[Info-vax] VMS and security

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Nov 9 13:30:53 EST 2022


On 2022-11-09, Dave Froble <davef at tsoft-inc.com> wrote:
> On 11/3/2022 9:42 AM, Simon Clubley wrote:
>> On 2022-11-02, IanD <iloveopenvms at gmail.com> wrote:
>>>
>>> I would have thought VMS could leverage its historical reputation in security to give it an advantage against Linux at least, but I'm not convinced it has done enough to ensure it's up to date in the modern security landscape and it really needs to make sure it has its ducks all in a row and then some because any failure in the security arena could/would end VMS's chances of making a comeback
>>
>> Unfortunately, the idea of VMS security somehow being comparable to
>> today's expected security standards is utterly delusional.
>
> Whose expectations?
>

Everyone in the industry outside of those who write DEC Basic code for
a living ?

>> Even Linux is _far_ in advance of what VMS offers.
>
> Perhaps in some areas, and perhaps VMS is ahead in others.
>
>> For example, Linux has mandatory access controls and VMS is still stuck
>> back in the DAC world.
>
> Is this the only method?
>

The fact you are asking this question, and phrasing it in this way,
tells me that you simply don't understand the issues being discussed.

Security is a layered approach, and things that were not required 20-30
years ago, are now required (and expected to be available) as a result of
experience and a changing security environment.

>> There's no ASLR/KASLR support on VMS.
>
> Is this the only method?
>

That question makes absolutely no sense.

>> There's nothing like the Unix chroot jails on VMS.
>
> Is this the only method?
>

If you could come up with something that provides the same level of
isolation, that could be acceptable as well. What would be your
suggested VMS alternative to a Unix chroot jail ?

>> Compiler protections in generated code have been lacking on VMS compared
>> to what is available elsewhere, but John in recent years has started
>> looking at getting comparable protections in the VMS compilers, when it
>> comes to generating code, that currently exist elsewhere.
>>
>> Back in the 1980s/early 1990s, VMS was a leader in security and it has
>> proudly remained there while the rest of the world has moved on.
>
> It is understood that VMS has been neglected by its owners for some time.
> However, the question of how far behind could be interesting.
>
> Simon, you throw out things used elsewhere and claim that that is the only way 
> to provide security.  I don't think that is quite accurate.
>

Ok, so what are the VMS equivalents of the above functionality that
can be used to address the same security issues ?

I am especially interested in your plans for implementing MAC security
on VMS to the same level of functionality and fine-grained levels of
control seen in SELinux.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


