocke, A.; Jaconette, S.; Levenhagen, M.; et al. Palacios and Kitten: New High Performance Operating Systems For Scalable Virtualized and Native Supercomputing. In Proceedings of the 2010 IEEE International Symposium on Parallel & Distributed Processing (IPDPS), Atlanta, GA, USA, 19–23 April 2010; pp. 1–12. [Google Scholar] [CrossRef]
  47. Isaac, O.; Okokpujie, K.; Akinwumi, H.; Juwe1, J.; Otunuya, H.; Alagbe, O. An Overview of Microkernel Based Operating Systems. IOP Conf. Ser. Mater. Sci. Eng. 2021, 1107, 012052. [Google Scholar] [CrossRef]
  48. Kong, X.; Chen, J.; Bai, W.; Xu, Y.; Elhaddad, M.; Raindel, S.; Padhye, J.; Lebeck, A.R.; Zhuo, D. Understanding RDMA Microarchitecture Resources for Performance Isolation. In Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation, Boston, MA, USA, 17–19 April 2023; pp. 31–48. [Google Scholar]
  49. Pai, V.S.; Druschel, P.; Zwaenepoel, W. IO-Lite: A Unified I/O Buffering and Caching System. ACM Trans. Comput. Syst. 2000, 18, 37–66. [Google Scholar] [CrossRef]
  50. Zhang, I.; Liu, J.; Austin, A.; Roberts, M.L.; Badam, A. I’m Not Dead Yet! The Role of the Operating System in a Kernel-Bypass Era. In Proceedings of the Workshop on Hot Topics in Operating Systems, Bertinoro, Italy, 13–15 May 2019; pp. 73–80. [Google Scholar] [CrossRef]
  51. Baccelli, E.; Gündogan, C.; Hahm, O.; Kietzmann, P.; Lenders, M.S.; Petersen, H.; Schleiser, K.; Schmidt, T.C.; Wählisch, M. RIOT: An Open Source Operating System for Low-End Embedded Devices in the IoT. IEEE Internet Things J. 2018, 5, 6. [Google Scholar] [CrossRef]
  52. Sen, S.; Guérin, R.; Hosanagar, K. Functionality-rich Versus Minimalist Platforms: A Two-sided Market Analysis. ACM SIGCOMM Comput. Commun. Rev. 2011, 41, 36–43. [Google Scholar] [CrossRef]
  53. Soundararajan, N.; Karne, R.; Wijesinha, A.; Ordouie, N.; Chang, H. Design Issues in Running a Webserver on Bare PC Multi-Core Architecture. In Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain, 13–17 July 2020; pp. 555–564. [Google Scholar] [CrossRef]
  54. Appiah-Kubi, P.; Karne, R.K.; Wijesinha, A.L. A Bare PC TLS Webmail Server. In Proceedings of the 2012 International Conference on Computing, Networking and Communications (ICNC), Maui, HI, USA, 30 January–2 February 2012; pp. 149–153. [Google Scholar] [CrossRef]
  55. Wikipedia. Available online: https://en.wikipedia.org/wiki/Security_through_obscurity (accessed on 20 August 2024).
  56. Alotaibi, F.; Karne, R.K.; Wijesinha, A. A Stateless Bare PC Web Server. In Proceedings of the 19th International Conference on Web Information Systems and Technologies (WEBIST 2023), Rome, Italy, 15–17 November 2023; pp. 406–413. [Google Scholar] [CrossRef]
  57. The SSL Store. Executing a Man-in-the-Middle Attack in Just 15 Minutes. Available online: https://www.thesslstore.com/blog/man-in-the-middle-attack-2 (accessed on 27 March 2024).
  58. Alwis, C.D.; Porambage, P.; Dev, K.; Gadekallu, T.R.; Liyanage, M. A Survey on Network Slicing Security: Attacks, Challenges, Solutions and Research Directions. IEEE Commun. Surv. Tutor. 2024, 26, 534–570. [Google Scholar] [CrossRef]
  59. Harrison, R. Reducing complexity in securing heterogeneous networks. Netw. Secur. 2015, 10, 11–13. [Google Scholar] [CrossRef]
  60. Li, L.; Daoyuan, L.; Bissyandé, T.F.; Klein, J.; Trao, Y.L.; Lo, D.; Cavallaro, L. Understanding Android app piggybacking: A systematic study of malicious code grafting. IEEE Trans. Inf. Forensics Secur. 2017, 12, 1269–1284. [Google Scholar] [CrossRef]
  61. Alhamry, M.; Elmedany, W. Exploring Wi-Fi WPA2 KRACK Vulnerability: A Review Paper. In Proceedings of the 2022 International Conference on Data Analytics for Business and Industry (ICDABI), Sakhir, Bahrain, 25–26 October 2022; pp. 766–772. [Google Scholar]
  62. Vondráček, M.; Pluskal, J.; Ryšavý, O. Automated Man-in-the-Middle Attack Against Wi-Fi Networks. J. Digit. Forensic. Secur. Law 2018, 13, 9. [Google Scholar] [CrossRef]
  63. Pan, Z.; Shen, W.; Wang, X.; Yang, Y.; Chang, R.; Liu, Y.; Liu, C.; Liu, Y.; Ren, K. Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines. IEEE Trans. Dependable Secur. Comput. 2024, 21, 403–418. [Google Scholar] [CrossRef]
  64. Duman, S.; Büchler, M.; Egele, M.; Kirda, E. Pellucid Attachment: Protecting Users from Attacks via E-mail Attachments. IEEE Trans. Dependable Secure Comput. 2023, 21, 1342–1354. [Google Scholar] [CrossRef]
  65. Hakak, S.; Khan, W.Z.; Imran, M.; Choo, K.R.; Shoaib, M. Have You Been a Victim of COVID-19-Related Cyber Incidents? Survey, Taxonomy, and Mitigation Strategies. IEEE Access 2020, 8, 124134–124144. [Google Scholar] [CrossRef]
  66. Cengiz, A.B.; Kalem, G.; Boluk, P.S. The Effect of Social Media User Behaviors on Security and Privacy Threats. IEEE Access 2022, 10, 57674–57684. [Google Scholar] [CrossRef]
  67. Chang, V.; Golightly, L.; Xu, Q.A.; Boonmee, T.; Liu, B.S. Cybersecurity for children: An investigation into the application of social media. Enterp. Inf. Syst. 2023, 17, 2188122. [Google Scholar] [CrossRef]
  68. Masri, R.; Aldwairi, M. Automated malicious advertisement detection using VirusTotal, URLVoid, and TrendMicro. In Proceedings of the 2017 8th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 4–6 April 2017; pp. 336–341. [Google Scholar] [CrossRef]
  69. Pooranian, Z.; Conti, M.; Haddadi, H.; Tafazolli, R. Online Advertising Security: Issues, Taxonomy, and Future Directions. IEEE Commun. Surv. Tut. 2020, 23, 2494–2524. [Google Scholar] [CrossRef]
  70. Shantanu, B.; Janet, J.; Arul Kumar, R.J. Malicious URL Detection: A Comparative Study. In Proceedings of the 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS), Coimbatore, India, 25–27 March 2021; pp. 1147–1151. Available online: https://ieeexplore.ieee.org/document/9396014 (accessed on 20 August 2024).
