[Info-vax] WHY IS VSI REQUIRING A HYPERVISOR FOR X86 OPENVMS?

Mark Berryman mark at theberrymans.com
Thu Jan 14 13:00:09 EST 2021 

On 1/12/21 6:42 AM, Simon Clubley wrote:
> On 2021-01-11, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>> On 2021-01-11 19:16:05 +0000, Dave Froble said:
>>
>>> Just because you found a flaw, in no way means that there are other flaws.
>>
>> There are other flaws, David.
>>
> 
> And until VMS gets the same level of probing as other operating systems,
> we don't know how many are just waiting to be found.


And what makes you think it hasn't been?

Frankly, you have no idea what kind of probing has been done to VMS.  I 
know what kind of probing I've been part of and it is far more extensive 
than you seem to think has been done.

There are, generally speaking, three types of security issues faced by 
operating systems:

1. Privilege escalation bugs that allow a logged in user to do more than 
(s)he should.
2. Intrusion issues that allow an external user to gain access to 
something (s)he shouldn't.
3. Misconfigurations that allow users, both internal and external, 
access they shouldn't have.

The third issue is an administrative issue.  Was it because the 
administrator didn't know what (s)he was doing?  Or was it a 
documentation issue that made it unclear how to properly configure? 
Either way, this wouldn't be an issue with the OS implementation.

The have been multiple privilege escalation bugs found within VMS over 
the years, some known to the public, some not.  The thing with VMS is, 
when they were found, they were fixed, and usually much faster than 
other operating systems on the market were doing.  No endeavor by 
imperfect humans is going to be perfect.  The real question is, when a 
flaw is found, what gets done about it.

If you take TCPIP Services out of the picture and use a different IP 
stack, I have never heard of a VMS system being externally compromised 
from the Internet.  Have you?  I know we weren't able to do it after 
extensive testing.  I've had reason to put multiple VMS systems directly 
on the internet.  They were extensively probed but never penetrated (and 
yes, they were closely monitored).  I'll stack that record up against 
any other platform.

For those of you who have been around for awhile, the DECnet issues of 
the 80's don't count.  If you configured your systems according to the 
manual, instead of simply taking the obviously bad defaults, you were 
immune.  I had several systems on one of the national DECnet networks at 
the time and the DECnet worms hit every one of them but failed to get 
into any of them.  There was nothing special about those systems.  We 
simply read the instructions while configuring them and ignored the 
(eventually fixed) default answers.

Simon, you found a bug.  Great!  Congratulations!  It wasn't any more 
remarkable than finding the SMG bug.  Both got fixed.  Found any more 
bugs?  Managed to penetrate a VMS system?  Until you do, how about 
climbing down off your soapbox for awhile since you really are speaking 
in ignorance of how much security testing VMS has undergone.

If fact, here is a suggestion for a more productive use of your time. 
So far, the only way I've found to compromise macOS is to convince the 
user to do something stupid.  (You known, social engineering, the only 
way Kevin Mitnick was ever able to compromise a VMS system).  Find a way 
to hack into macOS that doesn't involve the user.  Then we can set up a 
contest between Apple and VSI for "the most secure operating system". 
That would be fun.

Mark Berryman

More information about the Info-vax mailing list