[Info-vax] VMS internals design, was: Re: BASIC and AST routines

John Doppke jdoppke at gmail.com
Sun Nov 28 09:13:17 EST 2021


On Saturday, November 27, 2021 at 12:46:16 AM UTC-5, Andrew Commons wrote:
> I've been watching this thread with a mixture of amusement and horror. The 
> triggering thread regarding AST routines was equally enlightening. In 
> fact if I ever feel the urge to start a thread here I will probably make 
> the subject line something like this: 
> 
> <My Topic>, was: Re: Something Simon Clubley felt strongly about 
> 
> Purely curiosity to see if it stopped forking :) 
> 
> So, for Simon...
> >> One of the biggest mistakes made is that DEC went to the trouble of 
> >> implementing a 4-mode architecture and then completely blew how it was 
> >> used.
> Well, a bit like Intel implementing a 4-mode architecture and then having 
> Microsoft completely blow how it is used? 
> 
> Note that the OS/2 update that Cutler and Co were originally hired to work 
> on used 3 of the modes. When Windows looked like becoming a success then 
> it switched to a Windows upgrade instead. Gates wanted it to run on 
> consumer hardware, so things got dropped. There are still 4 modes available 
> and I'm sure VSI are using them.
> >> That 4-mode architecture could have provided some really truly radical 
> >> internal security separation within VMS, but once you are in any of the 
> >> 3 inner modes, you can get to any of the other inner modes so all those 
> >> extra modes were wasted from a security isolation point of view.
> Put your money where your mouth is. Prove it. Post examples that show a 
> fundamental flaw rather than an Ooops in a single privileged program.
> >> In case you are wondering, you can escalate from supervisor mode because 
> >> DCL has access to the privileges of the programs it runs even though it 
> >> doesn't actually need them. That kind of thing should have stayed within 
> >> the kernel so DCL never sees those privileges.
> If this was such a huge fundamental problem I would expect masses of 
> vulnerability reports. Where are they? Post examples. 
> 
> When a program runs in a privileged context then those writing the program 
> obviously need to exercise care. Ideally you enable/disable privileges 
> on a Just In Time basis and, obviously, when you are operating in a mode 
> higher than the originating mode any inputs from the lower mode must be 
> treated with caution. Failing to do this on one occasion does not invalidate 
> the security model. 
> 
> I will now scrub my cookies and history back to bedrock which I recommend 
> after logging in to anything Google related.

Every time I see these posts I think "My God, what have I started?"