  71. Aljabri, M.; Altamimi, H.S.; Albelali, S.A.; Al-Harbi, M.; Alhuraib, H.T.; Alotaibi, N.K.; Alahmadi, A.A.; Alhaidari, F.; Mohammad, R.M.A.; Salah, K. Detecting Malicious URLs Using Machine Learning Techniques: Review and Research Directions. IEEE Access 2022, 10, 121395–121417. [Google Scholar] [CrossRef]
  72. Cunningham, B.; Fuller, E.; Little, C.; Schack, T.; Dykstra, T.; Hoagberg, M.; Miles, G.; Rogers, R. Network Security Evaluation Using the NSA IEM; Syngress: Rockland, MA, USA, 2005; ISBN 978-1-59749-035-1. [Google Scholar]
  73. Gao, Z.; Ansari, N. Tracing cyber attacks from the practical perspective. IEEE Commun. Mag. 2005, 43, 123–131. [Google Scholar] [CrossRef]
  74. Yang, J. Analysis on cookies and cybersecurity. In Proceedings of the Third International Symposium on Computer Engineering and Intelligent Communications (ISCEIC 2022), Xi’an, China, 16–18 September 2022; Volume 12462, pp. 217–224. [Google Scholar]
  75. Bhurtel, M.; Rawat, D.B. Unveiling the Landscape of Operating System Vulnerabilities. Future Internet 2023, 15, 248. [Google Scholar] [CrossRef]
  76. Jang, M.; Kim, H.; Yun, Y. Detection of DLL Inserted by Windows Malicious Code. In Proceedings of the 2007 International Conference on Convergence Information Technology (ICCIT 2007), Gwangju, Republic of Korea, 21–23 November 2007; pp. 1059–1064. [Google Scholar] [CrossRef]
  77. Alzahrani, S.; Xiao, Y.; Sun, W. An Analysis of Conti Ransomware Leaked Source Codes. IEEE Access 2022, 10, 100178–100193. [Google Scholar] [CrossRef]
  78. Chordiya, A.R.; Majumder, S.; Javaid, A.Y. Man-in-the-Middle (MITM) Attack Based Hijacking of HTTP Traffic Using Open Source Tools. In Proceedings of the 2018 IEEE International Conference on Electro/Information Technology (EIT), Rochester, MI, USA, 3–5 May 2018; pp. 438–443. [Google Scholar] [CrossRef]
  79. Sang, F.L.; Nicomette, V.; Deswarte, Y. I/O Attacks in Intel PC-based Architectures and Countermeasures. In Proceedings of the First SysSec Workshop, Amsterdam, The Netherlands, 6 July 2011; pp. 19–26. [Google Scholar] [CrossRef]
  80. Gozman, D.; Willcocks, L. The emerging Cloud Dilemma: Balancing innovation with cross-border privacy and outsourcing regulations. J. Bus. Res. 2019, 97, 235–256. [Google Scholar] [CrossRef]
  81. Benaroch, M. Third-party induced cyber incidents—Much ado about nothing? J. Cybersecur. 2021, 7, tyab020. [Google Scholar] [CrossRef]
  82. Shah, M.; Soni, V.; Shah, H.; Desai, M. TCP/IP network protocols—Security threats, flaws and defense methods. In Proceedings of the 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 16–18 March 2016; pp. 2693–2699. [Google Scholar]
  83. Liu, R.; Yu, B.; Wang, B.; Ye, J.; Huang, J.; Kong, X. SEEKER: A Root Cause Analysis Method Based on Deterministic Replay for Multi-Type Network Protocol Vulnerabilities. In Proceedings of the 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Wuhan, China, 9–11 December 2022; pp. 131–138. [Google Scholar] [CrossRef]
  84. Geetha, K.; Sreenath, N. SYN flooding attack—Identification and analysis. In Proceedings of the International Conference on Information Communication and Embedded Systems (ICICES2014), Chennai, India, 27–28 February 2014; pp. 1–7. [Google Scholar]
  85. AbdAllah, E.G.; Hassanein, H.S.; Zulkernine, M. A Survey of Security Attacks in Information-Centric Networking. IEEE Commun. Surv. Tut. 2015, 17, 1441–1454. [Google Scholar] [CrossRef]
  86. Kalafut, A.; Acharya, A.; Gupta, M. A study of malware in peer-to-peer networks. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeriro, Brazil, 25–27 October 2006; pp. 327–332. [Google Scholar]
  87. Lalonde Lévesque, F.; Chiasson, S.; Somayaji, A.; Fernandez, J.M. Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach. ACM Trans. Priv. Secur. 2018, 21, 18. [Google Scholar] [CrossRef]
  88. Faruk, M.J.H.; Shahriar, H.; Valero, M.; Barsha, F.L.; Sobhan, S.; Khan, A.; Whitman, M.; Cuzzocrea, A.; Lo, D.; Rahman, A.; et al. Malware Detection and Prevention using Artificial Intelligence Techniques. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December 2021; pp. 5369–5377. [Google Scholar] [CrossRef]
  89. Syafitri, W.; Shukur, Z.; Mokhtar, U.A.; Sulaiman, R.; Ibrahim, M.A. Social Engineering Attacks Prevention: A Systematic Literature Review. IEEE Access 2022, 10, 39325–39343. [Google Scholar] [CrossRef]
  90. Shokeen, R.; Shanmugam, B.; Kannoorpatti, K.; Azam, S.; Jonkman, M.; Alazab, M. Vulnerabilities Analysis and Security Assessment Framework for the Internet of Things. In Proceedings of the 2019 Cybersecurity and Cyberforensics Conference (CCC), Melbourne, Australia, 8–9 May 2019; pp. 22–29. [Google Scholar] [CrossRef]
  91. Winter, J.; Dietrich, K. A hijacker’s guide to communication interfaces of the trusted platform module. Comput. Math. Appl. 2013, 65, 748–761. [Google Scholar] [CrossRef]
  92. Ylli, E.; Fejzaj, J. Man in the Middle: Attack and Protection. In Proceedings of the 4th International Conference on Recent Trends and Applications in Computer Science and Information Technology, Tirana, Albania, 21–22 May 2021; pp. 198–204. [Google Scholar]
  93. Otta, S.P.; Panda, S.; Gupta, M.; Hota, C. A Systematic Survey of Multi-Factor Authentication for Cloud Infrastructure. Future Internet 2023, 15, 146. [Google Scholar] [CrossRef]
  94. Lockheed Martin. Gaining the Advantage: Cyber Kill Chain®. Available online: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf (accessed on 27 January 2024).
