his theory of a formal mathematical model (for expressing computation as a system of functions and substitutions) to the academic world in the form of lambda calculus. physical device that implemented it was impossible to build. it wouldn't be until many years later, and through the research and theories of Princeton fellows John von neumann and alan Turing, that a device capable of digital computation would be built and pressed into service. now, just shy of a century later, we have advanced to the point where we can implement the principles of lambda calculus on stateful machines based on von neumann's architecture in the form of functional programming. What allows these two, fundamentally conflicting, models to work in harmony is layers of programmatic abstraction -- abstraction that has long reached the sophistication where we can run virtual machines on top of with the physical machine underneath. Without reasonable abstractions, programmers would still be writing in binary and any hope of manipulating the machine in a functional manner would remain, just like the theory of lambda calculus, nothing more than a thought exercise. the stacking of system upon system to build new platforms fundamentally clashes with one of the core principles of security- conscious programming: minimising the potential attack surface of the platform being developed. modern smartphone operating systems are an excellent example of where it could be prudent other. The often cited `modern computer in your pocket' analogy used to describe smartphones is not far off the mark. Android, as an example, features a complete GnU/linux implementation, including shell and traditional userland, that exist far below the `Dalvik' virtual machine and APIs typically utilised by Android application developers and core services. despite being very capable, it is arguable that a smartphone platform does not benefit from an operating system and userland designed for much larger systems. The best case scenario is the unused features are simply bloat, the worst case scenario is that they are used as a vehicle for exploitation. To give another example, prior to the BlackBerry 10 operating system and devices, the operating system that ran on BlackBerry phones was very tailored to the hardware, and to the planned functionality of the phone. The result, was a platform that was generally regarded as very secure, all while managing to retain a reasonable feature set. Unfortunately BlackBerry 10, now based on the QnX operating system, does not share its predecessors reputation for security; one of the first documented exploits (disclosed by SEC Consult) for BlackBerry 10 targeted the `find' command-line utility that came with the QnX platform. more conscious about building abstractions upon abstractions should play a bigger role in the secure development lifecycle process. if the answer to this question is yes, then it falls to each development team's discretion of what is, and what is not, an acceptable level of risk in regards to abstractions. To conclude, it becomes our task as security professionals, programmers, and computer scientists to start questioning the merit of layered abstractions in system design. although building on previously built foundations gives notions of stability and security, we have to be careful not to end up with a tower of blocks that is a mere tap away from collapsing. |