It is a piece of cake to share the memory safely. The problem is not satisfying 
the security requirement; the problem is satisfying all of the requirements 
concurrently.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Assembler List [ASSEMBLER-LIST@LISTSERV.UGA.EDU] on behalf 
of Gary Weinhold [weinh...@dkl.com]
Sent: Monday, December 6, 2021 9:26 PM
To: ASSEMBLER-LIST@LISTSERV.UGA.EDU
Subject: Re: Is it possible to update CSA from an unauthorized user-key program?

Assuming you could accomplish your objective, which appears to be
user-key (8 or 9) storage updatable by any process running on the LPAR,
it would appear that not only is the information stored there not
confidential, but its integrity is not important.  You have no
protection from any user-key program overlaying the storage with any
value it wishes, whether purposely or accidentally.  Even if you have a
plan to restrict access to obtaining the address of this shared storage,
accidental overlays could still occur, like buffer overruns.

a) In general, key 0 memory that is not fetch protected can be read by
any key 8 user
b) By definition, key 8 users cannot update key 0 memory.
c) Considering the restrictions, any value of key 0 to key 7 works for
the macro
d) That would break integrity rules.

One method for updating the storage is to encapsulate the update routine
in a PC or SVC, which includes a security check for whether the caller
is authorized to update the value and determines the location of the
memory itself (not trusting the caller to supply it).



On 2021-12-06 7:13 p.m., Wendell Lovewell wrote:
> Hello Listers,
>
> I'd like to be able to update a common storage area across all CICS and batch 
> regions.  I've looked at IARV64 REQUEST=GETCOMMON, but it seems that it 
> requires supervisor state and/or key 0-7.
>
> It seems that something like issuing a STORAGE macro similar to:
>
> STORAGE OBTAIN LENGTH=32768,SP=241,KEY=x,LOC=31,OWNER=SYSTEM
>
> ...from an authorized program would allocate the storage needed.   But I 
> don't know the rules for accessing it from "user-mode" (unauthorized, key 8) 
> programs like a CICS application.
>
> a) Given the address of the storage obtained like that, can any user-mode 
> program read that storage?
> b) Could a user-mode program update that storage?
> c) Should the KEY parameter be specified, and if so, what value should I use?
>  Afaik it has to be 0-7 since User-key CSA was outlawed.
> d) Am I correct that there isn't an IARV64 option that will allow a user-mode 
> program to update the storage?
>
> Thanks for your help!
>
> Wendell
>
> (Cross-posted to the CICS list.)


Gary Weinhold
Senior Application Architect
DATAKINETICS | Data Performance & Optimization
Phone:+1.613.523.5500 x216
Email: weinh...@dkl.com
Visit us online at http://www.DKL.com
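Added example, not part of the thread or of any poster's code: a Python toy model of the rules in answers a) and b) and of the update routine Gary describes, which checks the caller and locates the storage itself. It is not z/OS code; every name here (`Block`, `UpdateService`, the caller IDs) is hypothetical, and only the basic key-match and fetch-protection rules are modelled.

```python
from dataclasses import dataclass, field

class ProtectionException(Exception):
    """Stands in for the program check raised on a key mismatch."""

@dataclass
class Block:
    key: int                  # storage key of the block (0-15)
    fetch_protected: bool     # fetch-protection bit
    data: bytearray = field(default_factory=lambda: bytearray(16))

def may_fetch(psw_key: int, blk: Block) -> bool:
    # Key 0 matches every block; otherwise a mismatch only blocks
    # reads when the block is fetch protected.
    return psw_key == 0 or psw_key == blk.key or not blk.fetch_protected

def may_store(psw_key: int, blk: Block) -> bool:
    # Stores need PSW key 0 or an exact key match; the fetch bit is irrelevant.
    return psw_key == 0 or psw_key == blk.key

def store(psw_key: int, blk: Block, offset: int, value: bytes) -> None:
    if not may_store(psw_key, blk):
        raise ProtectionException(f"key {psw_key} store into key {blk.key} block")
    blk.data[offset:offset + len(value)] = value

class UpdateService:
    """Hypothetical stand-in for the PC or SVC routine: it runs in key 0,
    locates the shared block itself and checks the caller before updating."""

    def __init__(self, authorized_callers):
        self._blk = Block(key=0, fetch_protected=False)   # never supplied by a caller
        self._authorized = frozenset(authorized_callers)

    def read(self, psw_key: int) -> bytes:
        if not may_fetch(psw_key, self._blk):
            raise ProtectionException(f"key {psw_key} fetch refused")
        return bytes(self._blk.data)

    def update(self, caller_id: str, offset: int, value: bytes) -> bool:
        if caller_id not in self._authorized:
            return False                                   # security check failed
        if offset < 0 or offset + len(value) > len(self._blk.data):
            return False                                   # would overrun the block
        store(0, self._blk, offset, value)                 # done under the service's key
        return True
```

A key 8 caller can read the block directly but can change it only through `update`, which refuses unknown callers and writes that would run past the end of the block.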