  95. Pirry, C.; Marco-Gisbert, H.; Begg, C. A Review of Memory Errors Exploitation in x86-64. Computers 2020, 9, 48. [Google Scholar] [CrossRef]
  96. Alabdan, R. Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, 12, 168. [Google Scholar] [CrossRef]
  97. Oz, H.; Aris, A.; Levi, A.; Uluagac, A.S. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Comput. Surv. 2022, 54, 238. [Google Scholar] [CrossRef]
  98. Yamany, B.; Elsayed, M.S.; Jurcut, A.D.; Abdelbaki, N.; Azer, M.A. A Holistic Approach to Ransomware Classification: Leveraging Static and Dynamic Analysis with Visualization. Information 2024, 15, 46. [Google Scholar] [CrossRef]
  99. Saghezchi, F.B.; Mantas, G.; Violas, M.A.; de Oliveira Duarte, A.M.; Rodriguez, J. Machine Learning for DDoS Attack Detection in Industry 4.0 CPPSs. Electronics 2022, 11, 602. [Google Scholar] [CrossRef]
  100. Morsy, S.M.; Nashat, D. D-ARP: An Efficient Scheme to Detect and Prevent ARP Spoofing. IEEE Access 2022, 10, 49142–49153. [Google Scholar] [CrossRef]
  101. Събев, П.; Petrov, M. Android Password Managers and Vault Applications: Data Storage Security Issues Identification. J. Inf. Secur. Appl. 2022, 67, 103152. [Google Scholar] [CrossRef]
  102. Gudipati, V.K.; Vetwal, A.; Kumar, V.; Adeniyi, A.; Abuzneid, A. Detection of Trojan Horses by the analysis of system behavior and data packets. In Proceedings of the 2015 Long Island Systems, Applications and Technology, Farmingdale, NY, USA, 1 May 2015; pp. 1–4. [Google Scholar] [CrossRef]
  103. Chen, N.; Chen, B. Defending against OS-Level Malware in Mobile Devices via Real-Time Malware Detection and Storage Restoration. J. Cybersecur. Priv. 2022, 2, 311–328. [Google Scholar] [CrossRef]
  104. Djenna, A.; Bouridane, A.; Rubab, S.; Marou, I.M. Artificial Intelligence-Based Malware Detection, Analysis, and Mitigation. Symmetry 2023, 15, 677. [Google Scholar] [CrossRef]
  105. Vander–Pallen, M.A.; Addai, P.; Isteefanos, S.; Mohd, T.K. Survey on Types of Cyber Attacks on Operating System Vulnerabilities since 2018 onwards. In Proceedings of the 2022 IEEE World AI IoT Congress (AIIoT), Seattle, WA, USA, 6–9 June 2022; pp. 01–07. [Google Scholar] [CrossRef]
  106. Syeda, D.Z.; Asghar, M.N. Dynamic Malware Classification and API Categorisation of Windows Portable Executable Files Using Machine Learning. Appl. Sci. 2024, 14, 1015. [Google Scholar] [CrossRef]
  107. U.S. Cybersecurity and Infrastructure Security Agency (CISA). Protecting Your Home Computer from Spyware, U.S. Cybersecurity and Infrastructure Security Agency (CISA). 2005. Available online: https://www.cisa.gov/sites/default/files/publications/spywarehome_0905.pdf (accessed on 27 January 2024).
  108. Vasani, V.; Bairwa, A.K.; Joshi, S.; Pljonkin, A.; Kaur, M.; Amoon, M. Comprehensive Analysis of Advanced Techniques and Vital Tools for Detecting Malware Intrusion. Electronics 2023, 12, 4299. [Google Scholar] [CrossRef]
  109. Kumar, S.S.; Valavan, A.P.; Prathiksha, V. Prevention of Kernel Rootkit in Cloud Computing. In Proceedings of the 2023 7th International Conference on Intelligent Computing and Control Systems (ICICCS), Madurai, India, 17–19 May 2023; pp. 732–739. [Google Scholar] [CrossRef]
  110. Thanh Vu, S.N.; Stege, M.; El-Habr, P.I.; Bang, J.; Dragoni, N. A Survey on Botnets: Incentives, Evolution, Detection and Current Trends. Future Internet 2021, 13, 198. [Google Scholar] [CrossRef]
  111. Molitor, D.; Raghupathi, W.; Saharia, A.; Raghupathi, V. Exploring Key Issues in Cybersecurity Data Breaches: Analyzing Data Breach Litigation with ML-Based Text Analytics. Information 2023, 14, 600. [Google Scholar] [CrossRef]
  112. Alshamrani, A.; Myneni, S.; Chowdhary, A.; Huang, D. A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities. IEEE Commun. Surv. Tutor. 2019, 21, 1851–1877. [Google Scholar] [CrossRef]
  113. OWASP Foundation. SQL Injection Prevention Cheat Sheet. Available online: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html (accessed on 27 January 2024).
  114. Fan, L.; Zhang, B.; Xiong, S.; Li, Q. Secure Change Control for Supply Chain Systems via Dynamic Event Triggered Using Reinforcement Learning under DoS Attacks. Electronics 2024, 13, 1136. [Google Scholar] [CrossRef]
  115. S. M. Christey. Chapter 11: Preventing Common Problems. Available online: https://www.cgisecurity.com/owasp/html/ch11s04.html (accessed on 17 July 2024).
  116. Lee, I. Analysis of Insider Threats in the Healthcare Industry: A Text Mining Approach. Information 2022, 13, 404. [Google Scholar] [CrossRef]
  117. Chang, X.; Peng, L.; Zhang, S. Allocation of Eavesdropping Attacks for Multi-System Remote State Estimation. Sensors 2024, 24, 850. [Google Scholar] [CrossRef]
  118. Alharbi, J.A.; Albesher, A.S.; Wahsheh, H.A. An Empirical Analysis of E-Governments’ Cookie Interfaces in 50 Countries. Sustainability 2023, 15, 1231. [Google Scholar] [CrossRef]
  119. Airehrour, D.; Vasudevan Nair, N.; Madanian, S. Social Engineering Attacks and Countermeasures in the New Zealand Banking System: Advancing a User-Reflective Mitigation Model. Information 2018, 9, 110. [Google Scholar] [CrossRef]
Figure 1. Ten dimensions of cybersecurity space.
Figure 1. Ten dimensions of cybersecurity space.
Jcp 04 00033 g001
Figure 2. OS-based system.
Figure 2. OS-based system.
Jcp 04 00033 g002
Figure 3. Conventional application development process.
Figure 3. Conventional application development process.
Jcp 04 00033 g003
Figure 4. BMC-based system.
Figure 4. BMC-based system.
Jcp 04 00033 g004
Figure 5. Hello program using the BMC paradigm. * Refers to a pointer declaration in C++.
Figure 5. Hello program using the BMC paradigm. * Refers to a pointer declaration in C++.
Jcp 04 00033 g005
Figure 6. Memory map.
Figure 6. Memory map.
Jcp 04 00033 g006
Figure 7. Compilation process. * Refers to all file names with the .obj extension in the command rem erase *.obj.
Figure 7. Compilation process. * Refers to all file names with the .obj extension in the command rem erase *.obj.
Jcp 04 00033 g007
Figure 8. Task creation.
Figure 8. Task creation.
Jcp 04 00033 g008
Figure 9. UDP-based protocol.
Figure 9. UDP-based protocol.
