[Info-vax] VMS Privileges Versus Linux Capabilities

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Tue Jun 21 11:20:07 EDT 2016


On 2016-06-21 12:29:17 +0000, RobertsonEricW said:

> On Thursday, June 16, 2016 at 8:06:43 PM UTC-4, Stephen Hoffman wrote:
> ...
>> SEVMS was the mandatory access control variant of OpenVMS: 
>> http://h71000.www7.hp.com/openvms/products/sevms/info.html
>> 
>> OpenVMS lacks sandboxes or jails or a BSD-style pledge() mechanism, 
>> among other constructs.
> 
> I did not get the impression that Security Enhanced VMS (SEVMS) was 
> supported by HP in recent years.

Hence "was".  SEVMS was retired (by DEC) prior to V7.  IIRC, V6.2 was 
the last release available.

> Which brings up the question: Does VSI support SEVMS or does it plan to 
> in the future?

Dunno.   The market for multi-level security wasn't and hasn't been a 
very large one in recent years, and the product evaluations often 
entailed in selling into that market were detailed, tedious and 
comparatively expensive undertakings.

The core of the mandatory access control bits underneath SEVMS is 
(still) latent in OpenVMS.   The layered product added management 
interfaces, tools and utilities.

The effort entailed in hauling what SEVMS provided forward would range 
from trivial, to — for the addition and integration of potential 
features such as better multi-level support, sandboxing and jails and 
app stacking and app separation, PCSI integration, mandatory access 
control documentation integration, and the rest that would increasingly 
be expected — non-trivial.

Adding support for environments akin to what Haven and Intel SGX target 
would definitely be a project.  That's well outside what SEVMS 
provided.  But I digress.

As implemented, nobody in their right mind would want to use SEVMS, or 
any other traditional mandatory access control system for that matter.  
Some folks — certainly of their right mind — do have to use mandatory 
access controls, because of their environment and the sorts of data 
they have stored on their servers.  Mandatory access control security 
is not easy to manage, nor to use.

Sandboxing and jails and app stacking also diverge somewhat from what 
traditional SEVMS-style mandatory access controls traditionally 
provide.  As implemented, the amount of separation provided by SEVMS 
and its categories and labels masks wouldn't be sufficient — there 
aren't enough of those implemented in the current design, and you'd 
need something akin to lib$get_ef to allocate what is available.  If 
that's how VSI chose to implement those features, as part of adding 
container-related support.  (Using UUIDs in place of bitmasks and such 
is more of a hassle for the designers and developers, but also avoids 
some big hassles around allocation and coordination.)

In more recent times and closer to the market that SEVMS targeted, 
OpenVMS with SEVMS isn't anywhere near what the seL4 evaluation process 
went through.  https://sel4.systems

There's a whole pile of infrastructure-level security work that OpenVMS 
would want or need before trying to sell on security, in any case.  And 
that's before getting to dusting off SEVMS and mandatory access 
controls.


-- 
Pure Personal Opinion | HoffmanLabs LLC 
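To make the allocation point above concrete, here is an added illustration (not code from the post, from OpenVMS, or from SEVMS): mandatory-access-control labels modelled as a (secrecy level, category set) pair, with categories handed out from a fixed-width bitmask the way a lib$get_ef-style allocator hands out event flags, beside a UUID-keyed variant that has no pool to exhaust. The dominance check is the textbook simple-security rule (subject level at least the object's, subject categories a superset of the object's); the mask width, category names and class names are constructed for the example and are not SEVMS's actual values or interfaces.

```python
import uuid


class CategoryPoolExhausted(Exception):
    """Raised when every bit in the fixed-width category mask is taken."""


class BitmaskCategories:
    """Categories drawn from a fixed pool of bits.

    Hypothetical stand-in for a lib$get_ef-style allocator: each named
    category costs one bit of a fixed-width mask, so only `width`
    distinct categories can ever exist system-wide.
    """

    def __init__(self, width=16):  # width is a constructed value, not SEVMS's
        self.width = width
        self._bits = {}

    def allocate(self, name):
        if name in self._bits:
            return self._bits[name]
        if len(self._bits) >= self.width:
            raise CategoryPoolExhausted(f"no free category bit for {name!r}")
        bit = 1 << len(self._bits)
        self._bits[name] = bit
        return bit

    def mask(self, names):
        m = 0
        for n in names:
            m |= self.allocate(n)
        return m


def dominates_mask(subject, obj):
    """Simple-security rule over (level, category_mask) labels: the subject
    may read the object only if its level is at least the object's and its
    category mask covers every category bit set on the object."""
    s_level, s_cats = subject
    o_level, o_cats = obj
    return s_level >= o_level and (s_cats & o_cats) == o_cats


class UuidCategories:
    """Categories keyed by UUID: no fixed pool, no global bit coordination."""

    def __init__(self):
        self._ids = {}

    def allocate(self, name):
        return self._ids.setdefault(name, uuid.uuid4())

    def label(self, names):
        return frozenset(self.allocate(n) for n in names)


def dominates_set(subject, obj):
    """Same rule as dominates_mask, with categories as sets of UUIDs."""
    s_level, s_cats = subject
    o_level, o_cats = obj
    return s_level >= o_level and o_cats <= s_cats


def count_allocatable(width):
    """How many distinct categories a `width`-bit mask holds before the
    allocator refuses; shows the exhaustion failure the bitmask design has."""
    pool = BitmaskCategories(width)
    n = 0
    try:
        while True:
            pool.allocate(f"cat{n}")
            n += 1
    except CategoryPoolExhausted:
        return n


if __name__ == "__main__":
    pool = BitmaskCategories(width=8)
    secret_proj = (2, pool.mask(["proj-a"]))
    analyst = (2, pool.mask(["proj-a", "proj-b"]))
    clerk = (1, pool.mask(["proj-a"]))
    print(dominates_mask(analyst, secret_proj))  # True
    print(dominates_mask(clerk, secret_proj))    # False: level too low
    print(count_allocatable(8))                  # 8, then the pool is exhausted
```

The bitmask form is cheap to check (one AND and one compare) but every category must be coordinated through one allocator and the pool is finite; the UUID form trades that for a set comparison and the bookkeeping of a larger identifier, which is the design trade-off the post describes.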
