[Info-vax] VMS and security
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Jan 3 17:27:10 EST 2023
On 2023-01-03 17:49:54 +0000, ultr... at gmail.com said:
> On Wednesday, November 9, 2022 at 3:22:04 PM UTC-5, Arne Vajhøj wrote:
>>>>
>> MAC for VMS should be relatively well understood. That was what SEVMS provided.
>
> Since the SEVMS code is still there, wouldn't making sure that code
> still works and fixing what doesn't be a good and
> inexpensive way to start?

If you want just the underpinnings of Rainbow-era US DoD/NCSC Class B1
Orange-focused MAC, a design which was found approximately non-sellable
including to some of those same entities that had worked on and
specified Class B1 security, and that probably also with few
or none of the SEVMS utilities and tools available, and all that also
probably untested for a quarter-century, sure.

Serving as a foundation for a whole lot of design and development work
both on the MAC code and within OpenVMS APIs and docs and elsewhere,
and within IP networking, and with related work on better-integrated
encryption and key stores and such, sure.

As anything that'll be likely useful by apps in the rest of this decade, no.

Pragmatically, BSD pledge is probably a better option for VSI in the
short term. And that's no small project. And that requires app
assistance.
https://man.openbsd.org/pledge.2
Creating app sandboxing / app jail would be the closest modern
application, and some parts of Class B1 might be (poorly) useable for that.

The only folks that might consider NCSC Class B1 Rainbow-era MAC
nowadays are scarce at best, or folks that may have never even used
Class B1 and will probably then quickly lose interest. Managing and
labeling information flow within a large and complex system is less
than easy. And again, Class B1 really isn't all that useful for
securing most apps. Approximately no commercial providers would
consider using Class B1, absent some regulatory or contractual mandate.

--
Pure Personal Opinion | HoffmanLabs LLC