Chris, Thank you for your reply sir ... I concur w/your suggestions and no, I am not and will not do so.
That said, w/regard to TPROT, I've had a localized routine that I wrote before the hardware got involved. Again, thank you for your suggestions. Kind Regards. Jim Thomas -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Blaicher, Christopher Y. Sent: Saturday, November 30, 2013 3:53 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Un-authorized caller calling authorized services. There are a number of things you need to do to prevent an integrity exposure. At one point I saw a presentation by IBM on this, but right now I can't place my hands on it. If I do find it, I will post it. Here are the main points of it, as I remember them. - Don't ever read data from a caller's address space when you are not in the caller's key. As an SVC or PC your routine can be entered in key zero/supervisor state, I.E. you are a god and can do anything you want. - Don't EVER, EVER write data to a caller's address space when you are not in the caller's key. - You may have written the routine for your exclusive use, but don't assume/think/hope that no one else is going to find it. Someone will and then they will try to exploit it or use it for nefarious purposes. - TPROT data areas to be referenced. Let's assume the interface calls for R1 pointing to a two word parameter list. First of all, the words pointed to by R1 may be outside of his address space, so you want to verify their location is valid. Then the individual parms may or may not point to valid data in his address space. The original presentation went into about 10 different ways a nefarious user can try to get your valid routine to do something bad. Maybe Peter Relson has access to it and can post it. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jim Thomas Sent: Saturday, November 30, 2013 3:09 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Un-authorized caller calling authorized services. Forgive me, I have an authorized service that I've written but needs to be able to allow un-authorized callers to use. Could anybody please provide any direction on the best way to implement this ??. I've already looked at PC's (which might be fine) and having a server type address space (not something I want to do). I just want to use an acceptable API or venue of sorts. Lastly, a while back, I'd posted an email asking how to get a product SMP/E instable and while I never got any responses per se, I did get one offline email from someone that faced the same issues as I did. To that person, if you happen to read this, please re-contact me offline. I apologize but I lost your email but have some information for you. Kind Regards. Jim Thomas j...@thethomasresidence.us ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