Jcp 04 00033 g009aJcp 04 00033 g009b
Figure 10. Root causes vs. cyberattacks.
Figure 10. Root causes vs. cyberattacks.
Jcp 04 00033 g010
Figure 11. Frequency of preventive mechanisms.
Figure 11. Frequency of preventive mechanisms.
Jcp 04 00033 g011
Figure 12. Root causes applicability to BMC.
Figure 12. Root causes applicability to BMC.
Jcp 04 00033 g012
Figure 13. Preventive mechanisms applicability to BMC.
Figure 13. Preventive mechanisms applicability to BMC.
Jcp 04 00033 g013
Table 1. Comparison of System Guidelines.
Table 1. Comparison of System Guidelines.
Seq.System GuidelinesConventional SystemsPECSVBMC SystemsPRCSV
1System ApproachEvolutionary Revolutionary
2Open/Closed OpenJcp 04 00033 i001
Conventional
Guideline 2
ClosedJcp 04 00033 i002 BMC Guideline 2
3Global FocusYes Local Focus
4Global UsersYesJcp 04 00033 i001 [1,2]Local Users
5Equal AccessYes RestrictedJcp 04 00033 i002 BMC Guideline 5
6Free Learning YesJcp 04 00033 i001 [57]Restricted Jcp 04 00033 i002 BMC Guideline 6
7Free InternetYes Bare InternetJcp 04 00033 i002 BMC Guideline 7
8Layered SystemsYesJcp 04 00033 i001 [58]NoJcp 04 00033 i002 BMC Guideline 8
9HeterogeneityYesJcp 04 00033 i001 [59]NoJcp 04 00033 i002 BMC Guideline 9
10User/Developer ConvenienceYesJcp 04 00033 i001 [37]Not Top PriorityJcp 04 00033 i002 BMC Guideline 10
11TrainingYes YesJcp 04 00033 i002 BMC Guideline 11
12Software Installation OnlineYesJcp 04 00033 i001 [60]NoJcp 04 00033 i002 BMC Guideline 12
13Wi-FiYesJcp 04 00033 i001 [61,62]Not Supported YetJcp 04 00033 i002 BMC Guideline 13
14Scripts and Batch FilesYesJcp 04 00033 i001 [63]NoJcp 04 00033 i002 BMC Guideline 14
15Attachments and LinksYesJcp 04 00033 i001 [64,65]NoJcp 04 00033 i002 BMC Guideline 15
16Social MediaYesJcp 04 00033 i001 [66,67]NoJcp 04 00033 i002 BMC Guideline 16
17AdvertisementsYesJcp 04 00033 i001 [68,69]NoJcp 04 00033 i002 BMC Guideline 17
18Unsolicited WebsitesYesJcp 04 00033 i001 [70,71]NoJcp 04 00033 i002 BMC Guideline 18
19Automated Tools YesJcp 04 00033 i001 [72,73]Restricted Jcp 04 00033 i002 BMC Guideline 19
20CookiesYesJcp 04 00033 i001 [74]NoJcp 04 00033 i002 BMC Guideline 20
Jcp 04 00033 i001 PECSV: Possible Exposure to Cybersecurity Vulnerabilities. Jcp 04 00033 i002 PRCSV: Possible Resilience to Cybersecurity Vulnerabilities. N/A: Not Applicable.
Table 2. Comparison of System Characteristics.
Table 2. Comparison of System Characteristics.
Seq.System CharacteristicsConventional SystemsPECSVBMC SystemsPRCSV
1OS/Kernel/EmbeddedYesJcp 04 00033 i001 [75]NoJcp 04 00033 i002
BMC Characteristic 1
2ApplicationsEnvironment-centric Domain-specificJcp 04 00033 i002
BMC Characteristic 2
3Programming LanguagesMany ASM/C/C++BMC Characteristic 3
4ExecutableFormat varies depending on OS Single monolithic executableJcp 04 00033 i002
BMC Characteristic 4
5LinkingDynamic (DLLs)Jcp 04 00033 i001 [76]Static (No DLLs)Jcp 04 00033 i002
BMC Characteristic 5
6LoadingDynamic StaticJcp 04 00033 i002
BMC Characteristic 6
7Multi-taskingYes Yes (Only within a domain-specific application)Jcp 04 00033 i002
BMC Characteristic 7
8System Calls/APIYesJcp 04 00033 i001 [77]No (Direct Hardware Interfaces)Jcp 04 00033 i002
BMC Characteristic 8
9SocketsYesJcp 04 00033 i001 [78]NoJcp 04 00033 i002
BMC Characteristic 9
10Open PortsYesJcp 04 00033 i001 [79]NoJcp 04 00033 i002
BMC Characteristic 10
11During executionA given application, OS, and other applications Only a given domain-specific application-suiteBMC Characteristic 11
12Event/Interrupt drivenBoth Event-drivenJcp 04 00033 i002
BMC Characteristic 12
13Shared memory/Message PassingBoth Shared Memory (Single Address Space)Jcp 04 00033 i002
BMC Characteristic 13
14Concurrency controlSemaphores and other Uses circular lists as buffers, avoids concurrency controlsJcp 04 00033 i002
BMC Characteristic 14
15I/OInterrupt drivenJcp 04 00033 i001 [80]Direct Hardware InterfacesJcp 04 00033 i002
BMC Characteristic 15
16Third-Party SoftwareYesJcp 04 00033 i001 [81,82]NoJcp 04 00033 i002
BMC Characteristic 16
17Network interfacesMany interactions during the session between a client and a serverJcp 04 00033 i001 [83,84]Only a few interactions (Short data sessions)Jcp 04 00033 i002
BMC Characteristic 17
18Communication on the InternetGlobal InternetJcp 04 00033 i001 [85]Bare Internet Jcp 04 00033 i002
BMC Characteristic 18
19Downloads on the InternetYesJcp 04 00033 i001 [86,87,88,89]NoJcp 04 00033 i002
BMC Characteristic 19
20IoTsSmall OS, Embedded NodesJcp 04 00033 i001 [90]Must be bare nodesJcp 04 00033 i002
BMC Characteristic 20
21Computing DeviceValuable Resources (Storage, OS, Other)Jcp 04 00033 i001 ObviousNo valuable resources (Bare)Jcp 04 00033 i002
BMC Characteristic 21
22Application-program ControlNo, OS controls it Yes, Domain-specific application suite controls the control flow as designedJcp 04 00033 i002
BMC Characteristic 22
23UsersGlobal, AllJcp 04 00033 i001 [2]Only Bare Users, AuthorizedJcp 04 00033 i002
BMC Characteristic 23
24MessagesMay not have valid authenticationJcp 04 00033 i001 [2]Each message contains encrypted bare user authenticationJcp 04 00033 i002
BMC Characteristic 24
25User-Secured USBsN/A Uses two USBs, boots, and an encrypted application suiteJcp 04 00033 i002
BMC Characteristic 25
26BIOS/FirmwareNot bundled with OSJcp 04 00033 i001 [91]Bundled with the domain-specific application suiteJcp 04 00033 i002
BMC Characteristic 26
27ProtocolsLayered protocolsJcp 04 00033 i001 [92]Integrated with the application-suiteJcp 04 00033 i002
BMC Characteristic 27
28PasswordsPassword files part of OS structuresJcp 04 00033 i001 [13,93]No password files (authentication stored in program structures)Jcp 04 00033 i002
BMC Characteristic 28
Jcp 04 00033 i001 PECSV: Possible Exposure to Cybersecurity Vulnerabilities. Jcp 04 00033 i002 PRCSV: Possible Resilience to Cybersecurity Vulnerabilities. N/A: Not Applicable.
