-------------------------------<snip>--------------------------
Another reason not to write your own SVC routine is that some form of
validity checking must be done by the SVC routine to ensure that all
parameters passed to it are valid, including information about who
invoked it, from where, and in what environment.

That's a poor reason. Magic numbers for PC routines are just as much
of a security issue as magic numbers for SVC routines. The routine
should rely on the caller for information about what function is
desired, but *not* for information on what authorization the caller
has. Mechanisms such as APF and SAF should be used for the latter.

Parameter validation is still necessary with PC, but it is harder
now for hackers to find the executable code that they can then
disassemble.

Security by obscurity is an "own me" sign on your back.
------------------------------<unsnip>------------------------------
Agreed. And parameter checking is ALWAYS required, lest the code
unknowingly store information in wrong places, causing other types of
failures. Would be a seriously bad move to store results in the midst of
program code, be it z/OS or problem program code.
Obscurity just slows the hacking process; it never will stop a
determined hacker. And the only "nondisclosure" security that's
effective is with regard to passwords.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html