[Info-vax] VMS and security
Arne Vajhøj
arne at vajhoej.dk
Wed Nov 9 15:00:55 EST 2022
On 11/9/2022 9:01 AM, Dave Froble wrote:
> On 11/3/2022 9:42 AM, Simon Clubley wrote:
>> On 2022-11-02, IanD <iloveopenvms at gmail.com> wrote:
>>> I would have thought VMS could leverage its historical reputation in
>>> security to give it an advantage against Linux at least, but I'm not
>>> convinced it has done enough to ensure it's up to date in the modern
>>> security landscape and it really needs to make sure it has its ducks
>>> all in a row and then some because any failure in the security arena
>>> could/would end VMS chances of making a comeback
>>
>> Unfortunately, the idea of VMS security somehow being comparable to
>> today's expected security standards is utterly delusional.
>
> Whose expectations?

Whoever is into IT security today.

>> Even Linux is _far_ in advance of what VMS offers.
>
> Perhaps in some areas, and perhaps VMS is ahead in others.

The lack of investments in VMS the last 25 years has some
consequences.

Security has evolved a lot in those 25 years, so VMS
is generally behind in this area.

>> For example, Linux has mandatory access controls and VMS is still stuck
>> back in the DAC world.
>
> Is this the only method?
>
>> There's no ASLR/KASLR support on VMS.
>
> Is this the only method?
>
>> There's nothing like the Unix chroot jails on VMS.
>
> Is this the only method?

They are nice features for security.

None of them are strictly required.

VMS will not need all security features available elsewhere, but
VMS will definitely need a good portion of them to be considered
OK.

> It is understood that VMS has been neglected by its owners for some
> time. However, the question of how far behind could be interesting.

I will claim that the VMS team anno 1990 could catch up in a year
or two, but VSI will need way more years to catch up. They are a
small team and even though security is important, they also have
lots of other priorities.

> Simon, you throw out things used elsewhere and claim that that is the
> only way to provide security. I don't think that is quite accurate.

The cheapest and fastest way forward for VSI is to build
on work others have done.

Security research coming up with new ideas and concepts is
bloody expensive. DEC had the money for it. VSI doesn't.

Arne