[Info-vax] VMS and security

Thu Nov 17 08:23:00 EST 2022

On 2022-11-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 11/10/2022 8:32 AM, Simon Clubley wrote:
>> On 2022-11-09, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 11/9/2022 8:09 AM, Simon Clubley wrote:
>>>> On 2022-11-08, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>>> On 11/8/2022 1:29 PM, Simon Clubley wrote:
>>>>>> On 2022-11-07, Dave Froble <davef at tsoft-inc.com> wrote:
>>>>>>> I don't use Linux, but it is my impression that just about everything in Linux
>>>>>>> is from third parties.  Nor is Linux restricted to a single vendor.
>>>>>>>
>>>>>>> So why then should VSI be responsible for everything VMS needs?
>>>>>>>
>>>>>>> Gotta love double standards ...
>>>>>>
>>>>>> Well that's a load of bollocks David. We are talking about things
>>>>>> that are integral within Linux, in the same way as, say, RMS, clustering,
>>>>>> and KESU modes are integral within VMS.
>>>>>
>>>>> That was pretty strong words given that you are only 75% correct ...
>>>>
>>>> I've just reviewed my list in the posting that David is responding to
>>>> and I don't see it, so can you tell me which 25% am I wrong about ?
>>>
>>> Really?
>>>
>>> So if we from that list:
>>>
>>> # For example, Linux has mandatory access controls and VMS is still stuck
>>> # back in the DAC world.
>>> #
>>> # There's no ASLR/KASLR support on VMS.
>>> #
>>> # There's nothing like the Unix chroot jails on VMS.
>>> #
>>> # Compiler protections in generated code has been lacking on VMS compared
>>> # to what is available elsewhere, but John in recent years has started
>>> # looking at getting comparable protections in the VMS compilers, when it
>>> # comes to generating code, that currently exist elsewhere.
>>>
>>> create a little pop quiz:
>>>
>>> Which of the following items:
>>> A) mandatory access controls
>>> B) ASLR
>>> C) chroot jails
>>> D) Compiler protections in generated code
>>> are not "integral within Linux"?
>>>
>>> Then you have no idea?
>>>
>> 
>> They all are present and integrated within Linux these days Arne. Which one
>> do you think is missing from Linux ?
>
> Well - maybe you are not aware.
>
> But the compiler used by Linux GCC is not "integral within Linux"
> (your words) but "from third parties" (Davids words). It comes
> from the GNU project not the Linux kernel project.
>

A review of my posting history, including discussion of work I have
done on them in the past, would make it very clear I know this.
However, you have moved from talking about the compiler protections
to talking about the compilers themselves.

> That a compiler is used to build something does not make it
> an integral part of what is being build.
>

No, but the resulting compiler protections _ARE_ an integral part of
Linux just as I stated above. Note that I never stated anything about
the compilers themselves above, but only the resulting protections.

You end up with a Linux system that has yet another layer of security
integrated right into it, which makes it harder to compromise, in exactly
the same way as ASLR and friends also make it harder to compromise.

Basic protections BTW that are missing from "the world's most secure
operating system."

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.