I'm sorry Tom. I did not intend my remarks to be
personal. I deeply regret that you feel hurt by
them. Please don't let my words deter you from
future contributions. Your thoughts generally are more valuable than most.
I just wanted to emphasize the APF Trojan horse
vulnerability. It is real, it is serious, yet for
decades everyone seems to want to pretend that it
does not exist... It mystifies me.
www.zassure.com is the closest thing I've seen
to an MVS anti-virus program. After seeing a
demo, I would have bought it, or recommended it
to a client. Check it out, you will be surprised, if not shocked.
Thank you for this. I will check it out.
[Regarding SAF] I do take issue with your last
sentence. SAF and an ESM have everything to do
with anti-virus protection, provided they are
configured to correctly protect APF-authorized resources.
Perhaps. However, all an APF authorized program
has to do is flip a bit or two in certain RACF
control blocks, and voilà! He's suddenly a
supervisory program and, as such, is given a pass
on all RACF calls... Alternatively, a malicious
APF program can simply dynamically front-end
certain supervisory programs, and again voilà!
(As I'm sure you know, APF programs can fairly
easily defeat all hardware storage protections.)
Yes, SAF is still called even for APF programs,
but an APF program can still subvert those calls.
I've never forgotten this [APF libraries].
That's why my APF-authorized libraries are
severely limited in scope, and audited for any and all updates.
Enforcing trust is a technical issue. RACF is
very good at that. Deciding who to trust is a
management issue. Even shops that allow only
trusted vendor software into APF authorized
libraries are implicitly trusting the hundreds or
even thousands of people involved in the development of that software.
Again, I go into more detail about this in my
prior post:
<https://bama.ua.edu/cgi-bin/wa?A2=ind0608&L=IBM-MAIN&P=R63457&I=-3&X=6EB01556E36E4D9CAC&Y=dbcole%40colesoft.com&d=No+Match%3BMatch%3BMatches>.
Again, please accept my apology, Tom. It was not
intended to be personal. I'm sorry it came out that way.
Dave Cole REPLY TO: dbc...@colesoft.com
ColeSoft Marketing WEB PAGE: http://www.colesoft.com
736 Fox Hollow Road VOICE: 540-456-8536
Afton, VA 22920 FAX: 540-456-6658
At 3/27/2012 02:21 PM, Pinnacle wrote:
Replies like this are why I seldom post to
IBM-Main anymore. The fact that it comes from
someone who I respect and consider a friend
hurts all the more. Bottom line is that I work
for a living, and I often don't have time to
respond in gory detail to everything posted. My
primary objective here was to stress that the
z/OS architecture is inherently hardened against
viruses. The fact that I did not go into
explicit protections for APF-authorized programs
appears to have been my fatal flaw, according to
Mr. Cole. Regardless of what comes back, this
will be my last post on the subject. My comments below.
Regards,
Tom Conley
On 3/27/2012 1:06 PM, David Cole wrote:
At 3/27/2012 11:19 AM, Pinnacle wrote:
There is a mainframe product that protects
against malicious software. It's called SAF,
and it interfaces with ESM's like RACF, or ACF2, or TopSecret.
"SAF" is not a product. It stands for "System
Access Facility" and it is nothing more than an
interface within z/OS into which a security
system (such as ACF2, TopSecret and any ryo
security system) can plug to receive and
respond to security calls. It really has
nothing to do with anti-virus protection.
SAF is not a product, you're right. Please
forgive my use of the term "product", I should
have said "feature". I do take issue with your
last sentence. SAF and an ESM have everything
to do with anti-virus protection, provided they
are configured to correctly protect APF-authorized resources.
It [z/OS] is the only operating system out
there with built-in anti-virus protection. On
top of that, the hardware itself actively
protects against damage through storage keys, protected memory, etc.
You have to explain to the auditors that
anti-virus software is not needed on z/OS,
because it's intrinsic to the operating system and the hardware.
I think you seriously misunderstand what a virus is...
Yes, z/OS has exceptional security (and
integrity and reliability) features for
protecting against non-authorized programs. But
I must emphasize... -->NON<--authorized programs!
When it comes to AUTHORIZED programs, z/OS's
integrity (which is what you are talking about
with "storage keys" and such) is very good, but
of course not bulletproof. Worse though, when
it comes to SECURITY, there are some real
problems! Because with the proper knowledge, it
is TRIVIALLY EASY FOR AN AUTHORIZED PROGRAM TO SUBVERT SECURITY COMPLETELY!
This is what mainframers constantly forget
regarding security. For authorized programs
there is no security. All that is necessary for
a malicious program to do is to Trojan-horse
its way (with the AC(1) attribute) into an
authorized library, and you're done for!
I've never forgotten this. That's why my
APF-authorized libraries are severely limited in
scope, and audited for any and all updates.
As far as I know there is no serious anti-virus
program for mainframes. I believe strongly that
there needs to be one, but I don't know of one.
And at this stage of the mainframe culture, I
would be seriously suspicious of the efficacy
of any program that claimed to be anti-virus. I
don't think that a serious mainframe anti-virus
program can exist unless and until IBM itself
makes a commitment to support an effort to make the mainframe anti-virus proof.
www.zassure.com is the closest thing I've seen
to an MVS anti-virus program. After seeing a
demo, I would have bought it, or recommended it
to a client. Check it out, you will be surprised, if not shocked.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
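
The thread's point that APF-authorized libraries should be limited in scope and audited for every update can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses captured output in the layout printed by the `D PROG,APF` operator command and compares it with an approved baseline. The sample output, the dataset names and the baseline are constructed for illustration.

```python
import re

# Constructed sample of D PROG,APF output; all values are made up.
SAMPLE_DISPLAY = """\
CSV450I 14.02.11 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  ZOSRES SYS1.LINKLIB
   2  ZOSRES SYS1.SVCLIB
   3  PRD001 VENDOR.PRODUCT.LOADLIB
   4  WORK07 USERA.TEST.LOAD
   5  *SMS*  VENDOR.TOOLS.LOADLIB
"""

# Hypothetical approved baseline as (dataset, volume) pairs. APF
# authorization applies to a dataset on a specific volume, so a known
# name on an unexpected volume is a finding of its own.
BASELINE = {
    ("SYS1.LINKLIB", "ZOSRES"),
    ("SYS1.SVCLIB", "ZOSRES"),
    ("VENDOR.PRODUCT.LOADLIB", "PRD001"),
    ("VENDOR.TOOLS.LOADLIB", "PRD002"),
    ("VENDOR.OLD.LOADLIB", "PRD001"),
}

# Entry lines: sequence number, volume (or *SMS*), dataset name.
ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+([A-Z0-9@#$.\-]+)\s*$")

def parse_apf_display(text):
    """Return the set of (dataset, volume) pairs in the display output."""
    return {(m.group(2), m.group(1))
            for line in text.splitlines() if (m := ENTRY.match(line))}

def audit_apf(current, baseline):
    """Compare the live APF list with the approved baseline."""
    approved_names = {dsn for dsn, _ in baseline}
    findings = []
    for dsn, vol in sorted(current - baseline):
        # Approved name but different volume: possibly a look-alike copy.
        kind = "VOLUME_MISMATCH" if dsn in approved_names else "UNAPPROVED"
        findings.append((kind, dsn, vol))
    for dsn, vol in sorted(baseline - current):
        # Approved entry no longer present: the baseline needs review.
        findings.append(("MISSING", dsn, vol))
    return findings

if __name__ == "__main__":
    for kind, dsn, vol in audit_apf(parse_apf_display(SAMPLE_DISPLAY), BASELINE):
        print(f"{kind:16} {dsn} ({vol})")
```

A list diff like this only catches changes to what is authorized; changes to the contents of an already-authorized library need the update auditing the thread describes.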