[Info-vax] Assembly languages
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Apr 12 18:24:47 EDT 2022
On 2022-04-12, Dave Froble <davef at tsoft-inc.com> wrote:
> On 4/12/2022 1:34 PM, Simon Clubley wrote:
>
>> The key question is this: Can a non-privileged user who gets code they
>> control running in supervisor mode come up with a way to switch
>> from supervisor mode to executive mode or kernel mode?
>
> No, unless there is some bug, and any bugs in any code pretty much call off
> any talk of security.
>
Actually, yes you can. If you don't want to mess around with trying to
hook your supervisor mode code into DCL in a way that allows you to
run it while a privileged image is active, you can simply activate a
privileged image while in supervisor mode and then use the privileges
of the image.

If that image has CMEXEC or CMKRNL privilege, you can use them to get
yourself into executive or kernel mode.

It should be considered a bug IMHO, but that's how VMS works.

In fairness, that was probably considered acceptable in the isolated
systems of the 1970s. Today, not so much.
> Yes Simon, you found a bug, and it has now been fixed. Can you still use the
> same exploit?
>
> Unless you find another bug, then a non-prived user cannot gain privs, unless
> they are granted to that user or process.
>
That isn't what this is about.

This discussion started because I am of the opinion, that from
a security point of view, VMS is just another 2-mode operating
system with its single inner mode split across 3 hardware modes.

That means, if you have code running in supervisor mode, that code
can get access to executive or kernel mode without any additional
privileges required on the logged in account itself.

If, OTOH, supervisor mode, never, ever, saw the privileges of the
images it activates, then that would turn VMS into a 3-mode
operating system.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.