Siri, Secure My Operating System
While scrutinizing the Apple website the past couple of days eagerly awaiting the iPhone 5 (oops, 4S), we took a look at features of the updated operating system (iOS 5) due out this week. The iOS 5 underscores the growing functionality of smart phones via the integration of sophisticated applications with modern wireless and data networks in a cloud environment. We thought it would be worthwhile to reiterate the structure of current operating systems and program stacks used in web application development to highlight inherent vulnerability—certainly not limited to the iOS 5.
First, a quick primer on the “LAMP (software bundle) Stack Layers” pictured below:
LAMP Stack Layers
- This is a standard stack used for dynamic web application development applied to any industry vertical use case (e.g. financial services (trading systems), aerospace & defense (netted sensor architectures), SCADA (smart grid architectures))
- We show Linux as an operating system—Google and Microsoft are also prolific.
- Apache and IIS are examples of web servers. MySQL and PostgreSQL are examples of database management tools.
- PHP, Perl and Python are examples of scripting languages. PHP is considered for novice use and is the most inexpensive; Perl is used prolifically on web pages; while Python can handle system-level tasks and large volumes of code.
So, where’s the inherent vulnerability? Hackers spend their time, in essence, building a stack of exploits parallel to the web stack layers shown above to infiltrate, exfiltrate or impersonate the user. As such, vulnerability researchers focusing technology development on the following four areas are of most interest to us:
- The rate of patch issuance by operating system manufacturers is suggestive on its own.
- Applications, web servers, and database management tools are in large part open source and General Public License (i.e. free).
- Scripting languages are compilers (i.e. scanning, parsing, code generating) but they can also decompile (i.e. reverse engineering). As shown above, this layer bridges data management and applications.
- Degree of difficulty to automate attack or defense escalates as you move up the LAMP stack from the operating system layer.