[Info-vax] Kernel Transplantation
Mark Berryman
mark at theberrymans.com
Thu Jan 18 12:25:29 EST 2024
On 1/18/24 6:06 AM, Simon Clubley wrote:
> On 2024-01-17, Lawrence D'Oliveiro <ldo at nz.invalid> wrote:
>> On Wed, 17 Jan 2024 13:11:31 -0000 (UTC), Simon Clubley wrote:
>>> The server software with the vulnerability could be the DECnet stack
>>> running on that server.
>>
>> Any reason why you think DECnet is particularly prone to introducing
>> security holes, per se?
>
> Because, at best, it has only had a very small fraction of the effort
> spent on probing it that the mainstream network stacks have had.

Simon's postings would tend to indicate that he believes that anything
not subject to constant probing by hundreds or thousands of hack.., er,
security researchers is just full of latent bugs waiting to be discovered.

It might help to remember that the IP stack was designed by committee
and implemented by an even more diverse group, some good at programming,
some not so much. DECnet, however, was designed and implemented by a
much smaller group, which often leads to much better code. I suspect,
but don't know for sure, that the designers and implementers were also
essentially the same people. (They were also very good).

Also, once upon a time, DECnet was a more diverse network than the
internet. Until the internet went public in the early 90s, it was quite
limited in scope, consisting mainly of some government institutions,
some government contractors, and some universities. DECnet, however,
was used to implement a number of world-wide networks consisting of many
diverse endpoints. There was some probing that went on but not a whole
lot. For one, with DECnet the source was too easy to trace and, for
another, if any of the probes were successful I never heard of it (I was
on SPAN at the time). This was all DECnet phase IV. After the internet
went public, these networks ran multiple protocols in parallel,
including TCP/IP and DECnet. As DEC equipment was phased out at these
sites, so was DECnet. But it somehow managed to survive without issue
all those years. (The only known problems were caused by local
misconfigurations by people who didn't read the manual and simply
accepted defaults that should have been better. None were caused by the
stack itself.)

Finally, as I mentioned in an earlier post, it is trivial in today's
world to isolate one's DECnet stack from anything other than trusted
hosts. On any network where I have been involved, if some host were
compromised, and if that host were to try to probe DECnet, none of its
packets would even reach the DECnet interface of any host that was
actually running DECnet.

There are, after all, many ways to implement security.

My two cents.

Mark Berryman