[Info-vax] Opportunity for VSI?

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Dec 18 08:47:41 EST 2018


On 2018-12-17, johnson.eric at gmail.com <johnson.eric at gmail.com> wrote:
> On Monday, December 17, 2018 at 8:41:51 AM UTC-5, Simon Clubley wrote:
>> One more thing in addition to that above extensive list of yours.
>> 
>> It's well known what I think of certain parts of VMS security, but
>> what do _you_ think with your clear exposure to a wide range of other
>> technologies?
>> 
>> For you, what parts of VMS security would stand out to an outsider as
>> "well, that _really_ needs fixing" and what parts come across as
>> "well, that's not too bad."
>
> I'm not much of a security expert. But I do believe there will be a
> multitude of exploits should anyone really start to dig. The belief that
> the low CVE count is a measurement of security quality is deeply 
> misguided.
>

[Thanks for the reply. It's always interesting to see new viewpoints,
based on different experiences, on this subject.]

I agree strongly with that.

When I decided to look for something I could use to try and wake up
the community, I decided to start my search with DCL/CDU, then the
privileged programs, then the APIs, then corrupting data files and
seeing how VMS handled that.

As you can see, there's a large number of areas to explore and I never
got past the first one (DCL/CDU) because I found what I was looking
for in the first area I looked.

It makes you wonder what the trained security professionals might
find if they take a serious look at VMS.

> I regard Linux and Windows as _more_ secure mainly because they
> have a community of well respected folks who discover issues and
> there are processes in place to catalog and prioritize those fixes.
> In that sense, the VMS space is deeply immature. There is neither
> a community nor a process.
>

There's also the fact the Linux and Windows users _know_ they need
to be on the lookout for new security problems so they have procedures
in place from that angle as well.

You will also find that VSI have now actually even _removed_ the security
reporting form from their contact page. :-( No, I don't believe it either.

> As for security areas I'd think about... I've always wondered what
> might happen if you take well formed RMS indexed files, and then
> corrupt them. And then ask DCL and the underlying 
> routines to deal with them. I would imagine there is a good possibility
> that this will suss out some unexpected stack corruptions. Don't some
> of those underlying mechanisms make use of executive mode and
> supervisor mode? Are there mistakes along a pathway of stack
> corruption to exploit? I have no idea... maybe?
>

These were similar to the things I was going to be looking for if
I had not found something earlier on.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


