On Sat, 23 Jun 2007 14:13:13 +0200, R.S. <[EMAIL PROTECTED]> wrote:
>BTW: My understanding of 'SVC risk' vs 'APF risk'
>- both can do dangerous things.
>- SVC can be invoked by a non-authorized program and then could provide a
>'wide-open' security hole. Open to everyone who knows how to invoke it.
>No additional privilege is checked.
>- APF code invoked directly (PGM=apfmodule) could do anything, but the
>'anything' has to be coded inside the program.
>- APF programs, when doing something considered a security bypass (i.e.
>DSS DUMP ADMIN), usually check the authority of the caller, i.e.
>STGADMIN.ADR.STGADMIN.DUMP.xxx
I think the "SVC risk" is perceived as high because there are many evil ISV
SVCs whose main or only purpose in life is to return control in an
authorized state to an unauthorized caller. Exploiting these is just a
matter of figuring out the protocol; the function is *intended* to give back
control authorized. It is not a matter of a bug in the routine (except in
the sense that the whole design can be called a bug).
Maliciously exploiting an APF authorized program requires that there be a
bug (one hopes that almost all AC(1) modules are coded correctly), that the
bug be "drivable" by the malicious user (many holes are timing related or
otherwise depend on circumstances that are very difficult to set up), and
that the malicious user have access to the program in the first place, both
for analysis and execution.
By the way, I don't entirely agree with your comment:
>- APF code invoked directly (PGM=apfmodule) could do anything, but the
>'anything' has to be coded inside the program.
It is possible to exploit a buffer overflow in an authorized program to run
arbitrary code.
Trivial contrived example of a BAD authorized program:
<housekeeping>
         L     R1,0(,R1)            -> Parm string (halfword length + text)
         LH    R2,0(,R1)            Get parm length
         BCTR  R2,0                 EX supplies length-1 to the MVC
         EX    R2,MOVEPARMS         Copy without checking length :-(
MOVEPARMS MVC  PARMS(*-*),2(R1)     Target of the EX above
         CLC   PARMS,=C'OPTION99'
         BE    OPT99
         B     DEFAULT
PARMS    DS    CL8                  Our parms are all <= 8, so why waste space?
OPT99    DS    0H                   <do mainline processing - can be overlaid by malicious code>
<etc.>
So if you pass in a carefully constructed parm string you may be able to
execute it and have the program do what you like.
Tony H.
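As an added example (not from Tony's post): the same parm copy with the length check the post says is missing. The R1/R2 equates and the halfword-length-plus-text parm layout are assumed from the original; the label names and the BADPARM error path are assumptions.

```hlasm
* Added example, not code from the original post.  Assumes R1/R2 are
* equated in housekeeping and that R1 -> halfword length + parm text.
         L     R1,0(,R1)            -> Parm string (halfword len + text)
         LH    R2,0(,R1)            R2 = parm length (signed halfword)
         LTR   R2,R2                Zero (or negative garbage) length?
         BNP   DEFAULT              ..yes, nothing to copy: default path
         CH    R2,=H'8'             Longer than the 8-byte PARMS area?
         BH    BADPARM              ..yes, reject; never truncate silently
         MVC   PARMS,=CL8' '        Blank-fill so short parms compare cleanly
         BCTR  R2,0                 EX supplies length-1 to the MVC
         EX    R2,MOVEPARM          Copy at most 8 bytes into PARMS
         CLC   PARMS,=C'OPTION99'
         BE    OPT99
         B     DEFAULT
MOVEPARM MVC   PARMS(*-*),2(R1)     Target of the EX above
PARMS    DS    CL8                  Still 8 bytes, but now it cannot overflow
BADPARM  DS    0H                   <issue a message, set RC=8, return>
DEFAULT  DS    0H                   <default processing>
OPT99    DS    0H                   <mainline processing>
```

The zero-length test must come before the BCTR: executing the MVC with R2 = -1 would copy 256 bytes, which is the same overlay the post warns about.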
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html