[Info-vax] VMS and security

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Nov 9 08:22:50 EST 2022


On 2022-11-08, jimc... at gmail.com <jimcausey at gmail.com> wrote:
> On Thursday, November 3, 2022 at 6:42:30 AM UTC-7, Simon Clubley wrote:
>> Unfortunately, the idea of VMS security somehow being comparable to 
>> today's expected security standards is utterly delusional. 
>> 
>> Even Linux is _far_ in advance of what VMS offers. 
>> 
>> For example, Linux has mandatory access controls and VMS is still stuck 
>> back in the DAC world. 
>> 
>> There's no ASLR/KASLR support on VMS. 
>> 
>> There's nothing like the Unix chroot jails on VMS. 
>> 
>> Compiler protections in generated code have been lacking on VMS compared 
>> to what is available elsewhere, but John in recent years has started 
>> looking at getting comparable protections in the VMS compilers, when it 
>> comes to generating code, that currently exist elsewhere. 
>
> Does VSI have a security program roadmap?  I would have hoped that the x64
> port would include table-stakes features like ASLR; if the product wants to
> compete with Linux and Windows, it will also need to have transparency on
> progress @ modernization features, compiler practices, and responsible
> security reporting -- at a minimum

The only security work I have seen is an enhanced password algorithm
and plans for encryption of VMS cluster traffic.

John has also talked about adding some industry-standard security
features to the compilers but I don't know the status of that work.

The last one on your list is especially annoying because VSI _did_
introduce a public reporting mechanism in the immediate aftermath of
my DCL research, but then they removed it for some reason after all
the fuss had died down. :-( :-(

Emails to VSI and requests to VSI via their contact page asking them
to reinstate it have gone ignored.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


