[Info-vax] VMS and security

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Nov 10 08:32:40 EST 2022


On 2022-11-09, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 11/9/2022 8:09 AM, Simon Clubley wrote:
>> On 2022-11-08, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 11/8/2022 1:29 PM, Simon Clubley wrote:
>>>> On 2022-11-07, Dave Froble <davef at tsoft-inc.com> wrote:
>>>>> I don't use Linux, but it is my impression that just about everything in Linux
>>>>> is from third parties.  Nor is Linux restricted to a single vendor.
>>>>>
>>>>> So why then should VSI be responsible for everything VMS needs?
>>>>>
>>>>> Gotta love double standards ...
>>>>
>>>> Well that's a load of bollocks David. We are talking about things
>>>> that are integral within Linux, in the same way as, say, RMS, clustering,
>>>> and KESU modes are integral within VMS.
>>>
>>> Those were pretty strong words given that you are only 75% correct ...
>>>
>> 
>> I've just reviewed my list in the posting that David is responding to
>> and I don't see it, so can you tell me which 25% am I wrong about ?
>
> Really?
>
> So if we from that list:
>
> # For example, Linux has mandatory access controls and VMS is still stuck
> # back in the DAC world.
> #
> # There's no ASLR/KASLR support on VMS.
> #
> # There's nothing like the Unix chroot jails on VMS.
> #
> # Compiler protections in generated code have been lacking on VMS compared
> # to what is available elsewhere, but John in recent years has started
> # looking at getting comparable protections in the VMS compilers, when it
> # comes to generating code, that currently exist elsewhere.
>
> create a little pop quiz:
>
> Which of the following items:
> A) mandatory access controls
> B) ASLR
> C) chroot jails
> D) Compiler protections in generated code
> are not "integral within Linux"?
>
> Then you have no idea?
>

They all are present and integrated within Linux these days Arne. Which one
do you think is missing from Linux ?

BTW, that last one, where the entire Linux distribution is built with
those protections, has generally been present in Linux distributions
for the last decade or so. It's probably going to be the first one in the
above list to be present on VMS, at least after John does the necessary
compiler and other work (including dealing with the Macro-32 problem).

Having a VMS distribution with all the binaries compiled with the expected
industry-standard protections, such as stack-smashing protection, will be a
nice thing to finally see.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