Table 3. Root Causes.
Table 3. Root Causes.
  • Allowing attackers to flood requests.
  • Allowing script files in emails.
  • Attacker accessing API.
  • Attacker accessing password files.
  • Attacker accessing private files from a URL link.
  • Attacker accessing system calls.
  • Attacker intruding into machines.
  • Attacker can modify the number of password entry limits.
  • Attacker using auto-run in script files.
  • Attacker using batch files.
  • Attacker using cookies.
  • Attacker using public Wi-Fi access point.
  • Attacker using website phishing.
  • DBMS by-passing OS.
  • Email addresses of users are easy to obtain.
  • Enabling adware to use browser apps.
  • Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
  • Freely available online automation tools.
  • Attacker can use a legitimate machine and infect.
  • Hardware vulnerabilities.
  • Including attachments in emails.
  • Lack of bounds checking in functions.
  • Lack of data validation by developers.
  • Lack of physical security.
  • Malicious insiders.
  • Marketing tools and techniques online.
  • Not validating and authenticating user-entered data.
  • Open ports.
  • Open-source automation tools.
  • Open-source code.
  • Open-source OSs.
  • Open Wi-Fi access at public places.
  • OS vulnerabilities.
  • Protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IP.
  • Providing backdoors in software and hardware.
  • Receiving messages from unauthenticated users.
  • Running downloaded code automatically.
  • Secure sockets layer provided by the OS.
  • Software vulnerabilities.
  • Strong security policies are not applying to private data.
  • System privileges given to DBMS.
  • There is no proper authentication measure to validate users.
  • User accessing fake websites.
  • User clicking an unsolicited link.
  • User downloading a file from an unidentified website.
  • User downloading an unsolicited file.
  • User downloading email attachments.
  • User downloading software.
  • User installing software online.
  • User mistakes or negligence.
  • User using an infected USB.
  • User using infected firmware.
  • Firmware vulnerabilities.
Table 4. Preventive Mechanisms.
Table 4. Preventive Mechanisms.
  • Access control lists (ACL).
  • AI and automation tools.
  • Analyzing security breaches.
  • Anti-virus software.
  • Artificial neural networks.
  • Avoid opening suspicious emails.
  • Avoid using user input directly.
  • Avoiding phishing.
  • Beware of urgency.
  • Blacklist-based.
  • Blocking high-risk applications.
  • Blocking known malware servers.
  • Change file extensions randomly.
  • Change password frequently.
  • Changing DBMS accounts to something else.
  • Check bounds on string functions.
  • Check Website URLs.
  • Provide consistent training and reviews.
  • Controlling database permissions.
  • Controlling external media.
  • Cryptography.
  • Delete web browser caches and cookies.
  • Detection of ARP spoofing.
  • Detection of DNS spoofing.
  • Disable backdoor.
  • Do not click on malicious links.
  • Do not download malicious software.
  • Do not enable cookies and disable options in browser settings.
  • Do not write down passwords.
  • Download software from verified publishers.
  • Email filtering.
  • Enable two-factor authentication.
  • Enforce and manage strong passwords.
  • Firewalls.
  • Flow statistics.
  • Identify all potential insider threats.
  • Identify all third-party data leaks.
  • Identify and protect vulnerable resources.
  • Identity and access management (IAM), such as strong passwords.
  • Implement a Zero Trust Architecture (ZTA).
  • Implement honey tokens.
  • Implement proper access management.
  • Implement strict shadow IT rules.
  • Implementing NAC (Network Access Control).
  • Incident response plan (IRP).
  • Information entropy.
  • Input validation.
  • IP spoofing defense.
  • Keep operating systems up to date.
  • Layered defense for a strong security posture.
  • Limit access permissions.
  • Limit the number of attempts to enter a correct password.
  • Machine learning-based method.
  • Managing endpoint security.
  • Minimize access to sensitive data.
  • Minimizing the privileges that are given to all database accounts.
  • Monitor activity.
  • Monitor vendor networks for vulnerabilities.
  • Network and host hardening.
  • No same password for all accounts.
  • Penetration testing.
  • Perform static code analysis.
  • Plan ahead of security attacks.
  • Prohibiting DBA or admin access to applications.
  • Protect code segment.
  • Protecting valuable data.
  • Ransomware detection techniques.
  • Rate limiting.
  • Regularly backup digital records.
  • Report suspicious activity.
  • Reset web browser settings.
  • Rootkit scanners.
  • Scan URLs.
  • Scanning code for SQL injection vulnerabilities.
  • Scanning system and USBs.
  • Scrutinize website design.
  • Secure privileged access management.
  • Send regular third-party risk assessments.
  • Spyware algorithm detection.
  • SSL/TLS solutions.
  • Statistical analysis.
  • Take password protection seriously.
  • TCP proxies.
  • TPM (Trusted Platform Module).
  • Uninstall adware.
  • URL encoding.
  • Use honeypot.
  • Use the latest OS, programming languages, and compilers.
  • Use offensive security measures.
  • Use password-less authentication.
  • Use password managers.
  • Use user behavior analytics for accessing private data.
  • Using an ORM framework.
  • Using bot manager.
  • Using IDS and IPS.
  • Using prepared statements.
  • Using properly constructed stored procedures.
Table 5. The conventional root causes applicable to BMC systems.
Table 5. The conventional root causes applicable to BMC systems.
