[Info-vax] CVE counts, was: Re: VMS Software needs to port VAX DIBOL to OpenVMS X86 platf
John Dallman
jgd at cix.co.uk
Thu Dec 17 16:05:00 EST 2020
In article <rrdkiu$jm7$3 at dont-email.me>,
clubley at remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
> That doesn't exactly give me confidence that VMS has had any serious
> modern third-party security probing, at least by today's standards.
A bit of explaining how the probing is done might help. I only know the
outlines, never having done it, but I have had to fix bugs discovered
using this way.
"Security researchers" are often individuals or very small organisations.
What they do with the security problems they find varies widely.
Some seek "bug bounties" from software publishers, as a way of getting
income. The ones who do this normally publish their finds after a few
months. This may seem unhelpful, but experience has shown that many
software companies never fix security bugs without a deadline, letting
them accumulate, and then getting burned when someone else discovers them.
Others researchers sell their finds to criminals or intelligence agencies,
who have identical needs.
So, how do you do "security research"? One basic technique is "fuzzing",
calling APIs with invalid parameters, sending invalid packets to network
servers, or corrupting files and trying to load them into applications.
This is too slow and tedious for humans, but software can do it just fine,
and looks for crashes and other undesirable behaviour. The modern kind of
statistics-based AI can be applied effectively to this work, and speeds
things up a lot.
Obviously, to do this effectively, you need to be able to run the
software you're attacking, preferably lots of copies, at high speed.
That's why VMS has not been subjected to much of this kind of attack:
small security researchers don't have farms of HP Integrity servers to
use for it.
But when VMS can be run in VMs on commodity x86-64 hardware, attacking it
becomes possible for anyone. Claiming it is "the most secure operating
system on the planet" gives attackers extra motivation.
John
More information about the Info-vax
mailing list