An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks
Abstract
1. Introduction
- Buffer Overflow: A buffer overflow is a condition that exists when a program can put more data in the buffer than its allocated size. According to [8], “buffer overflow attacks played a major role in the propagation of malicious worms from machine to machine”.
- Phishing: This is one of the most used attacks in the cybersecurity world. Social engineering techniques are mostly used in phishing attacks [9]. Attackers persuade or lure users to share private information that can be used later to exploit their personal accounts, such as banking, credit cards, social security information, and personal assets. They can also use this information to damage their computer system.
- Ransomware: Ransomware is malware that captures the victim’s data or device and renders it unusable until some ransom amount is paid. There are two types of ransomware: locker and cryptographic [10]. Locker ransomware is intended to lock users out of the computer or delete files. Cryptographic ransomware encrypts files with the attacker’s keys and demands a ransom to recover them. The main goal of ransomware is to extort money from victims.
- Denial of Service (DoS): DoS [11] is an attack that can flood a victim’s server with a variety of packets, such as UDP, SYN, HTTP, and ICMP. The goal is to slow down or crash the machine completely. The same attack can be carried out on a server using distributed systems known as distributed denial of service (DDoS) [11] to accomplish a larger and faster attack on a victim.
- Man in the Middle (MitM): MitM [12] involves an attacker successfully inserting themselves between two communicating parties. The attack can be conducted within the same network or on the Internet. There are a variety of ways to conduct a MitM attack using protocols such as ARP, DNS, ICMP, DHCP, SSL/TLS, and BGP.
- Password: This is the most common and obvious way to attack computer systems or smartphones. The attackers use a variety of techniques, including brute force, dictionary, phishing, shoulder surfing, key loggers, video recording, replay, credential stuffing, and password spraying [13].
- Trojan Horse: This is a malicious program in the guise of a standard harmless program. It can initiate actions without the user’s approval once it is installed. Trojan horse attacks involve hiding a hacking program and dispatching it at the right time. There are many such Trojan horse techniques [14], including ArcBombs, Backdoors, Banking Trojans, Clickers, DDoS, Downloaders, Droppers, FakeAV, Game Thieves, Instant Messaging, Loaders, Mail Finders, Notifiers, Proxies, Password-stealing ware, and SMS. Almost any software is vulnerable to Trojan horse attacks.
- Virus: A virus is malicious code that attaches to a host’s executable file. The code executes whenever the file is opened. When the infected file is sent across computer systems, the virus spreads [15]. They are usually spread through emails or shared mass storage devices.
- Worm: A worm is a type of malware that replicates itself and spreads across computers without any interaction from the user [16]. They consume memory and network resources, thus causing the system to hang. They can also allow access to attackers remotely.
- Spyware: This is software secretly installed on the victim’s computer or a computer belonging to an organization that monitors and gathers information on a user’s online activity, websites visited, and other personal information. Spyware, also known as privacy-invasive software, is a prevalent issue in today’s computing landscape, often installed without a user’s full knowledge or consent [17].
- Adware: This is a kind of spyware that runs unwanted advertisements and may contain malware that can get installed on the user’s computer when the user clicks on the links [18]. It could also be installed due to unintentional drive-by downloads.
- Rootkit: This is a software tool used to take over control of the intended computer and run commands on it with administrator privileges as it operates inside or near the kernel. It can hide keyloggers that capture the keystrokes and steal information such as passwords, credit card numbers, and online banking details [19].
- Botnet: A botnet is a group of interconnected malicious computers that coordinate to attack other machines [20]. A single attacker (botmaster) can create an interconnected robot network (a botnet) with malicious code and control it for attacking. The attacker can initiate various types of cyberattacks, such as DDoS, phishing, click fraud, and spam.
- Data Breach: A data breach is when unauthorized personnel gain access to sensitive data or confidential information. Some examples of sensitive data include social security information, bank accounts, healthcare data, and corporate information. Sensitive information can be stored in paper files, hard disks, thumb drives, and intellectual property. In these attacks, the confidentiality of breached data is lost [21].
- Advanced Persistent Threat (APT): An APT remains undetected for an extended period after an attacker gains unauthorized access to a computer network [22]. This is a sequential and long-term attack that persists in the system. These attackers have a planned goal consisting of theft of data, gaining access to system resources, using social engineering techniques to lure users, staying in the system as long as possible, and moving around the system with the best attacking strategy without being noticed by any existing preventive tools.
- SQL Injection: This attack consists of accepting SQL queries as inputs into a vulnerable database system that leads to exploitation of the database. The malicious SQL query allows the attacker to gain unauthorized access to the database. An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application [23]. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases issue commands to the OS.
- Supply Chain: A supply chain attack [24] is one in which many vendors in the chain are rendered vulnerable when a single vendor is compromised. The attackers can obtain maximum benefit by concentrating their attack on a single vendor and then gain access to global data through the chain of connected vendors. A supply chain system consists of many vendors for a given customer. If one of the vendors is breached or attacked in the chain, it may influence other vendors. One of the vendors may have been breached due to security vulnerabilities in their site. When there are many suppliers, one or more of them may be prone to security vulnerabilities. Multiple targets can be compromised from a single vendor.
- URL Interpretation: URL interpretation [25] exploits the vulnerability of URLs by changing and manipulating the URL meaning without changing or altering the syntax, which allows the attackers to access unauthorized data from the server associated with the URL. Attackers can alter and fabricate URL addresses to access victims’ private data and information. It is also known as URL poisoning. An attacker may use this fake URL to gain administrative privileges and launch other attacks.
- Insider Threat: Insider threats [26] happen when employees within an organization have privileged access to critical information and misuse their credentials for personal gain. This could render the organization system vulnerable to security attacks. These employees may have current credentials to access private data at an employer site. They may be seeking financial gains to extort the employer using the accessed private data.
- Eavesdropping: Eavesdropping [27] is stealing transmitted information over an unsecured network. It consists of capturing network traffic. The attacks can be static or modification attacks. In static attacks, the data may be used later to capture valuable information. In modification attacks, the data are only useful if an attacker can modify it while the communication is in progress. A MitM attack can be used with the captured data.
- Cookies: Cookies contain information about a machine, sites browsed, clicks made, location, and possibly login information [28]. Attackers can steal or hijack a cookie and capture this data. When a user visits a website, cookies may be enabled to play advertisements and capture the user’s browser activity. Although cookies help speed up access to visited websites, they help attackers piggyback malicious programs along with legitimate ads.
- Social Engineering: These attacks [29] are used to convince a victim to share private data or perform some actions that will enable an attacker to inject some illegitimate code into the system. This is one of the ways attackers can install malware on the victim’s site.
2. Conventional Systems
2.1. Conventional System Guidelines
- System Approach: Over a 50-year period, computer architectures have been following an evolutionary path in processors and OSs, which are the backbone of all computing and information systems.
- Open Systems: During the 1960–1990 period, most computer and information systems were closed systems and proprietary in nature, thus protecting a given industry’s intellectual property. These systems and their know-how were limited to confidential and authorized users based on their need-to-know policy. Due to the emergence of the Internet and globalization, most of the systems and their knowledge became open to the world. While an open system allows for easier resolution of security vulnerabilities, it also means that attackers and developers have access to the same information, which implies that it is not more secure.
- Global Focus: Many information systems are architected, designed, and implemented for a global market, as this market is much larger than a given country’s local market. This resulted in large-scale commercialization on the Internet and more revenues and profits for related industries.
- Global Users: Computer and information system users are all over the world, and they are not always easily identifiable and trackable.
- Equal Access: With an Internet connection, any global user has access to most information on the Internet; this includes attackers as well.
- Learning and Knowledge: Information about system internals and system security is often posted on the web. This helps the attackers to easily access the information they need at a faster pace. Defenders also put problems and fixes on the Internet as soon as they are discovered. This enables attackers to create new attacks with less effort. The following two quotations from [34] clearly illustrate the side effects of free learning and knowledge on the Internet. (a) “Open-source Intelligence (OSINT) tools could gather data from various publicly available platforms and thus help hackers identify vulnerabilities and develop malware and attack strategies against targeted CI sectors.” (b) “OSINT tools: indirect reconnaissance data, proof-of-concept codes, and educational materials. The thematic results from this study reveal an increasing amount of open-source information useful for malicious attackers against industrial devices, as well as the need for programs, training, and policies required to protect and secure industrial systems and CI”.
- Unrestricted Internet access: Many Internet and web applications are available for all users worldwide with an Internet connection. Advertisements swamp systems almost instantly after access to the Internet. Searching online for a particular product or service immediately results in advertisements for related products or services. The advertisements may continue persistently for an extended period. This may be beneficial for some users to quickly learn about products and services. Still, it has many side effects, including a waste of time for users, distraction from a user’s current tasks, and loss of privacy of email addresses, phone numbers, and other personal information. Personal information shared with online vendors to conduct any transaction on the Internet may be distributed to other vendors.
- Layered Systems: All computer and information systems are layered with respect to architectures, protocols, interfaces, and security. Attackers may exploit these layers to suit their attack environment.
- Heterogeneity: Current computer and information systems encourage heterogeneity at every stage of building computer and information systems, assuming that it will promote innovation and productivity [35]. Instead, heterogeneity and incompatibility at every level interfere with the main goal of building end-user applications. With today’s high-performance processors and cheap hardware, the small performance gains that heterogeneity buys no longer pay off as they once did. There is a need to reduce heterogeneity by developing basic building blocks for computing at every level that are long-lived. Heterogeneity exists in processors, OSs, protocols, user interfaces, programming languages, hardware, and software, including third-party software. This increases the complexity of computers and information systems [36] and provides more avenues for attackers to exploit cybersecurity vulnerabilities.
- User/Developer Convenience: User convenience takes higher priority over other design issues in defining system guidelines. For example, it is convenient for users to choose a short-length PIN code for bank transactions, which may not be secure. Online teaching is convenient for faculty and students, but it may not be secure. As it is convenient for businesses to use the Internet for all transactions, physical security and privacy may be ignored. Many online transactions require personal information, causing a loss of privacy. In fact, without a smartphone, it is impossible to do many Internet transactions today. These actions may indirectly result in system vulnerabilities and cybersecurity weaknesses. In addition, developer conveniences, such as using a different programming language for a special purpose, using DLLs, downloading files and software, remote logins, remote administration, and third-party software, may also affect cybersecurity [37].
- Training: All users and customers must obtain training as needed.
- Software Installation: This is conducted online due to convenience and frequent changes.
- Wi-Fi: Wireless connections are commonly used for computing devices such as a mouse, keyboard, headphones, and Internet access. Most Internet transactions are conducted using Wi-Fi and often with a smartphone.
- Scripts and Batch Files: Scripts and batch files are used by administrators locally and remotely for convenience. This enables them to work remotely.
- Attachments and Links: Email attachments are commonly used for convenience. Web links are also allowed in the emails for user convenience.
- Social Media Platforms: They have become a part of everyday lives due to globalization, enabling speedy communication and sharing of information online.
- Advertisements: There are advertisements appearing continually in social media, smartphones, TVs, computers, and websites.
- Unsolicited Web Sites: Mostly for commercial and marketing reasons, unsolicited links to websites frequently appear in email and other Internet applications. It is not easy to distinguish between a link to a good site or a bad one.
- Automated Tools: Automated tools such as Wireshark and reverse engineering tools such as objdump are available on the Internet. There are many such tools available for attackers to use.
- Cookies: Cookies are used to track visits to websites for marketing purposes and user convenience, but they can also be used to launch malware.
2.2. Conventional System Characteristics
- OS/Kernel/Embedded: Most systems have an OS or kernel. They can also be embedded systems. Due to the complexity and size of modern OSs, lean operating systems were designed to improve security and reduce complexity. Some middleware (e.g., the OS) makes software systems easy to build and isolates programmers from hardware intricacies.
- Applications: Computer and information system applications are platform-centric and computing device-dependent. No proper abstractions have been used to build applications. Thus, applications are redundant on different platforms. A web browser on a smartphone is different from that on a PC. Email systems are also different on various platforms. Due to this redundancy and lack of proper abstractions, an end-user application may be duplicated many times, resulting in a large application space.
- Programming Languages: Multiple programming languages are used in conventional systems. Different languages are often chosen based on the type of application, programmer’s skills, convenience, and performance. Performance differences matter less as processor speeds keep increasing over short periods.
- Executables: Different operating systems support different executable formats. Some applications may have many executables, thus creating multiple address spaces. Inter-module communication may require message passing between modules.
- Linking: Dynamic linking is used for many reasons. It reduces the executable sizes, as some modules can be linked at runtime. It is also convenient, as the compiler does not know where the system libraries and other modules are loaded in memory at compile-time. In addition, in multi-module design, the interfaces to other modules are not known at compile time.
- Loading: Dynamic loading and linking are related. Dynamic loading at run time is also very convenient, as noted above for linking. In modern OSs, dynamic loading and linking (DLL) is commonly used to make the executables smaller and to enable use of external modules as needed at run time.
- Multi-tasking: Multi-tasking or multi-programming is necessary for all computing systems, as the CPU cannot be kept busy all the time. Most programs need I/O; they cannot run when an I/O request is pending. In conventional systems, when one program is idle, other programs and the OS can run. A given program may not be running alone until its completion.
- System Calls/API: OSs provide system calls to communicate with the hardware. OSs also provide APIs, enabling programmers to access hardware interfaces. System calls use interrupts to invoke OS services.
- Sockets: Operating systems provide socket interfaces to communicate between processes within a node or with a remote node.
- Open Ports: When a packet arrives at an OS, it uses the destination port number in the packet to deliver the packet to its application. A given application running in the machine uses a designated port number to communicate with other nodes. There may be some ports open in an OS to accommodate unexpected applications running in the machine.
- During Execution: In an OS environment, a given application, other applications, and OS processes and threads run concurrently. Some of them may interact with others intentionally or unintentionally.
- Event/Interrupt Driven: Most conventional systems use event-based and interrupt-based processing.
- Shared Memory/Message Passing: Both are used for local communication, and message passing is used for remote communication.
- Concurrency Control: Inter-process communication in an OS environment may require concurrency control mechanisms. Locking and semaphores are used to handle concurrency.
- I/O: Most I/O is interrupt-driven in an OS.
- Third-Party Software: Usually, there is software from many vendors in current systems.
- Network Interfaces: Protocols such as TCP or QUIC have many interactions between a server and a client during connection establishment, data transfer, and connection termination. Security protocols such as TLS also require many interactions to ensure secure data transfer.
- Internet Communication: In conventional systems, most communications are conducted through the global Internet. There are billions of users on the Internet while a given communication is in progress.
- Internet Downloads: For convenience and data sharing, users download software, applications, files, pictures, private data, etc. on the Internet. During downloads, a user may have to enter personal data, resulting in a loss of privacy.
- IoT: The IoT is growing at an exponential rate. Currently, there are 17 billion IoT devices [38].
3. Bare Machine Computing (BMC) Systems
3.1. BMC Paradigm
3.2. Compilation Process
3.3. Sample Direct Hardware Interfaces
3.3.1. Creating, Inserting, and Running a Task
3.3.2. Reading and Processing an Ethernet Packet
3.4. Summary of the Above Code Snippets
3.5. Properties of the BMC Paradigm
3.5.1. BMC System Guidelines
- System Approach: It is a revolutionary approach that was invented to address obsolescence and security problems. It makes applications independent from the execution environment, and all computing devices are bare.
- Open/Closed System: The BMC is a closed system; injecting an attacker’s code is not possible. Open source must not be confused with open systems. The computing box is bare, and the application running in the bare box is not accessible to hackers. In case hackers create a similar system, they can only hack their own system, not others. If we make an open system, security vulnerabilities are easy to fix, but hackers and developers are at the same knowledge level.
- Global Focus: It has a local focus. It is architected, designed, and implemented to avoid global users.
- User USBs: There are dual USBs (the first for booting and the second for an application suite). Both USBs must be physically secured.
- Equal Access: All bare users have equal access.
- Education and Knowledge: Restricted to authorized bare users.
- Layers: There are no layers at any level.
- Bare Internet: To make BMC viable, a bare Internet concept [43] is introduced. In a bare Internet, all intermediate nodes, such as routers and gateways, must be bare, and they must be physically secured. At present, a bare Internet is overlaid on the existing Internet.
- Heterogeneity: No heterogeneity is allowed in programming languages, hardware, and software. The security of systems and applications is more controllable.
- User/Developer Convenience: User convenience takes lower priority over other design issues in defining system guidelines. For example, a system administrator must physically distribute user accounts to guarantee the authentication of users. This is not convenient, but all other electronic means may not be secure. The BMC systems are not global, and the users are limited within a given domain-specific application. These systems are designed for secure domains, not for a global world. Non-bare users can use conventional systems if BMC systems do not fit their needs. BMC systems provide an alternative approach to current computing systems.
- Training: All authorized bare users must have consistent training and education.
- Software Installation: Online installation is not allowed. There is nothing to install in a bare machine. The user carries secure USBs. These USBs are distributed to authorized bare users by physical means.
- Wi-Fi: Wi-Fi is currently not supported due to its security issues.
- Script and Batch Files: These are not allowed.
- Attachments and Links: Attachments and links are not allowed in emails.
- Social Media Platforms: There is no support for social media applications. Social media can use the conventional Internet, which is isolated from a bare Internet. This approach will reduce the number of users on a bare Internet.
- Advertisements: Advertisements are not allowed. All domain-specific applications and their users are properly authorized and tracked on a bare Internet.
- Unsolicited Websites: Only access to authenticated bare websites is allowed.
- Automated Tools: Automated tools are designed to work with only bare computing devices and applications. Their use is restricted to bare users only.
- Cookies: No cookies are allowed.
3.5.2. BMC Characteristics
- OS/Kernel/Embedded: The OS/kernel/embedded concept is eliminated. There is no such centralized program; each domain-specific application is a self-controlled, self-managed, and self-executed entity. There is no interaction with entities outside an application suite. As there is no OS/kernel, a user carries a flash drive with boot code and a domain-specific application suite. Figure 6 shows a memory map for a flash drive containing a client’s UDP-based chat program.
- Applications: All computer applications are polarized as domain-specific entities. They are independent of any platform. In conventional systems, they are dependent on platforms and execution environments. We have developed and demonstrated numerous domain-specific applications, including web sites, webmail, email, VoIP, text-only browsers, editors, file systems, database applications, and chat. In these systems, there are bare servers and clients that run on bare machines. For example, in the chat domain, there are physically vetted users who communicate in their own domain. All these users are vetted and use bare machines. We use context-based authentication to validate users. This is one example of a domain. All the above domain applications were tested on the Internet with bare servers and clients. On the Internet, domain-specific applications are used to communicate securely within a domain using bare devices.
- Programming Languages: A single programming language (C/C++) is used to write applications, thus avoiding all heterogeneity in writing applications.
- Executable: It is a single monolithic executable, which implies a single address space. Only one executable format is allowed.
- Linking: Uses static linking, which prevents expanding the code segment to load foreign code. This provides ultimate security for the BMC applications, as malware code cannot be linked.
- Loading: Uses static loading, which prevents extending the code segment to load malware code.
- Multi-tasking: Multi-tasking is offered within an application suite controlled by an application programmer through events and its control flow.
- System Calls/API: There are no system calls or APIs available to the outside world (outside an application suite). It uses a direct hardware API, integrated within an application suite.
- Sockets: No sockets exist in the BMC paradigm, as there is no OS. Remote computer communication is implemented within a process and hidden inside an application suite.
- Open Ports: There are no open ports in BMC programs. As it is a domain-specific application suite, IP addresses and port numbers are managed within each application code in a hardcoded manner. This is not visible outside the application suite. When a packet arrives, its corresponding event (pre-defined) will call an appropriate method to process it.
- During Execution: During execution, only one application suite runs. There is no interaction with other application suites or external modules in a bare computing device. No exploits are possible for an attacker.
- Event/Interrupt Driven: The application suite is event-driven. Limited user interrupts are used for input.
- Shared Memory/Message Passing: Only a shared memory approach is used within an application suite.
- Concurrency Control: Concurrency control is avoided by using circular lists. The code is simpler and more directly accessible to the program.
- I/O: There are direct hardware APIs that are hidden within an application suite.
- Third-Party Software: There is no third-party software used in applications.
- Network Interfaces: All network interfaces are hidden from the outside world. Attackers cannot use this direct hardware API.
- Internet Communication: Communication on the Internet is restricted to a bare Internet and its bare users only.
- Internet Downloads: No downloads are allowed.
- IoT: All IoT devices must be bare computing devices and follow the BMC paradigm and its characteristics as described in this paper.
- Application Program Control: A given application has its own control flow as intended at design time.
- Computing Device: A computing device (PC, laptop, smartphone, or other) is bare, meaning that it has no intelligence, no OS, and no mass storage. It cannot boot or run until external media runs the boot code and loads an application suite controlled by the owner. The bare device has no valuable resources. Thus, a bare computing device can be used by any user at any time. When one application suite is running, another one cannot run; therefore, there is no intrusion from other applications. There is nothing in the bare computing device to be attacked, as there are no valuable resources when it is not running. When a bare device is running, it must be physically secured by the owner. Physical security at the bare box is not convenient, but it is required to guarantee security of the device and the running application suite.
- Users: Only bare users can communicate with each other. For a given domain-specific application, there are a limited number of bare users. They must be physically authorized, authenticated, and controllable. We have not defined any formal methods for authentication at this point; however, we can use existing models in banking, driver’s license, etc. Our BMC system is totally controlled by its owner, with physical security. If a trusted user changes roles and tries to exploit other bare systems, this user can only damage his/her own system and not those of others. This is because an owner’s valuable resources can only be accessed by the owner’s application suite. When a BMC application suite is running, it is a closed system that performs only intended functions. In addition, when the roles of trusted users change, their privileges are changed in the system.
- Messages: Each message is encrypted, integrity-protected, and authenticated using credentials physically given to authorized users by an administrator.
- User-Secured USBs: Uses two USBs, one bootable and one with an encrypted application suite. These USBs must be physically secured by a user.
- BIOS/Firmware: Bundled with a domain-specific application suite (not implemented currently).
- Protocols: A bare machine connects to a network via wired Ethernet. Network protocols are limited to IP and UDP (TCP/TLS is used for demonstration only) implemented within the bare application. Other protocols are not available outside the application running on the machine. Each application communicates only with its peers to ensure reliability and proper functionality. Furthermore, protocols are integrated within the application, and there are no protocol layers as in a conventional system. The attacker does not have the path to invoke these protocols. Although an attacker can spoof IP addresses, such packets will fail user authentication and be dropped. Every packet has bare user authentication, encryption, an integrity check, and replay protection.
- Passwords: No password files are stored on bare machines. Context-based authentication is used in bare systems.
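The characteristics above describe a receive path in which there are no open ports (packets are matched against pre-defined events), concurrency control is replaced by circular lists, and every packet carries authentication, an integrity check, and replay protection. The following C code is an added illustration of how those pieces fit together in a single application suite; it is not the paper's code or the authors' BMC implementation. The packet layout, the port numbers 5000/5001, the ring size, and the keyed tag function are all constructed for this example, and the tag function is a toy stand-in for a real MAC.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not the paper's code): a bare-machine style receive path.  The
 * NIC interrupt pushes packets into a circular list; the suite's main loop pops
 * them and runs tag check -> replay check -> hardcoded port/event dispatch.
 * Packet layout, port numbers and the tag function are constructed here. */
#define RING_SLOTS  8            /* power of two so wrap-around is a mask */
#define MAX_PAYLOAD 32
#define TAG_LEN     8
#define KEY_LEN     16

typedef struct {
    uint16_t port;
    uint32_t seq;                /* per-peer, strictly increasing */
    uint8_t  len;
    uint8_t  payload[MAX_PAYLOAD];
    uint8_t  tag[TAG_LEN];       /* keyed tag over port, seq, len, payload */
} packet_t;

/* One producer (interrupt) and one consumer (main loop): each index has a
 * single writer, so no lock or semaphore is needed.  A full ring drops the
 * new packet instead of overwriting one that has not been processed yet. */
typedef struct {
    packet_t slot[RING_SLOTS];
    volatile unsigned head;      /* written only by the producer */
    volatile unsigned tail;      /* written only by the consumer */
} ring_t;

int ring_push(ring_t *r, const packet_t *p) {
    unsigned next = (r->head + 1) & (RING_SLOTS - 1);
    if (next == r->tail) return 0;                       /* full */
    r->slot[r->head] = *p; r->head = next; return 1;
}

int ring_pop(ring_t *r, packet_t *out) {
    if (r->tail == r->head) return 0;                    /* empty */
    *out = r->slot[r->tail]; r->tail = (r->tail + 1) & (RING_SLOTS - 1); return 1;
}

/* Toy keyed tag (FNV-1a style mixing seeded with the key).  It stands in for
 * a real MAC such as HMAC only to keep the example self-contained; NOT secure. */
void compute_tag(const uint8_t key[KEY_LEN], const packet_t *p, uint8_t out[TAG_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL, prime = 0x100000001b3ULL;
    size_t i;
    for (i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= prime; }
    h ^= p->port; h *= prime; h ^= p->seq; h *= prime; h ^= p->len; h *= prime;
    for (i = 0; i < p->len && i < MAX_PAYLOAD; i++) { h ^= p->payload[i]; h *= prime; }
    for (i = 0; i < TAG_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

static int tag_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < TAG_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);  /* constant time */
    return diff == 0;
}

/* Predefined events: the only ports this suite reacts to, fixed at build time. */
typedef void (*handler_fn)(const packet_t *);
static int chat_events = 0, control_events = 0;
static void on_chat(const packet_t *p)    { (void)p; chat_events++; }
static void on_control(const packet_t *p) { (void)p; control_events++; }
static const struct { uint16_t port; handler_fn fn; } event_table[] = {
    { 5000, on_chat }, { 5001, on_control },             /* constructed ports */
};

typedef enum { ACCEPTED, BAD_TAG, REPLAYED, NO_EVENT } verdict_t;
typedef struct { uint8_t key[KEY_LEN]; uint32_t last_seq; } peer_t;  /* key given out of band */

/* Sender side: fill in header, payload and tag (also how test input is built). */
void build_packet(const peer_t *peer, uint16_t port, uint32_t seq, const char *msg, packet_t *out) {
    size_t n = strlen(msg);
    memset(out, 0, sizeof *out);
    out->port = port; out->seq = seq; out->len = (uint8_t)(n < MAX_PAYLOAD ? n : MAX_PAYLOAD);
    memcpy(out->payload, msg, out->len);
    compute_tag(peer->key, out, out->tag);
}
verdict_t process_packet(peer_t *peer, const packet_t *p) {
    uint8_t expect[TAG_LEN];
    size_t i;
    compute_tag(peer->key, p, expect);
    if (!tag_equal(expect, p->tag)) return BAD_TAG;      /* spoofed/tampered: drop */
    if (p->seq <= peer->last_seq)   return REPLAYED;     /* replayed/reordered: drop */
    peer->last_seq = p->seq;
    for (i = 0; i < sizeof event_table / sizeof event_table[0]; i++)
        if (event_table[i].port == p->port) { event_table[i].fn(p); return ACCEPTED; }
    return NO_EVENT;                                     /* no such port: drop */
}
/* One main-loop step: drain the ring, tally verdicts, return packets handled. */
int drain_ring(ring_t *r, peer_t *peer, int verdicts[4]) {
    packet_t p;
    int n = 0;
    while (ring_pop(r, &p)) { verdicts[process_packet(peer, &p)]++; n++; }
    return n;
}
int chat_event_count(void) { return chat_events; }
```

The order of checks is deliberate: the tag is verified before anything else so that a spoofed packet never reaches the replay logic or a handler, the sequence counter advances only for a packet that authenticated, and a port with no entry in the table is simply discarded, which is the behaviour the "no open ports" characteristic describes.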
3.5.3. BMC Limitations
- It is not a general-purpose global system.
- It requires physical security.
- It needs all users to be authenticated and vetted.
- It uses a domain-specific application approach (by dividing applications into domains).
- Only users within a domain can communicate.
- When domain-specific users change roles, their authentication privileges are revoked.
- All nodes in the network must be bare to guarantee high security.
- It uses a bare Internet, in which all nodes are bare and physical security is assumed.
4. Comparison of Conventional and BMC Systems
5. Cyberattacks and Analysis
5.1. Overview of Selected Cyberattacks
5.1.1. Buffer Overflow
Root causes:
- Lack of bounds checking in functions.
- Lack of input validation and sanitization by programmers.
Preventive mechanisms:
- Consistently update OSs, programming languages, and compilers to their latest versions.
- Implement code protection mechanisms.
- Use safe functions; validate and sanitize input data.
- Employ static code analysis tools.
- Provide consistent training and reviews.
5.1.2. Phishing Attack
Root causes:
- Clicking links can trigger malware downloads or redirect to malicious websites.
- Downloaded files can contain malicious code.
- Running downloaded code can execute malware.
- Messages from unauthenticated users may trigger attacks.
- Email addresses are easily obtained, aiding targeted attacks.
- Email attachments are a common phishing attack vector.
- Phishing websites can mimic legitimate sites for credential theft.
Preventive mechanisms:
- Check website URLs.
- Scrutinize website design.
- Beware of urgency-based tactics.
- Enable two-factor authentication (2FA).
- Report suspicious activity.
- Utilize access control lists (ACLs).
- Employ email filtering.
- Use machine learning-based detection.
- Maintain regular backups.
- Prioritize strong passwords.
- Educate employees on cybersecurity awareness.
- Develop incident response plans.
- Provide consistent training and reviews.
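"Check website URLs" is the first preventive mechanism listed above, and the checks a practitioner actually applies can be written down. The following Python function is an added example, not from the paper, and it assumes a simple model in which the registrable domain is the last two labels of the host (a real deployment would consult the public-suffix list) and a caller-supplied set of trusted domains. It flags the classic phishing tricks: a non-HTTPS scheme, credentials placed before the host so the real destination hides after the `@`, a raw IP address, a punycode label that may be a homograph, and a trusted brand name used as a subdomain of an unrelated registrable domain:

```python
import ipaddress
from typing import List, Set
from urllib.parse import urlsplit


def url_warnings(url: str, trusted_domains: Set[str]) -> List[str]:
    """Return the reasons a link looks like a phishing URL (empty list = no finding)."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        findings.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        # https://bank.example@evil.test/ really goes to evil.test
        findings.append("credentials embedded before the host (user@host trick)")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        findings.append("no host in URL")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode (IDN) label: possible homograph of a trusted name")
    # Assumption: registrable domain is the last two labels (no public-suffix list here).
    registrable = ".".join(labels[-2:])
    if registrable not in trusted_domains:
        mimicked = [d for d in sorted(trusted_domains) if d.split(".")[0] in labels]
        if mimicked:
            findings.append(f"host uses the name '{mimicked[0]}' but is registered under '{registrable}'")
        else:
            findings.append(f"domain '{registrable}' is not in the trusted list")
    if len(labels) > 4:
        findings.append("unusually deep subdomain nesting")
    return findings


if __name__ == "__main__":
    # Constructed sample links; bank.example stands in for the organisation's real domain.
    trusted = {"bank.example"}
    for link in ["https://www.bank.example/login",
                 "http://bank.example.evil.test/login",
                 "https://bank.example@203.0.113.5/login",
                 "https://xn--bnk-8ja.example/"]:
        print(link, "->", url_warnings(link, trusted) or "no findings")
```

The function is deliberately a warning generator rather than a verdict: in an email gateway it would feed the email-filtering and machine-learning steps listed above, and in training material it shows users what "check the URL" concretely means.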
5.1.3. Ransomware
Root causes:
- Downloading email attachments.
- Downloading files from untrusted websites.
- Allowing downloaded code to run automatically.
- Attackers accessing OS APIs.
- Attackers exploiting hardware vulnerabilities (TPM (Trusted Platform Module), BIOS, firmware).
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Deploy an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
- Utilize a TPM (note: TPMs have also been found to have security vulnerabilities).
- Maintain regular backups.
- Implement blacklist-based detection: block known malicious domains and IP addresses.
- Employ advanced ransomware detection: rule-based, statistical, machine learning-based, or hybrid techniques.
- Change file extensions randomly.
- Provide consistent training and reviews.
5.1.4. Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Root causes:
- Allowing attackers to infect a legitimate machine and use it as an attack source.
- Allowing attackers to flood the target with requests.
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Information entropy.
- Machine learning-based methods.
- Artificial neural networks (ANN).
- Statistical analysis.
- Flow statistics.
- Rate limiting.
- TCP proxies.
- Provide consistent training and reviews.
5.1.5. Man-in-the-Middle (MITM)
Root causes:
- Attackers using public Wi-Fi access points.
- Relying on an SSL/TLS layer provided by the OS.
- Exploiting protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IP.
- Using open-source automation tools.
- Using open-source OSs.
- Lack of proper authentication measures to validate users.
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Enable two-factor authentication (2FA).
- ARP spoofing detection: cryptographic, voting-based, hardware, server-based, and host-based solutions.
- DNS spoofing detection: entropy-based, cryptographic, and artificial neural network (ANN) solutions.
- IP spoofing defense: router-based, host-based, and hybrid solutions.
- SSL/TLS solutions: detecting forged certificates, certificate pinning, multipath probing, forcing SSL/TLS connections, friendly MITM, TLS extensions.
- Provide consistent training and reviews.
5.1.6. Password Attack
Root causes:
- Exploiting OS vulnerabilities.
- Attackers modifying the limit on password entry attempts.
- Attackers accessing password files.
- Attackers accessing OS APIs.
- Attackers accessing system calls.
- Weak or predictable passwords.
Preventive mechanisms:
- Conduct penetration testing.
- Enable two-factor authentication (2FA).
- Enforce and manage strong password policies.
- Monitor activity for suspicious behavior.
- Employ a layered defense for a strong security posture.
- Limit the number of password attempts.
- Change passwords frequently.
- Avoid using the same password for multiple accounts.
- Avoid passwords that are vulnerable to dictionary attacks.
- Use a password manager.
- Do not write down passwords.
- Consider password-less authentication techniques.
- Provide consistent training and reviews.
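Two of the root causes above (attackers reaching the password file, and attackers changing the attempt limit) and one preventive mechanism (limiting attempts) come together in how a conventional system should store and verify passwords. The following Python class is an added example, not code from the paper, and it assumes a single-process store with an injectable clock; the PBKDF2 iteration count and the 15-minute lockout are policy values chosen for illustration. The points it makes: only a salted, slow hash is stored, so a stolen record does not yield the password cheaply; the comparison is constant-time; an unknown username costs the same work as a wrong password, so timing does not reveal valid accounts; and the failure counter lives on the verifier, where a client cannot modify it:

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict

MAX_FAILURES = 5          # attempts before lockout (assumption: policy value)
LOCKOUT_SECONDS = 900.0   # 15 minutes (assumption: policy value)


class PasswordStore:
    """Verifier that keeps only salted PBKDF2 hashes and enforces attempt limits server-side."""

    def __init__(self, iterations: int = 600_000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.iterations = iterations   # PBKDF2-HMAC-SHA256 work factor (assumption; tune per hardware)
        self._clock = clock
        self._records: Dict[str, dict] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)          # per-user random salt defeats precomputed tables
        self._records[user] = {"salt": salt, "hash": self._hash(password, salt),
                               "failures": 0, "locked_until": 0.0}

    def verify(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. The failure counter lives here, not in the client."""
        rec = self._records.get(user)
        if rec is None:
            self._hash(password, b"\x00" * 16)   # same cost for unknown users: no username oracle
            return "denied"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"                      # the password is not evaluated while locked
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"


if __name__ == "__main__":
    # Constructed demo with a low iteration count so it runs quickly.
    store = PasswordStore(iterations=2000)
    store.register("alice", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILURES):
        store.verify("alice", "wrong guess")
    print(store.verify("alice", "correct horse battery staple"))   # locked
```

Note that the lockout itself can be turned into a denial-of-service against a known username; production systems usually pair it with per-source rate limiting or an escalating delay rather than a hard lock alone.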
5.1.7. Trojan Horse
Root causes:
- Users downloading files or software.
- Downloaded code running automatically.
- Exploiting OS vulnerabilities.
- Attackers accessing system calls.
- Attackers accessing OS APIs.
- Attackers using auto-run script files.
Preventive mechanisms:
- Avoid opening suspicious emails.
- Download software only from verified publishers.
- Scan URLs before clicking.
- Use antivirus software.
- Deploy honeypots.
- Provide consistent training and reviews.
5.1.8. Virus
Root causes:
- Users downloading email attachments.
- Users downloading software.
- Users accessing fake websites.
- Users using an infected USB or other mass storage device.
- Allowing script files in emails.
- Attackers using batch files.
- Exploiting OS vulnerabilities.
Preventive mechanisms:
- Antivirus software.
- Firewalls.
- Keeping OSs up to date.
- Regularly backing up digital records.
- Scanning systems and USBs.
- Provide consistent training and reviews.
5.1.9. Worms
Root causes:
- Downloading software.
- Downloading email attachments.
- Accessing fake websites.
- Using an infected USB or other mass storage device.
- Allowing script files in emails.
- Attackers using batch files.
- Exploiting OS vulnerabilities.
Preventive mechanisms:
- Antivirus software.
- Firewalls.
- Keeping OSs up to date.
- Frequent backups of digital records.
- Scanning systems and USBs for malware.
- Provide consistent training and reviews.
5.1.10. Spyware
Root causes:
- Downloading software.
- Downloading email attachments.
- Accessing fake websites.
- Using an infected USB or other mass storage device.
- Allowing script files in emails.
- Attackers using batch files.
- Exploiting OS vulnerabilities.
Preventive mechanisms:
- Spyware detection algorithms.
- Antivirus software.
- Firewalls.
- Keeping OSs up to date.
- Regularly backing up digital records.
- Scanning systems and USBs for malware.
- Provide consistent training and reviews.
5.1.11. Adware
Root causes:
- Marketing.
Preventive mechanisms:
- Uninstall adware.
- Reset web browser settings.
- Delete web browser caches and cookies.
- Use antivirus software.
- Provide consistent training and reviews.
5.1.12. Rootkit
Root causes:
- Installing software online.
- Downloading software.
- Exploiting OS vulnerabilities.
- Accessing fake websites.
- Using an infected USB or other mass storage device.
- Using devices with infected firmware.
- Firmware vulnerabilities.
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Antivirus software.
- Firewalls.
- Rootkit scanners.
- Avoiding phishing scams.
- Keeping OSs up to date.
- Provide consistent training and reviews.
5.1.13. Botnet
Root causes:
- Software vulnerabilities.
- Downloading software.
- Using an infected USB or other mass storage device.
- Open ports.
Preventive mechanisms:
- Using an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
- Firewalls.
- Enforce and manage strong password policies.
- Access control lists (ACLs).
- AI and automation tools for security.
- Using bot managers.
- Enable two-factor authentication (2FA).
- Provide consistent training and reviews.
5.1.14. Data Breach
Root causes:
- User mistakes or negligence.
- Malicious insiders.
- Lack of physical security.
- Downloading software.
Preventive mechanisms:
- Regularly back up digital records.
- Cryptography.
- Identity and access management (IAM), such as strong password policies.
- Incident response plan (IRP).
- Enable two-factor authentication (2FA).
- AI and automation tools for security.
- Provide consistent training and reviews.
5.1.15. Advanced Persistent Threats (APT)
Root causes:
- Downloading software.
- Clicking on email attachments.
- Using an infected USB or other mass storage device.
- Accessing fake websites.
- Exploiting OS vulnerabilities.
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Access control lists (ACLs).
- Controlling external media use.
- Protecting valuable data.
- Managing endpoint security.
- Implementing network access control (NAC).
- Blocking high-risk applications.
- Blocking known malware servers.
- Analyzing security breaches for prevention.
- Network and host hardening.
- Provide consistent training and reviews.
5.1.16. SQL Injection
Root causes:
- System privileges are granted to the DBMS.
- The DBMS bypassing OS controls.
- Failure to validate and sanitize user-entered data.
Preventive mechanisms:
- Input validation and sanitization.
- Using prepared statements.
- Firewalls.
- Controlling database permissions.
- Scanning code for SQL injection vulnerabilities.
- Using a secure ORM framework.
- Using properly constructed stored procedures.
- Applying the principle of least privilege to database accounts.
- Prohibiting default root or admin access for applications.
- Changing default DBMS account names and credentials.
- Provide consistent training and reviews.
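The third root cause and the first two preventive mechanisms above are best seen side by side. The following Python is an added example, not the paper's code, using the standard library's sqlite3 module with a constructed in-memory user table. `login_vulnerable` pastes user input into the SQL text, so a quote and a comment marker turn the password check off; `login_safe` sends the same input as a bound parameter, so the quote is just data. The third function shows the "least privilege" item with the one mechanism SQLite offers for it, an authorizer callback that refuses write actions on a connection that should only ever read (on a server DBMS the same effect comes from a read-only account):

```python
import sqlite3
from typing import List

WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
                 sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE}


def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, password_hash, is_admin) VALUES (?, ?, ?)",
                     [("alice", "hash-a", 1), ("bob", "hash-b", 0)])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password_hash: str) -> List[str]:
    # Root cause: user-entered data is pasted into the SQL text without validation.
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, password_hash: str) -> List[str]:
    # Prepared statement: values travel as parameters, never as SQL text.
    query = "SELECT name FROM users WHERE name = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (name, password_hash))]


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    # Least privilege for a login path that only needs SELECT: deny every write action.
    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def can_delete(conn: sqlite3.Connection) -> bool:
    try:
        conn.execute("DELETE FROM users WHERE name = 'bob'")
        return True
    except sqlite3.DatabaseError:      # "not authorized" raised by the authorizer
        return False


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice' --", "anything"))   # ['alice']: comment removes the password check
    print(login_vulnerable(db, "' OR 1=1 --", ""))         # ['alice', 'bob']: every row
    print(login_safe(db, "alice' --", "anything"))          # []: the quote is just data
    restrict_to_read_only(db)
    print(can_delete(db))                                   # False
```

Input validation still matters alongside prepared statements: a parameter cannot change the query's structure, but an unexpected value can still reach code that builds dynamic table names, ORDER BY clauses, or LIKE patterns, which parameters do not cover.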
5.1.17. Supply Chain
Root causes:
- Providing backdoors in software and hardware.
- Exploiting OS vulnerabilities.
- Open-source code.
- Downloading software.
- Using an infected USB or other mass storage device.
- Users accessing fake websites.
Preventive mechanisms:
- Implement honey tokens.
- Secure privileged access management (PAM).
- Implement a zero trust architecture (ZTA).
- Identify potential insider threats.
- Identify and protect vulnerable resources.
- Minimize access to sensitive data.
- Implement strict shadow IT rules.
- Conduct regular third-party risk assessments.
- Monitor vendor networks for vulnerabilities.
- Identify all third-party data leaks.
- Disable backdoors.
- Provide consistent training and reviews.
5.1.18. URL Interpretation
Root causes:
- Attackers accessing private files through a URL link.
Preventive mechanisms:
- Input validation and sanitization.
- URL encoding to neutralize malicious characters.
- Avoid using user input directly in code.
- Implement strict access permissions.
- Enable two-factor authentication (2FA).
- Provide consistent training and reviews.
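The root cause above, a URL path that reaches private files, is the path traversal problem, and the first four preventive mechanisms can be applied in one function. The following Python is an added example, not from the paper; it assumes a file-serving application with a single document root and treats any dot-prefixed path component as private. It decodes the path exactly once and rejects anything still containing a percent sign (double encoding) or a NUL byte, then resolves the candidate against the real document root and refuses it unless it lies inside, which also catches symlinks that point out of the root:

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit


def safe_path(doc_root: str, url: str) -> Optional[str]:
    """Map a request URL to a path under doc_root, or None if it must be refused."""
    root = Path(doc_root).resolve()
    raw = urlsplit(url).path          # query string and fragment are not part of the path
    decoded = unquote(raw)            # decode exactly once
    if "%" in decoded or "\x00" in decoded:
        return None                   # double-encoded traversal or NUL-byte truncation
    target = (root / decoded.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        return None                   # escaped the document root (../ or symlink)
    relative = target.relative_to(root)
    if any(part.startswith(".") for part in relative.parts):
        return None                   # dot-files are private by policy (assumption)
    return relative.as_posix()


if __name__ == "__main__":
    # Constructed requests against a temporary directory standing in for the web root.
    import tempfile
    root = tempfile.mkdtemp()
    for link in ["/index.html", "/img/../index.html", "/../../etc/passwd",
                 "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd", "/.git/config"]:
        print(link, "->", safe_path(root, link))
```

`Path.resolve()` normalizes `..` lexically for components that do not exist and follows symlinks for those that do, so the containment check covers both the string-level tricks and the case where a file inside the root links outside it.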
5.1.19. Insider Threats
Root causes:
- Failure to apply strong security policies to private data.
- User mistakes or negligence.
- Freely available educational resources on cybersecurity vulnerabilities and attack techniques.
Preventive mechanisms:
- Implement proper access management.
- Employ user behavior analytics on access to private data.
- Use offensive security measures.
- Provide consistent training and reviews.
5.1.20. Eavesdropping
Root causes:
- Freely available online automation tools.
- Open Wi-Fi access at public places.
Preventive mechanisms:
- Cryptography.
- Provide consistent training and reviews.
5.1.21. Cookies
Root causes:
- Marketing tools and techniques online.
- Attackers intruding into machines.
- Exploiting vulnerable protocols to steal cookies.
Preventive mechanisms:
- Disable or restrict cookies in browser settings.
- Provide consistent training and reviews.
5.1.22. Social Engineering
Root causes:
- Marketing tools and techniques online.
- Attackers intruding into machines.
- Social platforms and networks.
Preventive mechanisms:
- Do not click on malicious links.
- Do not download malicious software.
- Disable or restrict cookies in browser settings.
- Do not engage in conversations with unknown users.
- Provide consistent training and reviews.
5.2. Description and Analysis of Selected Cyberattacks
5.2.1. Root Causes for the 22 Cyberattacks
5.2.2. Preventive Mechanisms for the 22 Selected Cyberattacks
5.3. Analysis of Cyberattacks
5.3.1. Root Causes vs. Cyberattacks
5.3.2. Preventive Mechanisms vs. Cyberattacks
5.3.3. Conventional Root Causes Applicable to BMC Systems
5.3.4. Conventional Preventive Mechanisms Applicable to BMC Systems
5.3.5. The Cyberattacks vs. the BMC Paradigm
6. Significant Contributions
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Statista. Number of Internet and Social Media Users Worldwide as of January 2024. Available online: https://www.statista.com/statistics/617136/digital-population-worldwide/ (accessed on 27 March 2024).
- Aslan, Ö.; Aktuğ, S.S.; Ozkan-Okay, M.; Yilmaz, A.A.; Akin, E. A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions. Electronics 2023, 12, 1333. [Google Scholar] [CrossRef]
- Alenezi, M.; Zarour, M. On the Relationship between Software Complexity and Security. IJSEA 2020, 11, 51–60. [Google Scholar] [CrossRef]
- Mellal, M.A. Obsolescence—A review of the literature. Technol. Soc. 2020, 63, 101347. [Google Scholar] [CrossRef]
- Zallio, M.; Berry, D. Design and Planned Obsolescence. Theories and Approaches for Designing Enabling Technologies. Des. J. 2017, 20, S3749–S3761. [Google Scholar] [CrossRef]
- Aladeojebi, T.K. Planned Obsolescence. IRJSE 2013, 4, 1504–1508. [Google Scholar]
- Malinauskaite, J.; Erdem, F.B. Planned Obsolescence in the Context of a Holistic Legal Sphere and the Circular Economy. Oxf. J. Leg. Stud. 2021, 41, 719–749. [Google Scholar] [CrossRef]
- Drozd, M.; Barabas, M.; Gregr, M.; Chmelar, P. Buffer overflow attacks data acquisition. In Proceedings of the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems, Prague, Czech Republic, 15–17 September 2011; pp. 775–779. [Google Scholar] [CrossRef]
- Zieni, R.; Massari, L.; Calzarossa, M.C. Phishing or Not Phishing? A Survey on the Detection of Phishing Websites. IEEE Access 2023, 11, 18499–18519. [Google Scholar] [CrossRef]
- Razaulla, S.; Fachkha, C.; Markarian, C.; Gawanmeh, A.; Mansoor, W.; Fung, B.C.M.; Assi, C. The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions. IEEE Access 2023, 11, 40698–40723. [Google Scholar] [CrossRef]
- Tripathi, N.; Hubballi, N. Application Layer Denial-of-Service Attacks and Defense Mechanisms: A Survey. ACM Comput. Surv. 2021, 54, 86. [Google Scholar] [CrossRef]
- Conti, M.; Dragoni, N.; Lesyk, V. A Survey of Man In The Middle Attacks. IEEE Commun. Surv. Tutor. 2016, 18, 3. [Google Scholar] [CrossRef]
- Alkhwaja, I.; Albugami, M.; Alkhwaja, A.; Alghamdi, M.; Abahussain, H.; Alfawaz, F.; Almurayh, A.; Min-Allah, N. Password Cracking with Brute Force Algorithm and Dictionary Attack Using Parallel Programming. Appl. Sci. 2023, 13, 5979. [Google Scholar] [CrossRef]
- National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. Guide to Malware Incident Prevention and Handling for Desktops and Laptops; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2013. Available online: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf (accessed on 27 January 2024).
- Khan, H.A.; Syed, A.; Mohammad, A.; Halgamuge, M.N. Computer virus and protection methods using lab analysis. In Proceedings of the IEEE 2nd International Conference on Big Data Analysis (ICBDA), Beijing, China, 10–12 March 2017; pp. 882–886. [Google Scholar] [CrossRef]
- Saudi, M.M.; Cullen, A.J.; Woodward, M.E. STAKCERT Framework in Eradicating Worms Attack. In Proceedings of the International Conference on CyberWorlds, Bradford, UK, 7–11 September 2009; pp. 257–264. [Google Scholar] [CrossRef]
- Naser, M.; Abu Al-Haija, Q. Spyware Identification for Android Systems Using Fine Trees. Information 2023, 14, 102. [Google Scholar] [CrossRef]
- Umar, F.; Khurana, S.S.; Singh, P.; Kumar, M. An Empirical Study on Detection of Android Adware Using Machine Learning Techniques. Multimed Tools Appl. 2024, 83, 38753–38792. [Google Scholar] [CrossRef]
- Kühnhauser, W.E. Root Kits—An operating systems viewpoint. SIGOPS Oper. Syst. Rev. 2004, 38, 12–23. [Google Scholar] [CrossRef]
- Owen, H.; Zarrin, J.; Pour, S.M. A Survey on Botnets, Issues, Threats, Methods, Detection and Prevention. J. Cybersecur. Priv. 2022, 2, 74–88. [Google Scholar] [CrossRef]
- Fleury-Charles, A.; Chowdhury, M.M.; Rifat, N. Data Breaches: Vulnerable Privacy. In Proceedings of the IEEE International Conference on Electro Information Technology (eIT), Mankato, MN, USA, 19–21 May 2022; pp. 538–543. [Google Scholar] [CrossRef]
- Gan, C.; Lin, J.; Huang, D.-W.; Zhu, Q.; Tian, L. Advanced Persistent Threats and Their Defense Methods in Industrial Internet of Things: A Survey. Mathematics 2023, 11, 3115. [Google Scholar] [CrossRef]
- Alghawazi, M.; Alghazzawi, D.; Alarifi, S. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review. J. Cybersecur. Priv. 2022, 2, 764–777. [Google Scholar] [CrossRef]
- Sobb, T.; Turnbull, B.; Moustafa, N. Supply Chain 4.0: A Survey of Cyber Security Challenges, Solutions and Future Directions. Electronics 2020, 9, 1864. [Google Scholar] [CrossRef]
- Sharma, P.; Nagpal, B. A Study on URL Manipulation Attack Methods and Their Countermeasures. IJETCSE 2015, 15, 116–119. [Google Scholar]
- Saxena, N.; Hayes, E.; Bertino, E.; Ojo, P.; Choo, K.-K.R.; Burnap, P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics 2020, 9, 1460. [Google Scholar] [CrossRef]
- Kim, M.; Suh, T. Eavesdropping Vulnerability and Countermeasure in Infrared Communication for IoT Devices. Sensors 2021, 21, 8207. [Google Scholar] [CrossRef] [PubMed]
- Sivakorn, S.; Polakis, I.; Keromytis, A.D. The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016; pp. 724–742. [Google Scholar] [CrossRef]
- Salahdine, F.; Kaabouch, N. Social Engineering Attacks: A Survey. Future Internet 2019, 11, 89. [Google Scholar] [CrossRef]
- CVE—Common Vulnerabilities and Exposures. MITRE Corporation. Available online: https://cve.mitre.org/ (accessed on 17 July 2024).
- CWE—Common Weakness Enumeration. MITRE Corporation. Available online: https://cwe.mitre.org/ (accessed on 17 July 2024).
- MITRE ATT&CK®. MITRE Corporation. Available online: https://attack.mitre.org/ (accessed on 17 July 2024).
- IoT Business News. State of IoT 2023: Number of Connected IoT Devices Growing 16% to 16.0 Billion Globally—Wi-Fi, Bluetooth, and Cellular Driving the Market. Available online: https://iotbusinessnews.com/2023/05/25/34645-state-of-iot-2023-number-of-connected-iot-devices-growing-16-to-16-0-billion-globally-wi-fi-bluetooth-and-cellular-driving-the-market/ (accessed on 27 January 2024).
- Zhang, Y.; Frank, R.; Warkentin, N.; Zakimi, N. Accessible from the open web: A qualitative analysis of the available open-source information involving cyber security and critical infrastructure. J. Cybersecur. 2022, 8, tyac003. [Google Scholar] [CrossRef]
- Mafamane, R.; Ouadou, M.; Hassani, A.T.J.; Minaoui, K. Study of the heterogeneity problem in the Internet of Things and Cloud Computing integration. In Proceedings of the 2020 10th International Symposium on Signal, Image, Video and Communications (ISIVC), Saint-Etienne, France, 7–9 April 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Evolution of Computing. The Problem of Growing Complexity in the Evolution of Computing. Available online: https://evolutionofcomputing.org/Multicellular/ProblemStatement.html (accessed on 27 January 2024).
- Umejiaku, A.P.; Dhakal, P.; Sheng, V.S. Balancing Password Security and User Convenience: Exploring the Potential of Prompt Models for Password Generation. Electronics 2023, 12, 2159. [Google Scholar] [CrossRef]
- Statista. Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2023, with Forecasts from 2022 to 2030. Available online: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/ (accessed on 27 March 2024).
- Okafor, U.; Karne, R.K.; Wijesinha, A.L.; Appiah-Kubi, P. Eliminating the Operating System via the Bare Machine Computing Paradigm. In Proceedings of the Fifth International Conference on Future Computational Technologies and Applications, Valencia, Spain, 27 May–1 June 2013; pp. 1–6. [Google Scholar]
- MisCircuitos. Difference between Bare Metal vs. Embedded Linux. Available online: https://miscircuitos.com/difference-between-bare-metal-vs-embedded-linux/ (accessed on 27 January 2024).
- IBM. What is a Bare Metal Server? Available online: https://www.ibm.com/topics/bare-metal-dedicated-servers (accessed on 27 January 2024).
- Karne, R.K.; Wijesinha, A.L.; Liang, S.; Appiah-Kubi, P. A Bare PC Mass Storage USB Driver. Int. J. Comput. Appl. 2013, 21, 32. [Google Scholar]
- Alotaibi, F.; Karne, R.K.; Wijesinha, A.; Soundararajan, N.; Rangi, A. A Chat Application on a Bare Internet. In Proceedings of the 2024 IEEE 48th Annual Computers, Software, and Applications (COMPSAC), Osaka, Japan, 2–4 July 2024; pp. 2411–2416. [Google Scholar]
- Engler, D.R. The Exokernel Operating System Architecture. Ph.D. Thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 1998. [Google Scholar]
- Levis, P. Experiences from a decade of TinyOS development. In Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, Hollywood, CA, USA, 8–10 October 2012; pp. 207–220. [Google Scholar]
- Lange, J.; Pedretti, K.; Hudson, T.; Dinda, P.; Cui, Z.; Xia, L.; Bridges, P.; Gocke, A.; Jaconette, S.; Levenhagen, M.; et al. Palacios and Kitten: New High Performance Operating Systems For Scalable Virtualized and Native Supercomputing. In Proceedings of the 2010 IEEE International Symposium on Parallel & Distributed Processing (IPDPS), Atlanta, GA, USA, 19–23 April 2010; pp. 1–12. [Google Scholar] [CrossRef]
- Isaac, O.; Okokpujie, K.; Akinwumi, H.; Juwe, J.; Otunuya, H.; Alagbe, O. An Overview of Microkernel Based Operating Systems. IOP Conf. Ser. Mater. Sci. Eng. 2021, 1107, 012052. [Google Scholar] [CrossRef]
- Kong, X.; Chen, J.; Bai, W.; Xu, Y.; Elhaddad, M.; Raindel, S.; Padhye, J.; Lebeck, A.R.; Zhuo, D. Understanding RDMA Microarchitecture Resources for Performance Isolation. In Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation, Boston, MA, USA, 17–19 April 2023; pp. 31–48. [Google Scholar]
- Pai, V.S.; Druschel, P.; Zwaenepoel, W. IO-Lite: A Unified I/O Buffering and Caching System. ACM Trans. Comput. Syst. 2000, 18, 37–66. [Google Scholar] [CrossRef]
- Zhang, I.; Liu, J.; Austin, A.; Roberts, M.L.; Badam, A. I’m Not Dead Yet! The Role of the Operating System in a Kernel-Bypass Era. In Proceedings of the Workshop on Hot Topics in Operating Systems, Bertinoro, Italy, 13–15 May 2019; pp. 73–80. [Google Scholar] [CrossRef]
- Baccelli, E.; Gündogan, C.; Hahm, O.; Kietzmann, P.; Lenders, M.S.; Petersen, H.; Schleiser, K.; Schmidt, T.C.; Wählisch, M. RIOT: An Open Source Operating System for Low-End Embedded Devices in the IoT. IEEE Internet Things J. 2018, 5, 6. [Google Scholar] [CrossRef]
- Sen, S.; Guérin, R.; Hosanagar, K. Functionality-rich Versus Minimalist Platforms: A Two-sided Market Analysis. ACM SIGCOMM Comput. Commun. Rev. 2011, 41, 36–43. [Google Scholar] [CrossRef]
- Soundararajan, N.; Karne, R.; Wijesinha, A.; Ordouie, N.; Chang, H. Design Issues in Running a Webserver on Bare PC Multi-Core Architecture. In Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain, 13–17 July 2020; pp. 555–564. [Google Scholar] [CrossRef]
- Appiah-Kubi, P.; Karne, R.K.; Wijesinha, A.L. A Bare PC TLS Webmail Server. In Proceedings of the 2012 International Conference on Computing, Networking and Communications (ICNC), Maui, HI, USA, 30 January–2 February 2012; pp. 149–153. [Google Scholar] [CrossRef]
- Wikipedia. Available online: https://en.wikipedia.org/wiki/Security_through_obscurity (accessed on 20 August 2024).
- Alotaibi, F.; Karne, R.K.; Wijesinha, A. A Stateless Bare PC Web Server. In Proceedings of the 19th International Conference on Web Information Systems and Technologies (WEBIST 2023), Rome, Italy, 15–17 November 2023; pp. 406–413. [Google Scholar] [CrossRef]
- The SSL Store. Executing a Man-in-the-Middle Attack in Just 15 Minutes. Available online: https://www.thesslstore.com/blog/man-in-the-middle-attack-2 (accessed on 27 March 2024).
- Alwis, C.D.; Porambage, P.; Dev, K.; Gadekallu, T.R.; Liyanage, M. A Survey on Network Slicing Security: Attacks, Challenges, Solutions and Research Directions. IEEE Commun. Surv. Tutor. 2024, 26, 534–570. [Google Scholar] [CrossRef]
- Harrison, R. Reducing complexity in securing heterogeneous networks. Netw. Secur. 2015, 10, 11–13. [Google Scholar] [CrossRef]
- Li, L.; Li, D.; Bissyandé, T.F.; Klein, J.; Le Traon, Y.; Lo, D.; Cavallaro, L. Understanding Android app piggybacking: A systematic study of malicious code grafting. IEEE Trans. Inf. Forensics Secur. 2017, 12, 1269–1284. [Google Scholar] [CrossRef]
- Alhamry, M.; Elmedany, W. Exploring Wi-Fi WPA2 KRACK Vulnerability: A Review Paper. In Proceedings of the 2022 International Conference on Data Analytics for Business and Industry (ICDABI), Sakhir, Bahrain, 25–26 October 2022; pp. 766–772. [Google Scholar]
- Vondráček, M.; Pluskal, J.; Ryšavý, O. Automated Man-in-the-Middle Attack Against Wi-Fi Networks. J. Digit. Forensic. Secur. Law 2018, 13, 9. [Google Scholar] [CrossRef]
- Pan, Z.; Shen, W.; Wang, X.; Yang, Y.; Chang, R.; Liu, Y.; Liu, C.; Liu, Y.; Ren, K. Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines. IEEE Trans. Dependable Secur. Comput. 2024, 21, 403–418. [Google Scholar] [CrossRef]
- Duman, S.; Büchler, M.; Egele, M.; Kirda, E. Pellucid Attachment: Protecting Users from Attacks via E-mail Attachments. IEEE Trans. Dependable Secure Comput. 2023, 21, 1342–1354. [Google Scholar] [CrossRef]
- Hakak, S.; Khan, W.Z.; Imran, M.; Choo, K.R.; Shoaib, M. Have You Been a Victim of COVID-19-Related Cyber Incidents? Survey, Taxonomy, and Mitigation Strategies. IEEE Access 2020, 8, 124134–124144. [Google Scholar] [CrossRef]
- Cengiz, A.B.; Kalem, G.; Boluk, P.S. The Effect of Social Media User Behaviors on Security and Privacy Threats. IEEE Access 2022, 10, 57674–57684. [Google Scholar] [CrossRef]
- Chang, V.; Golightly, L.; Xu, Q.A.; Boonmee, T.; Liu, B.S. Cybersecurity for children: An investigation into the application of social media. Enterp. Inf. Syst. 2023, 17, 2188122. [Google Scholar] [CrossRef]
- Masri, R.; Aldwairi, M. Automated malicious advertisement detection using VirusTotal, URLVoid, and TrendMicro. In Proceedings of the 2017 8th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 4–6 April 2017; pp. 336–341. [Google Scholar] [CrossRef]
- Pooranian, Z.; Conti, M.; Haddadi, H.; Tafazolli, R. Online Advertising Security: Issues, Taxonomy, and Future Directions. IEEE Commun. Surv. Tut. 2020, 23, 2494–2524. [Google Scholar] [CrossRef]
- Shantanu, B.; Janet, J.; Arul Kumar, R.J. Malicious URL Detection: A Comparative Study. In Proceedings of the 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS), Coimbatore, India, 25–27 March 2021; pp. 1147–1151. Available online: https://ieeexplore.ieee.org/document/9396014 (accessed on 20 August 2024).
- Aljabri, M.; Altamimi, H.S.; Albelali, S.A.; Al-Harbi, M.; Alhuraib, H.T.; Alotaibi, N.K.; Alahmadi, A.A.; Alhaidari, F.; Mohammad, R.M.A.; Salah, K. Detecting Malicious URLs Using Machine Learning Techniques: Review and Research Directions. IEEE Access 2022, 10, 121395–121417. [Google Scholar] [CrossRef]
- Cunningham, B.; Fuller, E.; Little, C.; Schack, T.; Dykstra, T.; Hoagberg, M.; Miles, G.; Rogers, R. Network Security Evaluation Using the NSA IEM; Syngress: Rockland, MA, USA, 2005; ISBN 978-1-59749-035-1. [Google Scholar]
- Gao, Z.; Ansari, N. Tracing cyber attacks from the practical perspective. IEEE Commun. Mag. 2005, 43, 123–131. [Google Scholar] [CrossRef]
- Yang, J. Analysis on cookies and cybersecurity. In Proceedings of the Third International Symposium on Computer Engineering and Intelligent Communications (ISCEIC 2022), Xi’an, China, 16–18 September 2022; Volume 12462, pp. 217–224. [Google Scholar]
- Bhurtel, M.; Rawat, D.B. Unveiling the Landscape of Operating System Vulnerabilities. Future Internet 2023, 15, 248. [Google Scholar] [CrossRef]
- Jang, M.; Kim, H.; Yun, Y. Detection of DLL Inserted by Windows Malicious Code. In Proceedings of the 2007 International Conference on Convergence Information Technology (ICCIT 2007), Gwangju, Republic of Korea, 21–23 November 2007; pp. 1059–1064. [Google Scholar] [CrossRef]
- Alzahrani, S.; Xiao, Y.; Sun, W. An Analysis of Conti Ransomware Leaked Source Codes. IEEE Access 2022, 10, 100178–100193. [Google Scholar] [CrossRef]
- Chordiya, A.R.; Majumder, S.; Javaid, A.Y. Man-in-the-Middle (MITM) Attack Based Hijacking of HTTP Traffic Using Open Source Tools. In Proceedings of the 2018 IEEE International Conference on Electro/Information Technology (EIT), Rochester, MI, USA, 3–5 May 2018; pp. 438–443. [Google Scholar] [CrossRef]
- Sang, F.L.; Nicomette, V.; Deswarte, Y. I/O Attacks in Intel PC-based Architectures and Countermeasures. In Proceedings of the First SysSec Workshop, Amsterdam, The Netherlands, 6 July 2011; pp. 19–26. [Google Scholar] [CrossRef]
- Gozman, D.; Willcocks, L. The emerging Cloud Dilemma: Balancing innovation with cross-border privacy and outsourcing regulations. J. Bus. Res. 2019, 97, 235–256. [Google Scholar] [CrossRef]
- Benaroch, M. Third-party induced cyber incidents—Much ado about nothing? J. Cybersecur. 2021, 7, tyab020. [Google Scholar] [CrossRef]
- Shah, M.; Soni, V.; Shah, H.; Desai, M. TCP/IP network protocols—Security threats, flaws and defense methods. In Proceedings of the 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 16–18 March 2016; pp. 2693–2699. [Google Scholar]
- Liu, R.; Yu, B.; Wang, B.; Ye, J.; Huang, J.; Kong, X. SEEKER: A Root Cause Analysis Method Based on Deterministic Replay for Multi-Type Network Protocol Vulnerabilities. In Proceedings of the 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Wuhan, China, 9–11 December 2022; pp. 131–138. [Google Scholar] [CrossRef]
- Geetha, K.; Sreenath, N. SYN flooding attack—Identification and analysis. In Proceedings of the International Conference on Information Communication and Embedded Systems (ICICES2014), Chennai, India, 27–28 February 2014; pp. 1–7. [Google Scholar]
- AbdAllah, E.G.; Hassanein, H.S.; Zulkernine, M. A Survey of Security Attacks in Information-Centric Networking. IEEE Commun. Surv. Tut. 2015, 17, 1441–1454. [Google Scholar] [CrossRef]
- Kalafut, A.; Acharya, A.; Gupta, M. A study of malware in peer-to-peer networks. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil, 25–27 October 2006; pp. 327–332. [Google Scholar]
- Lalonde Lévesque, F.; Chiasson, S.; Somayaji, A.; Fernandez, J.M. Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach. ACM Trans. Priv. Secur. 2018, 21, 18. [Google Scholar] [CrossRef]
- Faruk, M.J.H.; Shahriar, H.; Valero, M.; Barsha, F.L.; Sobhan, S.; Khan, A.; Whitman, M.; Cuzzocrea, A.; Lo, D.; Rahman, A.; et al. Malware Detection and Prevention using Artificial Intelligence Techniques. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December 2021; pp. 5369–5377. [Google Scholar] [CrossRef]
- Syafitri, W.; Shukur, Z.; Mokhtar, U.A.; Sulaiman, R.; Ibrahim, M.A. Social Engineering Attacks Prevention: A Systematic Literature Review. IEEE Access 2022, 10, 39325–39343. [Google Scholar] [CrossRef]
- Shokeen, R.; Shanmugam, B.; Kannoorpatti, K.; Azam, S.; Jonkman, M.; Alazab, M. Vulnerabilities Analysis and Security Assessment Framework for the Internet of Things. In Proceedings of the 2019 Cybersecurity and Cyberforensics Conference (CCC), Melbourne, Australia, 8–9 May 2019; pp. 22–29. [Google Scholar] [CrossRef]
- Winter, J.; Dietrich, K. A hijacker’s guide to communication interfaces of the trusted platform module. Comput. Math. Appl. 2013, 65, 748–761. [Google Scholar] [CrossRef]
- Ylli, E.; Fejzaj, J. Man in the Middle: Attack and Protection. In Proceedings of the 4th International Conference on Recent Trends and Applications in Computer Science and Information Technology, Tirana, Albania, 21–22 May 2021; pp. 198–204. [Google Scholar]
- Otta, S.P.; Panda, S.; Gupta, M.; Hota, C. A Systematic Survey of Multi-Factor Authentication for Cloud Infrastructure. Future Internet 2023, 15, 146. [Google Scholar] [CrossRef]
- Lockheed Martin. Gaining the Advantage: Cyber Kill Chain®. Available online: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf (accessed on 27 January 2024).
- Pirry, C.; Marco-Gisbert, H.; Begg, C. A Review of Memory Errors Exploitation in x86-64. Computers 2020, 9, 48. [Google Scholar] [CrossRef]
- Alabdan, R. Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, 12, 168. [Google Scholar] [CrossRef]
- Oz, H.; Aris, A.; Levi, A.; Uluagac, A.S. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Comput. Surv. 2022, 54, 238. [Google Scholar] [CrossRef]
- Yamany, B.; Elsayed, M.S.; Jurcut, A.D.; Abdelbaki, N.; Azer, M.A. A Holistic Approach to Ransomware Classification: Leveraging Static and Dynamic Analysis with Visualization. Information 2024, 15, 46. [Google Scholar] [CrossRef]
- Saghezchi, F.B.; Mantas, G.; Violas, M.A.; de Oliveira Duarte, A.M.; Rodriguez, J. Machine Learning for DDoS Attack Detection in Industry 4.0 CPPSs. Electronics 2022, 11, 602. [Google Scholar] [CrossRef]
- Morsy, S.M.; Nashat, D. D-ARP: An Efficient Scheme to Detect and Prevent ARP Spoofing. IEEE Access 2022, 10, 49142–49153. [Google Scholar] [CrossRef]
- Събев, П.; Petrov, M. Android Password Managers and Vault Applications: Data Storage Security Issues Identification. J. Inf. Secur. Appl. 2022, 67, 103152. [Google Scholar] [CrossRef]
- Gudipati, V.K.; Vetwal, A.; Kumar, V.; Adeniyi, A.; Abuzneid, A. Detection of Trojan Horses by the analysis of system behavior and data packets. In Proceedings of the 2015 Long Island Systems, Applications and Technology, Farmingdale, NY, USA, 1 May 2015; pp. 1–4. [Google Scholar] [CrossRef]
- Chen, N.; Chen, B. Defending against OS-Level Malware in Mobile Devices via Real-Time Malware Detection and Storage Restoration. J. Cybersecur. Priv. 2022, 2, 311–328. [Google Scholar] [CrossRef]
- Djenna, A.; Bouridane, A.; Rubab, S.; Marou, I.M. Artificial Intelligence-Based Malware Detection, Analysis, and Mitigation. Symmetry 2023, 15, 677. [Google Scholar] [CrossRef]
- Vander–Pallen, M.A.; Addai, P.; Isteefanos, S.; Mohd, T.K. Survey on Types of Cyber Attacks on Operating System Vulnerabilities since 2018 onwards. In Proceedings of the 2022 IEEE World AI IoT Congress (AIIoT), Seattle, WA, USA, 6–9 June 2022; pp. 01–07. [Google Scholar] [CrossRef]
- Syeda, D.Z.; Asghar, M.N. Dynamic Malware Classification and API Categorisation of Windows Portable Executable Files Using Machine Learning. Appl. Sci. 2024, 14, 1015. [Google Scholar] [CrossRef]
- U.S. Cybersecurity and Infrastructure Security Agency (CISA). Protecting Your Home Computer from Spyware, U.S. Cybersecurity and Infrastructure Security Agency (CISA). 2005. Available online: https://www.cisa.gov/sites/default/files/publications/spywarehome_0905.pdf (accessed on 27 January 2024).
- Vasani, V.; Bairwa, A.K.; Joshi, S.; Pljonkin, A.; Kaur, M.; Amoon, M. Comprehensive Analysis of Advanced Techniques and Vital Tools for Detecting Malware Intrusion. Electronics 2023, 12, 4299. [Google Scholar] [CrossRef]
- Kumar, S.S.; Valavan, A.P.; Prathiksha, V. Prevention of Kernel Rootkit in Cloud Computing. In Proceedings of the 2023 7th International Conference on Intelligent Computing and Control Systems (ICICCS), Madurai, India, 17–19 May 2023; pp. 732–739. [Google Scholar] [CrossRef]
- Thanh Vu, S.N.; Stege, M.; El-Habr, P.I.; Bang, J.; Dragoni, N. A Survey on Botnets: Incentives, Evolution, Detection and Current Trends. Future Internet 2021, 13, 198. [Google Scholar] [CrossRef]
- Molitor, D.; Raghupathi, W.; Saharia, A.; Raghupathi, V. Exploring Key Issues in Cybersecurity Data Breaches: Analyzing Data Breach Litigation with ML-Based Text Analytics. Information 2023, 14, 600. [Google Scholar] [CrossRef]
- Alshamrani, A.; Myneni, S.; Chowdhary, A.; Huang, D. A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities. IEEE Commun. Surv. Tutor. 2019, 21, 1851–1877. [Google Scholar] [CrossRef]
- OWASP Foundation. SQL Injection Prevention Cheat Sheet. Available online: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html (accessed on 27 January 2024).
- Fan, L.; Zhang, B.; Xiong, S.; Li, Q. Secure Change Control for Supply Chain Systems via Dynamic Event Triggered Using Reinforcement Learning under DoS Attacks. Electronics 2024, 13, 1136. [Google Scholar] [CrossRef]
- S. M. Christey. Chapter 11: Preventing Common Problems. Available online: https://www.cgisecurity.com/owasp/html/ch11s04.html (accessed on 17 July 2024).
- Lee, I. Analysis of Insider Threats in the Healthcare Industry: A Text Mining Approach. Information 2022, 13, 404. [Google Scholar] [CrossRef]
- Chang, X.; Peng, L.; Zhang, S. Allocation of Eavesdropping Attacks for Multi-System Remote State Estimation. Sensors 2024, 24, 850. [Google Scholar] [CrossRef]
- Alharbi, J.A.; Albesher, A.S.; Wahsheh, H.A. An Empirical Analysis of E-Governments’ Cookie Interfaces in 50 Countries. Sustainability 2023, 15, 1231. [Google Scholar] [CrossRef]
- Airehrour, D.; Vasudevan Nair, N.; Madanian, S. Social Engineering Attacks and Countermeasures in the New Zealand Banking System: Advancing a User-Reflective Mitigation Model. Information 2018, 9, 110. [Google Scholar] [CrossRef]
Seq. | System Guidelines | Conventional Systems | PECSV | BMC Systems | PRCSV |
---|---|---|---|---|---|
1 | System Approach | Evolutionary | | Revolutionary | |
2 | Open/Closed | Open | Conventional Guideline 2 | Closed | BMC Guideline 2 |
3 | Global Focus | Yes | | Local Focus | |
4 | Global Users | Yes | [1,2] | Local Users | |
5 | Equal Access | Yes | | Restricted | BMC Guideline 5 |
6 | Free Learning | Yes | [57] | Restricted | BMC Guideline 6 |
7 | Free Internet | Yes | | Bare Internet | BMC Guideline 7 |
8 | Layered Systems | Yes | [58] | No | BMC Guideline 8 |
9 | Heterogeneity | Yes | [59] | No | BMC Guideline 9 |
10 | User/Developer Convenience | Yes | [37] | Not Top Priority | BMC Guideline 10 |
11 | Training | Yes | | Yes | BMC Guideline 11 |
12 | Software Installation Online | Yes | [60] | No | BMC Guideline 12 |
13 | Wi-Fi | Yes | [61,62] | Not Supported Yet | BMC Guideline 13 |
14 | Scripts and Batch Files | Yes | [63] | No | BMC Guideline 14 |
15 | Attachments and Links | Yes | [64,65] | No | BMC Guideline 15 |
16 | Social Media | Yes | [66,67] | No | BMC Guideline 16 |
17 | Advertisements | Yes | [68,69] | No | BMC Guideline 17 |
18 | Unsolicited Websites | Yes | [70,71] | No | BMC Guideline 18 |
19 | Automated Tools | Yes | [72,73] | Restricted | BMC Guideline 19 |
20 | Cookies | Yes | [74] | No | BMC Guideline 20 |

Seq. | System Characteristics | Conventional Systems | PECSV | BMC Systems | PRCSV |
---|---|---|---|---|---|
1 | OS/Kernel/Embedded | Yes | [75] | No | BMC Characteristic 1 |
2 | Applications | Environment-centric | | Domain-specific | BMC Characteristic 2 |
3 | Programming Languages | Many | | ASM/C/C++ | BMC Characteristic 3 |
4 | Executable | Format varies depending on OS | | Single monolithic executable | BMC Characteristic 4 |
5 | Linking | Dynamic (DLLs) | [76] | Static (No DLLs) | BMC Characteristic 5 |
6 | Loading | Dynamic | | Static | BMC Characteristic 6 |
7 | Multi-tasking | Yes | | Yes (Only within a domain-specific application) | BMC Characteristic 7 |
8 | System Calls/API | Yes | [77] | No (Direct Hardware Interfaces) | BMC Characteristic 8 |
9 | Sockets | Yes | [78] | No | BMC Characteristic 9 |
10 | Open Ports | Yes | [79] | No | BMC Characteristic 10 |
11 | During execution | A given application, OS, and other applications | | Only a given domain-specific application suite | BMC Characteristic 11 |
12 | Event/Interrupt driven | Both | | Event-driven | BMC Characteristic 12 |
13 | Shared memory/Message Passing | Both | | Shared Memory (Single Address Space) | BMC Characteristic 13 |
14 | Concurrency control | Semaphores and other | | Uses circular lists as buffers, avoids concurrency controls | BMC Characteristic 14 |
15 | I/O | Interrupt driven | [80] | Direct Hardware Interfaces | BMC Characteristic 15 |
16 | Third-Party Software | Yes | [81,82] | No | BMC Characteristic 16 |
17 | Network interfaces | Many interactions during the session between a client and a server | [83,84] | Only a few interactions (Short data sessions) | BMC Characteristic 17 |
18 | Communication on the Internet | Global Internet | [85] | Bare Internet | BMC Characteristic 18 |
19 | Downloads on the Internet | Yes | [86,87,88,89] | No | BMC Characteristic 19 |
20 | IoTs | Small OS, Embedded Nodes | [90] | Must be bare nodes | BMC Characteristic 20 |
21 | Computing Device | Valuable Resources (Storage, OS, Other) | Obvious | No valuable resources (Bare) | BMC Characteristic 21 |
22 | Application-program Control | No, OS controls it | | Yes, Domain-specific application suite controls the control flow as designed | BMC Characteristic 22 |
23 | Users | Global, All | [2] | Only Bare Users, Authorized | BMC Characteristic 23 |
24 | Messages | May not have valid authentication | [2] | Each message contains encrypted bare user authentication | BMC Characteristic 24 |
25 | User-Secured USBs | N/A | | Uses two USBs, boots, and an encrypted application suite | BMC Characteristic 25 |
26 | BIOS/Firmware | Not bundled with OS | [91] | Bundled with the domain-specific application suite | BMC Characteristic 26 |
27 | Protocols | Layered protocols | [92] | Integrated with the application suite | BMC Characteristic 27 |
28 | Passwords | Password files part of OS structures | [13,93] | No password files (authentication stored in program structures) | BMC Characteristic 28 |

Seq. | Conventional Root Cause | Applicability to BMC / BMC Preventive Mechanism | Reference |
---|---|---|---|
1 | Allowing attackers to flood requests | NO: uses stateless server and lean UDP protocol | [56] |
2 | Allowing script files in emails | NO: script files are not allowed in emails | Section 3.5.1 Item #14 |
3 | Attacker accessing API | NO: Direct Hardware API (HAPI) is not available externally (NO OS) | Section 3.5.2 Item #8 |
4 | Attacker accessing password files | NO: A single bare machine at a time is used by a single user; no passwords are stored in the bare machine. | Section 3.5.2 Item #28 |
5 | Attacker accessing private files from a URL link | YES: Uses URL encoding and limits access permissions, as conventional systems do. | Table 4 Items #51, #86 |
6 | Attacker accessing system calls | NO: No system calls are available externally; only HAPI is used by applications | Section 3.5.2 Item #8 |
7 | Attackers intruding into machines | NO: A machine is bare; while running one user, another user cannot run an application | Section 3.5.2 Item #2 |
8 | Attacker is able to modify the number of password entry limits | NO: Not Applicable | Section 3.5.2 Item #28 |
9 | An attacker using auto-run in script files | NO: script files are not allowed | Section 3.5.1 Item #14 |
10 | Attacker using batch files | NO: A batch file is not allowed; only bare applications run | Section 3.5.1 Item #14 |
11 | Attacker using cookies | NO: Cookies are not allowed | Section 3.5.1 Item #20 |
12 | Attacker using public Wi-Fi access point | NO: Wireless is not allowed at this point. | Section 3.5.1 Item #13 |
13 | Attacker using Website phishing | NO: (1) In emails, website links are not allowed. (2) Only bare-to-bare users communicate on the bare Internet. Although applicable, it is prevented in both of the above cases. | Section 3.5.1 Item #18 |
14 | DBMS bypassing OS | NO: Not possible (No OS) | Section 3.5.2 Item #1 |
15 | Email addresses are easily obtained | NO: Issuing of email addresses for bare users is restricted and physically controlled by a bare email administrator. | Section 3.5.2 Item #23 |
16 | Enabling Adware to use Browser Apps | NO: No advertisements are allowed. | Section 3.5.1 Item #17 |
17 | Freely available educational resources on cybersecurity vulnerabilities and attack techniques. | NO: no free education. One of the main reasons for the speed of cyberattacks is that attack techniques can be learned freely and quickly on the Internet. | Section 3.5.1 Item #6 |
18 | Freely available online automation tools | NO: A closed system, no freely available automation tools. | Section 3.5.1 Item #19 |
19 | Allowing attackers to use a legitimate machine and infect | NO: All legitimate machines are bare; nothing to infect them. | Section 3.5.2 Item #21 |
20 | Hardware vulnerabilities | NO: Cannot get to hardware, as HAPI is not available outside running applications. As the machine is bare, physical attacks can only damage the machine. | Section 3.5.2 Item #21 |
21 | Including attachments in emails | NO: Attachments are not allowed. | Section 3.5.1 Item #15 |
22 | Lack of bounds checking in functions | NO: All string functions are strictly enforced for bound checking. | Table 4 Item #16 |
23 | Lack of data validation by programmers | YES: No exposure of attacks; all data entered by users is checked for valid data and data types. Strict data checking is conducted at a programming level. All bare code is developed as one homogeneous entity; there is no third-party software, no external models. | Table 4 Item #47 |
24 | Lack of physical security | YES: Physical security is required when a user is running an application suite on a bare machine (this is a mandatory requirement in the BMC paradigm). Otherwise, there is no need for physical security because the machine is bare. | Section 3.5.2 Item #21 |
25 | Malicious insiders | YES: All insiders must be properly authorized and trusted; otherwise, there is no security for any system. | Section 3.5.2 Item #23 |
26 | Marketing tools and techniques online | NO: Marketing tools and techniques are not online. | Section 3.5.1 Item #17 |
27 | Not validating and authenticating user entered data | YES: User entered data must be validated and authenticated. | Table 4 Item #47 |
28 | Open ports | NO: There are no open ports. | Section 3.5.2 Item #10 |
29 | Open-source automation tools | NO: There are no open-source automation tools. | Section 3.5.1 Item #19 |
30 | Open-source code | NO: Not allowed. | Section 3.5.1 Item #2 |
31 | Open-source OSs | NO: No OS. | Section 3.5.2 Item #1 |
32 | Open Wi-Fi access at public places | NO: Wi-Fi is not allowed at this point. | Section 3.5.1 Item #13 |
33 | OS vulnerabilities | NO: No OS. | Section 3.5.2 Item #1 |
34 | Protocol vulnerabilities in ARP, DHCP, DNS, ICMP, and IP | NO: We limit our protocols to Ethernet and IP. The other protocols are not available outside the application running on the machine. Furthermore, there are no protocol layers. These protocols are implemented within the bare application. The attacker does not have the path to invoke these protocols. Although IP spoofing can be conducted, the attacker does not have bare user authentication. Bare user authentication is used in every packet, encrypted and validated for each message transmission. | Section 3.5.2 Item #27 |
35 | Providing backdoors in software and hardware | NO: Do not allow any backdoors. | Section 3.5.1 Item #2 |
36 | Receiving messages from unauthenticated users | NO: Only communicates with authenticated users. | Section 3.5.2 Item #23 |
37 | Running downloaded code automatically | NO: There is no code downloading, and there is no dynamic linking or loading to run code. The bare code is statically compiled. | Section 3.5.2 Item #5, #6 |
38 | Secure socket layer provided by OS | NO: No socket concept. | Section 3.5.2 Item #9 |
39 | Software vulnerabilities | YES: Buffer overflow was discussed in items 22 and 23. There could be programming errors; however, the intruder has no access to modify the code or to exploit it by injecting new code, due to static binding. There are no deserialization issues, as the intruder has no access to the control flow of the application. Overall, software vulnerabilities cannot cause harm, as the application code is statically bound. | Section 3.5.2 Item #5, #6 |
40 | Strong security policies not applying to private data | YES: Only if the attacker is an insider. | |
41 | System privileges given to DBMS | NO: No OS. DBMS is part of an application suite. | Section 3.5.2 Item #1 |
42 | There is no proper authentication measure to validate users | NO: All users are properly authorized and authenticated. | Section 3.5.2 Item #23 |
43 | User accessing fake websites | NO: Not applicable (Only access legitimate and authenticated bare websites) | Section 3.5.1 Item #18 |
44 | User clicking an unsolicited link | NO: No downloads in emails; no website links in emails (only access legitimate and authenticated bare websites using the Bare Internet) | Section 3.5.2 Item #19 |
45 | User downloading a file from an unidentified website | NO: No online downloading (only access legitimate and authenticated bare websites using the Bare Internet) | Section 3.5.2 Item #19 |
46 | User downloading an unsolicited file | NO: No online downloading (only access legitimate and authenticated bare websites using the Bare Internet) | Section 3.5.1 Item #18 |
47 | User downloading email attachments | NO: No attachments in emails. | Section 3.5.1 Item #15 |
48 | User downloading software | NO: No online downloading for software (Use CDs/USBs from authenticated bare application providers) | Section 3.5.2 Item #19 |
49 | User installing software online | NO: No installation software online. | Section 3.5.1 Item #12 |
50 | User mistakes or negligence | YES: All bare users must be properly trained to handle sensitive data. | Section 3.5.1 Item #11 |
51 | User using an infected USB | NO: Dual USBs (one for booting and second for application). Both USBs must be physically secure. | Section 3.5.2 Item #25 |
52 | User using infected firmware | NO: Bundled with a domain-specific application suite | Section 3.5.2 Item #26 |
53 | Firmware vulnerabilities | NO: Bundled with a domain-specific application suite | Section 3.5.2 Item #26 |
Seq. | Conventional Preventive Mechanisms | Applicability to BMC |
---|---|---|
1 | Access Control Lists (ACL) | YES |
2 | AI and automation tools | YES |
3 | Analyzing security breaches | YES |
4 | Anti-Virus software | NO: No OS. |
5 | Artificial neural networks | YES |
6 | Avoid opening suspicious emails | YES |
7 | Avoid using user input directly | YES |
8 | Avoiding phishing | YES |
9 | Beware of urgency | NO: Not applicable |
10 | Blacklist-Based | NO: Not applicable, not needed since only communicates with trusted bare users. |
11 | Blocking high-risk applications | NO: only runs intended domain-specific application suite |
12 | Blocking known malware servers | NO: No OS; malware cannot be downloaded and it cannot communicate with domain-specific application suite. |
13 | Change file extensions randomly | NO: Not applicable. Attackers do not have access to the file Hardware API (HAPI). |
14 | Change password frequently | YES |
15 | Changing DBMS accounts to something else | NO: Not applicable. No OS, database application is part of bare domain-specific application suite. |
16 | Check bounds on string functions | YES. Uses only functions with bounds checking. |
17 | Check Website URLs | YES |
18 | Consistent trainings and reviews | YES |
19 | Controlling database permissions | YES |
20 | Controlling external media | YES |
21 | Cryptography | YES |
22 | Delete web browser caches and cookies | NO: Not applicable. Cookies are not allowed. |
23 | Detection of ARP Spoofing | YES |
24 | Detection of DNS Spoofing | YES |
25 | Disable backdoor | YES |
26 | Do not click on malicious links | YES |
27 | Do not download malicious software | NO: Not applicable. Downloads are not allowed. |
28 | Do not enable cookies and disable options in browser settings | NO: cookies are not allowed. |
29 | Do not write down passwords | YES |
30 | Download software from verified publishers | NO: Not applicable. |
31 | Email filtering | YES |
32 | Enable two-factor authentication | NO: Not applicable. |
33 | Enforce and manage strong passwords | YES |
34 | Firewalls | NO: No OS. |
35 | Flow statistics | YES |
36 | Identify all potential insider threats | YES |
37 | Identify all third-party data leaks | YES |
38 | Identify and protect vulnerable resources | YES |
39 | Identity and access management (IAM), such as strong passwords | YES |
40 | Implement a Zero Trust Architecture (ZTA) | NO: By default, the BMC system is built based on the Zero Trust concept. |
41 | Implement Honey tokens | NO: No OS. |
42 | Implement proper access management | YES |
43 | Implement strict shadow IT rules | NO: Not applicable. |
44 | Implementing NAC (Network Access Control) | YES |
45 | Incident Response Plan (IRP) | NO: Not applicable. |
46 | Information entropy | YES |
47 | Input validation | YES: Checks for data type and size. |
48 | IP Spoofing Defense | YES |
49 | Keep operating systems up to date | NO: Not applicable since there is no OS. |
50 | Layered defense for a strong security posture | YES |
51 | Limit access permissions | YES |
52 | Limit the number of attempts to enter the correct password | YES |
53 | Machine Learning-Based Method | YES |
54 | Managing endpoint security | YES |
55 | Minimize access to sensitive data | YES |
56 | Minimizing the privileges that are given to all database accounts | NO: Not applicable; no OS, database application is part of bare domain-specific application suite. |
57 | Monitor activity | YES |
58 | Monitor vendor networks for vulnerabilities | YES |
59 | Network and host hardening | YES |
60 | No same password for all accounts | YES |
61 | Penetration testing | YES: Applicable to applications only, as there is no OS |
62 | Perform static code analysis | YES |
63 | Plan ahead of security attacks | YES |
64 | Prohibiting DBA or Admin access to applications | NO: Not applicable |
65 | Protect code segment | YES |
66 | Protecting valuable data | YES |
67 | Ransomware Detection Techniques | NO: Not applicable; no OS. |
68 | Rate Limiting | YES |
69 | Regularly backup digital records | YES |
70 | Report suspicious activity | YES |
71 | Reset web browser settings | NO: Not applicable |
72 | Rootkit scanners | NO: Not applicable; no OS. |
73 | Scan URLs | YES |
74 | Scanning code for SQLI vulnerabilities | YES |
75 | Scanning system and USBs | YES |
76 | Scrutinize website design | YES |
77 | Secure Privileged Access Management | NO: No OS. All user accesses are part of domain-specific suite. |
78 | Send regular third-party risk assessments | NO: No third-party software allowed. |
79 | Spyware algorithm detection | NO: This algorithm is part of a domain-specific application. |
80 | SSL/TLS Solutions | NO: No sockets. TLS is part of a domain-specific application. |
81 | Statistical analysis | YES |
82 | Take password protection seriously | YES |
83 | TCP Proxies | NO: Proxies are not allowed. |
84 | TPM (Trusted Platform Module) | NO: The BIOS is bundled with application suites. |
85 | Uninstall adware | NO: Not applicable. Adware is not allowed. |
86 | URL encoding | YES |
87 | Use Honeypot | NO: Not applicable; no OS. |
88 | Use the latest OS, Programming languages, and Compilers | NO: Not applicable; no OS. Need to use the latest programming languages and compilers. |
89 | Use offensive security measures | YES |
90 | Use Password-less authentication | YES |
91 | Use password manager | NO: Not applicable; no OS. |
92 | Use user behavior analytics for accessing private data | YES |
93 | Using an ORM Framework | NO: Not applicable |
94 | Using Bot Manager | NO: No OS |
95 | Using IDS and IPS | NO: No OS |
96 | Using Prepared Statements | YES |
97 | Using properly constructed stored procedures | YES |
| # | Type of Attack | Root Cause | BMC (Guidelines, Characteristics, and Preventive Mechanisms) | Prevents Root Cause (Yes/No) | Prevents Attack (Yes/No) |
|---|---|---|---|---|---|
| 1 | Buffer Overflow | | Uses only functions with bounds checking. Table 4, Item 16 | Yes | Yes |
| | | | Checks for data type and size. Table 4, Item 47 | Yes | |
| 2 | Phishing | | No Attachments and Links in emails. BMC Guidelines (15) | Yes | Yes |
| | | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| | | | Each message contains encrypted bare user authentication, which is given in person. BMC Characteristics (24) | Yes | |
| | | | Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23) | Yes | |
| | | | No Attachments and Links in emails. BMC Guidelines (15) | Yes | |
| | | | Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23) | | |
| 3 | Ransomware | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8) | Yes | |
| | | | A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. BMC Characteristics (21) | Yes | |
| | | | Education and Knowledge: Restricted to authorized bare users. BMC Guidelines (6) | Yes | |
| 4 | DoS & DDoS | | A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. BMC Characteristics (21) | Yes | Yes |
| | | | Rate Limiting. Table 4, Item 68 | Yes | |
| | | | Free Education is not allowed. BMC Guidelines (6) | Yes | |
| 5 | MitM | | Currently Wi-Fi is not supported. BMC Guidelines (13) | Yes | Yes |
| | | | No sockets exist in the BMC paradigm as there is no OS. BMC Characteristics (1 and 9) | Yes | |
| | | | Network Interfaces and Protocol Vulnerabilities. BMC Characteristics (17 and 27) | Yes | |
| | | | Automated tools are designed to work with only bare computing devices and applications. BMC System Guidelines (19) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | Only bare users can communicate with each other. All bare users must be physically authorized and authenticated. BMC Characteristics (23) | Yes | |
| | | | Education and Knowledge: Restricted to authorized bare users. BMC Guidelines (6) | Yes | |
| 6 | Password | | No operating system. BMC Characteristics (1) | Yes | Yes |
| | | | No password files are stored in bare machines. BMC Characteristics (28) | Yes | |
| | | | There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8) | Yes | |
| 7 | Trojan Horse | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | There are no system calls or APIs available to the outside world (outside an application suite). BMC Characteristics (8) | Yes | |
| | | | Script files are not allowed. BMC Guidelines (14) | Yes | |
| 8 | Viruses | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Scripts and batch files are not allowed. BMC Guidelines (14) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| 9 | Worms | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | No Attachments and Links in emails. BMC Guidelines (15) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Script and batch files are not allowed. BMC Guidelines (14) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| 10 | Spyware | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | No Attachments and Links in emails. BMC Guidelines (15) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Script and batch files are not allowed. BMC Guidelines (14) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| 11 | Adware | | No downloads are allowed. BMC Characteristics (19) | Yes | Yes |
| | | | No Attachments and Links in emails. BMC Guidelines (15) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | Advertisements are not allowed. BMC Guidelines (17) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | Cookies are not allowed. BMC Guidelines (20) | Yes | |
| 12 | Rootkits | | Online installation is not allowed. BMC Guidelines (12) | Yes | |
| | | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Bundled with the domain-specific application suite. BMC Characteristics (26) | Yes | |
| | | | Education and Knowledge: Restricted to authorized bare users. BMC Guidelines (6) | Yes | |
| 13 | Botnets | | Yes; however, these software vulnerabilities cannot be exploited by the attacker, as the domain-specific application suite is statically bound. BMC Characteristics (2 and 5) | Yes | Yes |
| | | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | There are no open ports in BMC applications. BMC Characteristics (10) | Yes | |
| 14 | Data Breaches | | Yes: BMC Guidelines (11). Table 4, Item 18 | No | No, these threats are related to physical security abuse. |
| | | | Yes, all insiders must be properly authorized and trusted. Otherwise, there is no security for any system. BMC Characteristics (23) | No | |
| | | | Yes: Physical security is required when a user is running an application suite on a bare machine (this is a mandatory requirement in the BMC paradigm). Otherwise, there is no need for physical security because the machine is bare. BMC Characteristics (21) | No | |
| | | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| 15 | Advanced Persistent Threats | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | Education and Knowledge: Restricted to authorized bare users. BMC Guidelines (6) | Yes | |
| 16 | SQL Injection | | No operating system. BMC Characteristics (1) | Yes | Yes |
| | | | The DBMS is part of the domain-specific application suite. BMC Characteristics (2) | Yes | |
| | | | Each message contains encrypted bare user authentication, which is given in person. BMC Characteristics (24) | Yes | |
| 17 | Supply Chain | | There are no hardware backdoors, as the devices are bare and physically secured. There are no software backdoors, as the domain-specific application suite can only perform intended functions. BMC Guidelines (2) and BMC Characteristics (2) | Yes | Yes |
| | | | No operating system. BMC Characteristics (1) | Yes | |
| | | | It is a closed system. BMC Guidelines (2) | Yes | |
| | | | No downloads are allowed. BMC Characteristics (19) | Yes | |
| | | | Dual USBs (one for booting and a second for application). Both USBs must be physically secure. BMC Characteristics (25) | Yes | |
| | | | Only access to authenticated bare websites. BMC Guidelines (18) | Yes | |
| 18 | URL Interpretation | | Uses URL encoding and limited access permissions. Table 4, Items 51, 86 | Yes | Yes |
| 19 | Insider Threats | | Yes, if the attacker is an insider. | No | No |
| | | | Yes: BMC Guidelines (11). Table 4, Item 18 | No | |
| | | | Education and Knowledge: Restricted to authorized bare users. BMC Guidelines (6) | Yes | |
| 20 | Eavesdropping | | Automated tools are designed to work with only bare computing devices and applications. BMC System Guidelines (19) | Yes | Yes |
| | | | Currently Wi-Fi is not supported. BMC Guidelines (13) | Yes | |
| 21 | Cookies | | Advertisements are not allowed. BMC Guidelines (17) | Yes | Yes |
| | | | A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. When one application suite is running, another one cannot run, thus there is no intrusion from other applications. BMC Characteristics (21) | Yes | |
| 22 | Social Engineering | | Advertisements are not allowed. BMC Guidelines (17) | Yes | Yes |
| | | | A computing device (PC, Laptop, Smartphone, Server, Client, etc.) is bare. When one application suite is running, another one cannot run, thus there is no intrusion from other applications. BMC Characteristics (21) | Yes | |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Alotaibi, F.; Karne, R.K.; Wijesinha, A.L.; Soundararajan, N.; Rangi, A. An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks. J. Cybersecur. Priv. 2024, 4, 678-730. https://doi.org/10.3390/jcp4030033