[Info-vax] VMS and security

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Nov 21 08:24:50 EST 2022 

On 2022-11-18, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 11/17/2022 8:23 AM, Simon Clubley wrote:
>> On 2022-11-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 11/10/2022 8:32 AM, Simon Clubley wrote:
>>>> On 2022-11-09, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>>> On 11/9/2022 8:09 AM, Simon Clubley wrote:
>>>>>> On 2022-11-08, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>>>>> On 11/8/2022 1:29 PM, Simon Clubley wrote:
>>>>>>>> On 2022-11-07, Dave Froble <davef at tsoft-inc.com> wrote:
>>>>>>>>> I don't use Linux, but it is my impression that just about everything in Linux
>>>>>>>>> is from third parties.  Nor is Linux restricted to a single vendor.
>>>>>>>>>
>>>>>>>>> So why then should VSI be responsible for everything VMS needs?
>>>>>>>>>
>>>>>>>>> Gotta love double standards ...
>>>>>>>>
>>>>>>>> Well that's a load of bollocks David. We are talking about things
>>>>>>>> that are integral within Linux, in the same way as, say, RMS, clustering,
>>>>>>>> and KESU modes are integral within VMS.
>>>>>>>
>>>>>>> That was pretty strong words given that you are only 75% correct ...
>>>>>>
>>>>>> I've just reviewed my list in the posting that David is responding to
>>>>>> and I don't see it, so can you tell me which 25% am I wrong about ?
>>>>>
>>>>> Really?
>>>>>
>>>>> So if we from that list:
>>>>>
>>>>> # For example, Linux has mandatory access controls and VMS is still stuck
>>>>> # back in the DAC world.
>>>>> #
>>>>> # There's no ASLR/KASLR support on VMS.
>>>>> #
>>>>> # There's nothing like the Unix chroot jails on VMS.
>>>>> #
>>>>> # Compiler protections in generated code has been lacking on VMS compared
>>>>> # to what is available elsewhere, but John in recent years has started
>>>>> # looking at getting comparable protections in the VMS compilers, when it
>>>>> # comes to generating code, that currently exist elsewhere.
>>>>>
>>>>> create a little pop quiz:
>>>>>
>>>>> Which of the following items:
>>>>> A) mandatory access controls
>>>>> B) ASLR
>>>>> C) chroot jails
>>>>> D) Compiler protections in generated code
>>>>> are not "integral within Linux"?
>>>>>
>>>>> Then you have no idea?
>>>>>
>>>>
>>>> They all are present and integrated within Linux these days Arne. Which one
>>>> do you think is missing from Linux ?
>>>
>>> Well - maybe you are not aware.
>>>
>>> But the compiler used by Linux GCC is not "integral within Linux"
>>> (your words) but "from third parties" (Davids words). It comes
>>> from the GNU project not the Linux kernel project.
>> 
>> A review of my posting history, including discussion of work I have
>> done on them in the past, would make it very clear I know this.
>
> I know that you have a high opinion about yourself.
>

Well, that's extremely rich coming from you Arne.

You have such a self-important opinion of yourself that you can confidently
state, on a wide range of subjects, that people are doing one of A, B, or C
and then assign percentages to those options and then you further state this
level of detail as if it was an established fact.

The sheer sense of self-importance of someone who feels comfortable doing
that on a regular basis easily dwarfs anything I may be guilty of.

>> However, you have moved from talking about the compiler protections
>> to talking about the compilers themselves.
>
> The code generated by the compiler is certainly different from the
> compiler itself.
>
> But the first comes from the second.
>
>>> That a compiler is used to build something does not make it
>>> an integral part of what is being build.
>> 
>> No, but the resulting compiler protections _ARE_ an integral part of
>> Linux just as I stated above. Note that I never stated anything about
>> the compilers themselves above, but only the resulting protections.
>
> A Linux binary compiled with GCC using the compile switch that
> enable SSP has this feature.
>
> But it is the third party product GCC that makes it possible.
>
> It is not a characteristics of Linux. It is the benefit of the
> third party tooling available for Linux.
>

It's more than that. Linux is now developed with those options enabled
so errors are much more likely to be caught during development and testing.

Based on what has happened in the past, I very strongly suspect that if
VSI ever get around to adding this functionality to its own VMS builds,
the first thing it will find are a range of coding issues and potential
security issues that have simply not been picked up until now.

This is a good thing and will help increase the quality of VMS.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

More information about the Info-vax mailing list