Seq.Conventional Root CauseApplicability to BMC
BMC Preventive Mechanism
Reference
1Allowing attackers to flood requestsNO: uses stateless server and lean UDP protocol[56]
2Allowing script files in emailsNO: script files are not allowed in emailsSection 3.5.1
Item #14
3Attacker accessing APINO: Direct Hardware API (HAPI) is not available externally (NO OS)Section 3.5.2
Item #8
4Attacker accessing password filesNO: A single bare machine at a time is used by a single user; no passwords are stored in the bare machine.Section 3.5.2
Item #28
5Attacker accessing private files from a URL linkYES: Uses URL encoding and limits access permissions such as conventional systems.Table 4
Items #51, #86
6Attacker accessing system callsNO: No system calls are available externally; only HAPI is used by applicationsSection 3.5.2
Item #8
7Attackers intruding into machinesNO: A machine is bare; while running one user, another user cannot run an applicationSection 3.5.2
Item #2
8Attacker is able to modify the number of password entry limitsNO: Not ApplicableSection 3.5.2
Item #28
9An attacker using auto-run in script filesNO: script files are not allowedSection 3.5.1
Item #14
10Attacker using batch filesNO: A batch file is not allowed; only bare applications runSection 3.5.1
Item #14
11Attacker using cookiesNO: Cookies are not allowedSection 3.5.1
Item #20
12Attacker using public Wi-Fi access pointNO: Wireless is not allowed at this point.Section 3.5.1
Item #13
13Attacker using Website phishingNO: (1) In emails, website links are not allowed. (2) Only bare-to-bare users communicate on the bare Internet. Although it is applicable but prevented in both of the above two cases.Section 3.5.1
Item #18
14DBMS bypassing OSNO: Not possible (No OS)Section 3.5.2
Item #1
15Email addresses are easily obtainedNO: Issuing of email addresses for bare users is restricted and physically controlled by a bare email administrator.Section 3.5.2
Item #23
16Enabling Adware to use Browser AppsNO: No advertisements are allowed.Section 3.5.1
Item #17
17Freely available educational resources on cybersecurity vulnerabilities and attack techniques.NO: no free education. One of the main reasons for speedy cyberattacks is due to the fastest way to learn attacking techniques freely using the Internet.Section 3.5.1
Item #6
18Freely available online automation toolsNO: A closed system, no freely available automation tools.Section 3.5.1
Item #19
19Allowing attackers to use a legitimate machine and infectNO: All legitimate machines are bare; nothing to infect them.Section 3.5.2
Item #21
20Hardware vulnerabilitiesNO: Cannot get to hardware, as HAPI is not available outside running applications. As the machine is bare, physical attacks can only damage the machine.Section 3.5.2
Item #21
21Including attachments in emailsNO: Attachments are not allowed.Section 3.5.1
Item #15
22Lack of bounds checking in functionsNO: All string functions are strictly enforced for bound checking.Table 4
Item #16
23Lack of data validation by programmersYES: No exposure of attacks; all data entered by users is checked for valid data and data types. Strict data checking is conducted at a programming level. All bare code is developed as one homogeneous entity; there is no third-party software, no external models.Table 4
Item #47
24Lack of physical securityYES: Physical security is required when a user is running an application suite on a bare machine (this is a mandatory requirement in the BMC paradigm). Otherwise, there is no need for physical security because the machine is bare.Section 3.5.2
Item #21
25Malicious insidersYES: All insiders must be properly authorized and trusted; otherwise, there is no security for any system.Section 3.5.2
Item #23
26Marketing tools and techniques onlineNO: Marketing tools and techniques are not online.Section 3.5.1
Item #17
27Not validating and authenticating user entered dataYES: User entered data must be validated and authenticated.Table 4
Item #47
28Open portsNO: There are no open ports.Section 3.5.2
Item #10
29Open-source automation toolsNO: There are no open-source automation tools.Section 3.5.1
Item #19
30Open-source codeNO: Not allowed.Section 3.5.1
Item #2
31Open-source OSsNO: No OS.Section 3.5.2
Item #1
32Open Wi-Fi access at public placesNO: Wi-Fi is not allowed at this point.Section 3.5.1
Item #13
33OS vulnerabilitiesNO: No OS.Section 3.5.2
Item #1
34Protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IPNO: We limit our protocols to Ethernet and IP. The other protocols are not available outside the application running on the machine. Furthermore, there are no protocol layers. These protocols are implemented within the bare application. The attacker does not have the path to invoke these protocols. Although IP spoofing can be conducted, the attacker does not have bare user authentication. Bare user authentication is used in every packet, encrypted and validated for each message transmission.Section 3.5.2
Item #27
35Providing backdoors in software and hardwareNO: Do not allow any backdoors.Section 3.5.1
Item #2
36Receiving messages from unauthenticated usersNO: Only communicate with the authentication users.Section 3.5.2
Item #23
37Running a downloaded code automaticallyNO: There is no downloading code, although there is no dynamic linking and loading to run a code. The bare code is statically compiled.Section 3.5.2
Item #5, #6
38Secure socket layer provided by OSNO: No socket concept.Section 3.5.2
Item #9
39Software vulnerabilitiesYES: Buffer overflow was discussed in items 22 and 23. There could be possible programming errors; however, the intruder has no access to modify or exploit injecting new code due to static binding. There are no deserialization issues as intruder has no access to the flow control of application. Overall, any software vulnerabilities cannot cause any harm as the application code is statically bound.Section 3.5.2
Item #5, #6
40Strong security policies not applying to private dataYES: Only if the attacker is an insider.
41System privileges given to DBMSNO: No OS. DBMS is part of an application suite.Section 3.5.2
Item #1
42There is no proper authentication measure to validate usersNO: All users are properly authorized and authenticated.Section 3.5.2
Item #23
43User accessing fake websitesNO: Not applicable (Only access legitimate and authenticated bare websites)Section 3.5.1
Item #18
44User clicking an unsolicited linkNO: No downloads in emails; no website links in emails (only access legitimate and authenticated bare websites using the Bare Internet)Section 3.5.2
Item #19
45User downloading a file from an unidentified websiteNO: No online downloading (only access legitimate and authenticated bare websites using the Bare Internet)Section 3.5.2
Item #19
46User downloading an unsolicited fileNO: No online downloading (only access legitimate and authenticated bare websites using the Bare Internet)Section 3.5.1
Item #18
47User downloading email attachmentsNO: No attachments in emails.Section 3.5.1
Item #15
48User downloading softwareNO: No online downloading for software (Use CDs/USBs from authenticated bare application providers)Section 3.5.2
Item #19
49User installing software onlineNO: No installation software online.Section 3.5.1
Item #12
50User mistakes or negligenceYES: All bare users must be properly trained to handle sensitive data.Section 3.5.1
Item #11
51User using an infected USBNO: Dual USBs (one for booting and second for application). Both USBs must be physically secure.Section 3.5.2
Item #25
52User using infected firmwareNO: Bundled with a domain-specific application suiteSection 3.5.2
Item #26
53Firmware vulnerabilitiesNO: Bundled with a domain-specific application suiteSection 3.5.2
Item #26
Table 6. The conventional preventive mechanisms applicable to the BMC system.
Table 6. The conventional preventive mechanisms applicable to the BMC system.
Seq.Conventional Preventive MechanismsApplicability to BMC
1Access Control Lists (ACL)YES
2AI and automation toolsYES
3Analyzing security breachesYES
4Anti-Virus softwareNO: No OS.
5Artificial neural networksYES
6Avoid opening suspicious emailsYES
7Avoid using user input directlyYES
8Avoiding phishingYES
9Beware of urgencyNO: Not applicable
10Blacklist-BasedNO: Not applicable, not needed since only communicates with trusted bare users.
11Blocking high-risk applicationsNO: only runs intended domain-specific application suite
12Blocking known malware serversNO: No OS; malware cannot be downloaded and it cannot communicate with domain-specific application suite.
13Change file extensions randomlyNO: Not applicable. Attackers Do not have access to file Hardware API (HAPI)
14Change password frequentlyYES
15Changing DBMS accounts to something elseNO: Not applicable. No OS, database application is part of bare domain-specific application suite.
