[Info-vax] Why not reimplement SEVMS into x86 OpenVMS?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Nov 16 14:22:16 EST 2022
On 2022-11-16 14:47:56 +0000, Michael C said:
> Offer it free ...
>
> Would be fast to port ...
>
> Wouldn't that boost security until other features can be added?

The basic mandatory access control features were likely hauled across
in the port, as it would be more work and more risk to remove those.
Those in-built features can be enabled (for free) using the CLASS_PROT
system parameter.

There was add-on tooling that was licensed. That add-on tooling
replaced many common OpenVMS apps. But who knows what happened to that
code in the ensuing decades?

More generally, mandatory access control systems didn't and haven't
sold in sufficient numbers to bother with, and are impractical for most
uses.

Data and connections and info more generally can generally flow from
equal to equal, and upgrade from less to more secure, but in the
downgrade direction not so much.

Most of the folks that wanted those security features ended up buying
multiple system-high boxes, rather than trying to buy and run and
maintain mandatory access controls or multi-level security.

As a foundation for other security enhancement work around adding
sandboxes and pledges and such, sure, the mandatory access controls
might help.

For its reuse, the existing design is limited in terms of the numbers
of secrecy and lowercase-i integrity categories permitted; 64 each.

--
Pure Personal Opinion | HoffmanLabs LLC
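
The flow rule and the 64-category ceiling described in the message above, as an added example that is not part of the original post and is not SEVMS or OpenVMS code. It assumes the textbook lattice model (a level plus a category set, with integrity as the dual of secrecy); the struct, function names and sample labels are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label: a hierarchical level plus a 64-bit category mask,
 * one bit per category, which is where a 64-category ceiling comes from. */
struct label { unsigned level; uint64_t cats; };

/* Mask for category idx, or 0 when idx does not fit in the 64-bit field
 * (shifting a 64-bit value by 64 or more is undefined in C). */
uint64_t category_mask(unsigned idx)
{
    return idx < 64 ? UINT64_C(1) << idx : 0;
}

/* a dominates b: level at least as high, and every category of b is in a. */
bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* Secrecy: data may move to an equal or dominating label, never down. */
bool secrecy_flow_ok(struct label src, struct label dst)
{
    return dominates(dst, src);
}

/* Integrity is the dual: data may move to an equal or dominated label. */
bool integrity_flow_ok(struct label src, struct label dst)
{
    return dominates(src, dst);
}

/* Constructed sample labels (levels and category numbers are made up). */
const struct label LBL_LOW   = { 1, UINT64_C(1) << 0 };
const struct label LBL_HIGH  = { 2, (UINT64_C(1) << 0) | (UINT64_C(1) << 5) };
const struct label LBL_OTHER = { 2, UINT64_C(1) << 63 };

int main(void)
{
    printf("LOW  -> HIGH  secrecy:   %d\n", secrecy_flow_ok(LBL_LOW, LBL_HIGH));
    printf("HIGH -> LOW   secrecy:   %d\n", secrecy_flow_ok(LBL_HIGH, LBL_LOW));
    printf("HIGH -> OTHER secrecy:   %d\n", secrecy_flow_ok(LBL_HIGH, LBL_OTHER));
    printf("HIGH -> LOW   integrity: %d\n", integrity_flow_ok(LBL_HIGH, LBL_LOW));
    return 0;
}
```

Two labels at the same level with disjoint categories are incomparable, so no flow is allowed between them in either direction.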