[Info-vax] VMS and security

ultr...@gmail.com ultradwc at gmail.com
Thu Jan 5 20:17:20 EST 2023


On Tuesday, January 3, 2023 at 5:27:12 PM UTC-5, Stephen Hoffman wrote:
> On 2023-01-03 17:49:54 +0000, ultr... at gmail.com said: 
> 
> > On Wednesday, November 9, 2022 at 3:22:04 PM UTC-5, Arne Vajhøj wrote: 
> >>>> 
> >> MAC for VMS should be relatively well understood. That was what SEVMS provided. 
> >
> > Since the SEVMS code is still there, wouldn't making sure that code 
> > still works and fixing what doesn't be a good and 
> > inexpensive way to start?
> If you want just the underpinnings of Rainbow-era US DoD/NCSC Class B1 
> Orange-focused MAC, a design which was found approximately non-sellable 
> including to some of those same entities that had worked on and 
> specified Class B1 security, and that probably also involving few 
> or none of the SEVMS utilities and tools available, and all that also 
> probably untested for a quarter-century, sure. 
> 
> Serving as a foundation for a whole lot of design and development work 
> both on the MAC code and within OpenVMS APIs and docs and elsewhere, 
> and within IP networking, and with related work on better-integrated 
> encryption and key stores and such, sure. 
> 
> As anything that'll be likely useful by apps in the rest of this decade, no. 
> 
> Pragmatically, BSD pledge is probably a better option for VSI in the 
> short term. And that's no small project. And that requires app 
> assistance. https://man.openbsd.org/pledge.2 Creating app sandboxing 
> / app jail / would be the closest modern application, and some parts of 
> Class B1 might be (poorly) useable for that. 
> 
> The only folks that might consider NCSC Class B1 Rainbow-era MAC 
> nowadays are scarce at best, or folks that may have never even used 
> Class B1 and will probably then quickly lose interest. Managing and 
> labeling information flow within a large and complex system is less 
> than easy. And again, Class B1 really isn't all that useful for 
> securing most apps. Approximately no commercial providers would 
> consider using Class B1, absent some regulatory or contractual mandate.
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

you just got done telling us it might serve as a basis to add sandboxing and some other features ...