16Check bounds on string functionsYES. Uses only functions with bounds checking.
17Check Website URLsYES
18Consistent trainings and reviewsYES
19Controlling database permissionsYES
20Controlling external mediaYES
21CryptographyYES
22Delete web browser caches and cookiesNO: Not applicable. Cookies are not allowed.
23Detection of ARP SpoofingYES
24Detection of DNS SpoofingYES
25Disable backdoorYES
26Do not click on malicious linksYES
27Do not download malicious softwareNO: Not applicable. Downloads are not allowed.
28Do not enable cookies and disable options in browser settingsNO: cookies are not allowed.
29Do not write down passwordsYES
30Download software from verified publishersNO: Not applicable.
31Email filteringYES
32Enable two-factor authenticationNO: Not applicable.
33Enforce and manage strong passwordsYES
34FirewallsNO: No OS.
35Flow statisticsYES
36Identify all potential insider threatsYES
37Identify all third-party data leaksYES
38Identify and protect vulnerable resourcesYES
39Identity and access management (IAM), such as strong passwordsYES
40Implement a Zero Trust Architecture (ZTA)NO: By default, the BMC system is built based on the Zero Trust concept.
41Implement Honey tokensNO: No OS.
42Implement proper access managementYES
43Implement strict shadow IT rulesNO: Not applicable.
44Implementing NAC (Network Access Control)YES
45Incident Response Plan (IRP)NO: Not applicable.
46Information entropyYES
47Input validationYES: Checks for data type and size.
48IP Spoofing DefenseYES
49Keep operating systems up to dateNO: Not applicable since there is no OS.
50Layered defense for a strong security postureYES
51Limit access permissionsYES
52Limit the number of attempts to enter the correct passwordYES
53Machine Learning-Based MethodYES
54Managing endpoint securityYES
55Minimize access to sensitive dataYES
56Minimizing the privileges that are given to all database accountsNO: Not applicable; no OS, database application is part of bare domain-specific application suite.
57Monitor activityYES
58Monitor vendor networks for vulnerabilitiesYES
59Network and host hardeningYES
60No same password for all accountsYES
61Penetration testingYES: Applicable to applications only, as there is no OS
62Perform static code analysisYES
63Plan ahead of security attacksYES
64Prohibiting DBA or Admin access to applicationsNO: Not applicable
65Protect code segmentYES
66Protecting valuable dataYES
67Ransomware Detection TechniquesNO: Not applicable; no OS.
68Rate LimitingYES
69Regularly backup digital recordsYES
70Report suspicious activityYES
71Reset web browser settingsNO: Not applicable
72Rootkit scannersNO: Not applicable; no OS.
73Scan URLsYES
74Scanning code for SQLI vulnerabilitiesYES
75Scanning system and USBsYES
76Scrutinize website designYES
77Secure Privileged Access ManagementNO: No OS. All user accesses are part of domain-specific suite.
78Send regular third-party risk assessmentsNO: No third-party software allowed.
79Spyware algorithm detectionNO: This algorithm is part of a domain-specific application.
80SSL/TLS SolutionsNO: Not sockets. TLS is part of a domain-specific application.
81Statistical analysisYES
82Take password protection seriouslyYES
83TCP ProxiesNO: Proxies are not allowed.
84TPM (Trusted Platform Module)NO: The BIOS is bundled with application suites.
85Uninstall adwareNO: Not applicable. Adware is not allowed.
86URL encodingYES
87Use HoneypotNO: Not applicable; no OS.
88Use the latest OS, Programming languages, and CompilersNO: Not applicable; no OS. Need to use the latest programming languages and compilers.
89Use offensive security measuresYES
90Use Password-less authenticationYES
91Use password managerNO: Not applicable; no OS.
92Use user behavior analytics for accessing private dataYES
93Using an ORM FrameworkNO: Not applicable
94Using Bot ManagerNO: No OS
95Using IDS and IPSNO: No OS
96Using Prepared StatementsYES
97Using properly constructed stored proceduresYES
Table 7. Evaluation of Bare Machine Computing (BMC) for cyberattacks.
Table 7. Evaluation of Bare Machine Computing (BMC) for cyberattacks.
#Type of AttackRoot CauseBMC (Guidelines, Characteristics, and Preventive Mechanisms)Prevents Root Cause
(Yes/No)
Prevents Attack
(Yes/No)
1Buffer Overflow
  • Lack of bounds checking in functions
Uses only functions with bounds checking.
Table 4, Item 16
YesYes
2.
Lack of input validation and sanitization by programmers
Checks for data type and size.
Table 4, Item 47
Yes
2Phishing
  • User clicking an unsolicited link
No Attachments and Links in emails BMC Guidelines (15)YesYes
2.
User downloading an unsolicited file
No downloads are allowed. BMC Characteristics (19)Yes
3.
Running a downloaded code
4.
Receiving messages from unauthenticated users
Each message contains encrypted bare user authentication, which is given in person. BMC Characteristics (24)Yes
5.
Email addresses of users are easy to obtain
Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23)Yes
6.
Including attachments in emails
No Attachments and Links in emails BMC Guidelines (15)Yes
7.
Attacker using Website phishing
Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23)
3Ransomware
  • User downloading email attachments
No downloads are allowed. BMC Characteristics (19)YesYes
2.
User downloading a file from an unidentified Website
3.
Running a downloaded code automatically
4.
Attacker accessing OS API
There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8)Yes
5.
Attacker exploiting hardware vulnerabilities
A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare BMC Characteristics (21)Yes
6.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Education and Knowledge: Restricted to authorized bare users.
BMC Guidelines (6)
Yes
4DOS & DDOS
  • Allowing attackers to use a legitimate machine and infect
A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. BMC Characteristics (21)YesYes
2.
Allowing attackers to flood requests
Rate Limiting.
Table 4, Item 68
Yes
3.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Free Education: is not allowed. BMC Guidelines (6)Yes
5MitM
  • Attacker using public Wi-Fi access point
Currently Wi-Fi is not supported. BMC Guidelines (13)YesYes
2.
Secure socket layer provided by OS
No sockets exist in the BMC paradigm as there is no OS. BMC Characteristics (1 and 9)Yes
3.
Protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IP
Network Interfaces and Protocol Vulnerabilities. BMC Characteristics (17 and 27)Yes
4.
Open-source automation tools
Automated tools are designed to work with only bare computing devices and applications. BMC System Guidelines (19)Yes
5.
Open-source OSs
No operating system. BMC Characteristics (1)Yes
6.
There is no proper authentication measure to validate users
Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23)Yes
7.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Education and Knowledge: Restricted to authorized bare users.
BMC Guidelines (6)
Yes
6Password
  • OS vulnerabilities
No operating system. BMC Characteristics (1)YesYes
2.
Attacker modifying the number of password entry limits
No password files are stored in bare machines. BMC Characteristics (28)Yes
3.
Attacker accessing password files
4.
Attacker accessing OS API
There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8)Yes
5.
Attacker accessing system calls
7Trojan Horse
  • User downloading software
No downloads are allowed. BMC Characteristics (19)YesYes
2.
Running a downloaded code automatically
3.
