[Info-vax] VMS and security

[Dave Froble]

On 11/3/2022 9:42 AM, Simon Clubley wrote:
> On 2022-11-02, IanD <iloveopenvms at gmail.com> wrote:
>>
>> I would have thought VMS could leverage it's historical reputation in security to give it an advantage against Linux at least, but I'm not convinced it has done enough to ensure it's up to date in the modern security landscape and it really needs to make sure it has it's ducks all in a row and then some because any failure in the security arena could/would end VMS chances of making a comeback
>
> Unfortunately, the idea of VMS security somehow being comparable to
> today's expected security standards is utterly delusional.

Who's expectations?

> Even Linux is _far_ in advance of what VMS offers.

Perhaps in some areas, and perhaps VMS is ahead in others.

> For example, Linux has mandatory access controls and VMS is still stuck
> back in the DAC world.

Is this the only method?

> There's no ASLR/KASLR support on VMS.

Is this the only method?

> There's nothing like the Unix chroot jails on VMS.

Is this the only method?

> Compiler protections in generated code has been lacking on VMS compared
> to what is available elsewhere, but John in recent years has started
> looking at getting comparable protections in the VMS compilers, when it
> comes to generating code, that currently exist elsewhere.
>
> Back in the 1980s/early 1990s, VMS was a leader in security and it has
> proudly remained there while the rest of the world has moved on.

It is understood that VMS has been neglected by it's owners for some time. 
However, the question of how far behind could be interesting.

Simon, you throw out things used elsewhere and claim that that is the only way 
to provide security.  I don't think that is quite accurate.


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486