[Info-vax] Questions and observations about OpenVMS
Dave Froble
davef at tsoft-inc.com
Sun Mar 7 03:54:15 EST 2021
Well shit!!!!
It's time to counter some of Simon's favorite topics. Again!
I hate it when that happens ....
On 3/7/2021 3:27 AM, Simon Clubley wrote:
> On 2021-03-06, Forrest Aldrich <forrie at forrie.com> wrote:
>>
>> OpenVMS's idea of security (i.e. concentric circles, operate with just
>> what is needed) makes a ton of sense to me. We don't hear about VMS
>> being hacked or riddled with malware.
>>
>
> People have answered your other questions. I will focus on this part.
>
> VMS security is very lacking compared to what is standard these days.
"Standard" sort of depends upon several things, including "definition",
right?
> From a strictly security point of view, VMS does not have 4 modes, it
> only has 2 modes.
Who cares?
> From a security point of view, it has a user mode and a single inner
> mode with the single inner mode split over 3 hardware modes.
>
> Once in any of the inner modes you can get to any other inner mode
> without any additional privileges required.
>
> VMS is lacking other security features considered to be standard
> these days, such as ASLR and a mandatory access control environment.
See above concerning "standard".
> The way a process survives multiple images (which can be both a mixture
> of privileged and non-privileged images) is a weakness. A Unix-style
> approach, where a process is created to run a new image, would be
> a more secure approach.
Proof?
> There is a good deal of inertia in the VMS world and a desire in some
> quarters to carry on doing something because that is the way it has
> always been done.
If it works, don't fix it.
> For example, DECnet Phase IV is totally unsuited
> for today's world, but VSI has already been forced to port it to x86-64
> VMS, even with other work outstanding, because it is still used by so
> many people.
Since humans haven't yet come up with "counter-grav", the wheel is still
in use, and will be for the foreseeable future.
> As for VMS not being hacked, you really, really should not have gone there. :-)
>
> VMS has the dubious honour of hosting one of the world's longest
> surviving operating system vulnerabilities (it survived for 33 years
> before it was discovered). It was confirmed to be exploitable on
> both VAX and Alpha and it is an open question whether someone familiar
> with the Itanium environment could have created a variant of the exploit
> to do something bad there.
Oh, give me a break! How long are you going to polish that particular
apple? It was a bug in a utility, which has been fixed.
> Supervisor mode shells (i.e. DCL) have access to the privileges of
> the programs they run. This is not a good thing.
So use one that doesn't ....
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486