OS vulnerabilities
No operating system. BMC Characteristics (1)Yes
4.
Attacker accessing system calls
There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8)Yes
5.
Attacker accessing OS API
6.
An attacker using autorun in script files
Script files are not allowed. BMC Guidelines (14)Yes
8Viruses
  • User downloading email attachments
No downloads are allowed. BMC Characteristics (19)YesYes
2.
User downloading software
3.
User accessing fake websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
4.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
5.
Allowing script files in emails
Scripts and batch files are not allowed. BMC Guidelines (14)Yes
6.
Attacker using batch files
7.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
9Worms
  • User downloading software
No downloads are allowed. BMC Characteristics (19)YesYes
2.
User downloading email attachments
No Attachments and Links in emails BMC Guidelines (15)Yes
3.
User accessing fake Websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
4.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
5.
Allowing script files in emails
Script and batch files are not allowed. BMC Guidelines (14)Yes
6.
Attacker using batch files
7.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
10Spyware
  • User downloading software
No downloads are allowed. BMC Characteristics (19)YesYes
2.
User downloading email attachments
No Attachments and Links in emails BMC Guidelines (15)Yes
3.
User accessing fake Websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
4.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
5.
Allowing script files in emails
Script and batch files are not allowed. BMC Guidelines (14)Yes
6.
Attacker using batch files
Script and batch files are not allowed. BMC Guidelines (14)Yes
7.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
11Adware
  • User downloading software
No downloads are allowed. BMC Characteristics (19)YesYes
2.
User downloading email attachments
No Attachments and Links in emails BMC Guidelines (15)Yes
3.
User accessing fake Websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
4.
Enabling adware to use browser apps
Advertisements are not allowed. BMC Guidelines (17)Yes
5.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
6.
Attacker using cookies
Cookies are not allowed. BMC Guidelines (20) Yes
12Rootkits
  • User installing software online
Online installation is not allowed. BMC Guidelines (12) Yes
2.
User downloading software
No downloads are allowed. BMC Characteristics (19)Yes
3.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
4.
User accessing fake websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
5.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
6.
User using infected firmware
Bundled with the domain-specific application suite. BMC Characteristics (26)Yes
7.
Firmware vulnerabilities
8.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Education and Knowledge: Restricted to authorized bare users.
BMC Guidelines (6)
Yes
13Botnets
  • Software vulnerabilities
Yes, however, these software vulnerabilities cannot be exploited by the attacker as the domain-specific application suite is statically bounded.
BMC Characteristics (2 and 5)
YesYes
2.
User downloading software
No downloads are allowed. BMC Characteristics (19)Yes
3.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
4.
Open ports
There are no open ports in BMC applications.
BMC Characteristics (10)
Yes
14Data Breaches
  • User mistakes or negligence
Yes: BMC Guidelines (11).
Table 4, Item 18
NoNo, these threats are related to physical security abuse.
2.
Malicious insiders
Yes, all insiders must be properly authorized and trusted. Otherwise, there is no security for any system.
BMC Characteristics (23)
No
3.
Lack of physical security
Yes: Physical security is required when a user is running an application suite on a bare machine (this is a mandatory requirement in the BMC paradigm). Otherwise, there is no need for physical security because the machine is bare.
BMC Characteristics (21)
No
4.
User downloading software
No downloads are allowed. BMC Characteristics (19)Yes
15Advanced Persistent Threats
  • User downloading software
No downloads are allowed. BMC Characteristics (19)Yes
2.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
3.
User accessing fake websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
4.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
5.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Education and Knowledge: Restricted to authorized bare users.
BMC Guidelines (6)
Yes
16SQL Injection
  • System privileges given to DBMS
No operating system. BMC Characteristics (1)YesYes
2.
DBMS by-passing OS
The DBMS is part of the specific-domain application suite. BMC Characteristics (2)Yes
3.
Not validating and authenticating user-entered data
Each message contains encrypted bare user authentication, which is given in person. BMC Characteristics (24)Yes
17Supply Chain
  • Providing backdoors in software and hardware
There are no hardware backdoors, as the devices are bare and physically secured. There are no software backdoors, as the domain-specific application suite can only perform intended functions. BMC Guidelines (2) and BMC Characteristics (2)YesYes
2.
OS Vulnerabilities
No operating system. BMC Characteristics (1)Yes
3.
Open-source code
It is a closed system. BMC Guidelines (2)Yes
4.
User downloading software
No downloads are allowed. BMC Characteristics (19)Yes
5.
User using an infected USB
Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25)Yes
6.
User accessing fake Websites
Only access to authenticated bare websites. BMC Guidelines (18)Yes
18URL Interpretation
  • Attacker accessing private files through a URL link
Uses URL encoding and limited access permissions.
Table 4, Items 51, 86
YesYes
19Insider Threats
  • Strong security policies not applying to private data
Yes, if the attacker is an insiderNoNo
2.
User mistakes or negligence
Yes: BMC Guidelines (11). Table 4, Item 18No
3.
Freely available educational resources on cybersecurity vulnerabilities and attack techniques
Education and Knowledge: Restricted to authorized bare users.
BMC Guidelines (6)
Yes
20Eavesdropping
  • Freely available online automation tools
Automated tools are designed to work with only bare computing devices and applications. BMC System Guidelines (19) YesYes
2.
Open Wi-Fi access at public places
Currently Wi-Fi not supported. BMC Guidelines (13)Yes
21Cookies
  • Marketing tools and techniques online
Advertisements are not allowed. BMC Guidelines (17) YesYes
2.
Attackers are intruding into machines
A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. When one application suite is running, another one cannot run, thus there is no intrusion from other applications. BMC Characteristics (21)Yes
22Social Engineering
  • Marketing tools and techniques online
Advertisements are not allowed. BMC Guidelines (17) YesYes
2.
Attackers are intruding into machines
A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. When one application suite is running, another one cannot run, thus there is no intrusion from other applications. BMC Characteristics (21)Yes
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Alotaibi, F.; Karne, R.K.; Wijesinha, A.L.; Soundararajan, N.; Rangi, A. An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks. J. Cybersecur. Priv. 2024, 4, 678-730. https://doi.org/10.3390/jcp4030033

AMA Style

Alotaibi F, Karne RK, Wijesinha AL, Soundararajan N, Rangi A. An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks. Journal of Cybersecurity and Privacy. 2024; 4(3):678-730. https://doi.org/10.3390/jcp4030033

Chicago/Turabian Style

Alotaibi, Fahad, Ramesh K. Karne, Alexander L. Wijesinha, Nirmala Soundararajan, and Abhishek Rangi. 2024. "An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks" Journal of Cybersecurity and Privacy 4, no. 3: 678-730. https://doi.org/10.3390/jcp4030033

APA Style

Alotaibi, F., Karne, R. K., Wijesinha, A. L., Soundararajan, N., & Rangi, A. (2024). An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks. Journal of Cybersecurity and Privacy, 4(3), 678-730. https://doi.org/10.3390/jcp4030033

Article Metrics

Back to TopTop