On 23 April 2010 09:41, Sam Siegel <[email protected]> wrote:

> Now a question about TCB creation. After control is returned from the
> problem state program to the caller, it should be possible to see if it
> ATTACHed any new TCBs. If new TCBs were created, I could abend the entire
> process instead of flipping the JSCBAUTH bit back on. This would ensure
> that when the user exit returned to the caller, none of the problem state
> program code was running.
>
> If this was true, would it be acceptable to turn the JSCBAUTH bit back on?
The problem here, imho, is that you are going through the exposures one by one, fixing each one in your mind, and then moving on to think up the next one. Or someone else points it out to you. There is no defined end to this process.

If you are going to go through this kind of design, you need a taxonomy of exposures, and then you need to work through the classes and subclasses, turning off each one as you encounter it. At some point you will in theory be done, and then your system will be secure. Then you can write a very impressive paper for IEEE CS or ACM or the like. :-)

Well, IBM spent a great deal of time and intellectual effort on this, starting some time well before OS/VS2 2.0 (MVS) was released, and continuing to the present. (See the thread about SMP/E and secret integrity APARs.) The chance that you (and obviously I mean that pretty generically) will nail them all is remote.

Also, if instead of rolling your own integrity stuff, you rely on infrastructure from IBM that does so, then not only will they fix it if it is found to be broken, but many times more people will be testing and thinking about it, and exposures are more likely to be found and fixed.

Tony H.

