In <[EMAIL PROTECTED]>, on 01/24/2007
   at 12:35 PM, "(IBM Mainframe Discussion List)" <[EMAIL PROTECTED]>
said:

>Another reason not to write your own SVC routine is that some form of
>validity checking must be done by the SVC routine to ensure that all
>parameters passed to it are valid, including information about who
>invoked it, from where, and in what environment.

That's a poor reason. Magic numbers for PC routines are just as much
of a security issue as magic numbers for SVC routines. The routine
should rely on the caller for information about what function is
desired, but *not* for information on what authorization the caller
has. Mechanisms such as APF and SAF should be used for the latter.

>Parameter validation is still necessary with PC, but it is harder
>now for hackers to find the executable code that they can then
>disassemble.

Security by obscurity is an "own me" sign on your back.
 
-- 
     Shmuel (Seymour J.) Metz, SysProg and JOAT
     ISO position; see <http://patriot.net/~shmuel/resume/brief.html> 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
