trt@rti-sel.UUCP (Tom Truscott) (12/10/84)
> The main attractiveness of VM for secure systems is that VM itself is a
> very limited system, concerned almost solely with partitioning ...

This argument is compelling.  After all, VM concerns itself with 'not sharing' (security) whereas MVS concerns itself with 'sharing' (insecurity).  And VM's task is conceptually much simpler.  So I was surprised a few years ago to read a Datamation (?) article by an IBM computer security person who said that they 'warranted' the security of MVS but not VM.  That means IBM will fix any security hole found in MVS.

From what I have heard MVS (with RACF) is much more secure than MVF or MVT but only in the sense that security flaws are much more obscure and difficult to exploit.  Perhaps VM, though potentially secure, comes up short since VM users insist on sharing (minidisks, whatever) and the hacks^H^H^H^Hmechanisms for so doing have security flaws.

	Tom Truscott
darrelj@sdcrdcf.UUCP (Darrel VanBuer) (12/10/84)
While VM 370 gives the appearance of a whole machine to each user (and client operating system), in fact it does not.  E.g. when a client OS "enters" supervisor state, it really sets a flag in VM that the client "believes" it's in supervisor state, and restores the machine to user state.  When the client OS (tries) to execute a privileged instruction, it traps back to VM, gets tested for no harm to the VM environment, VM does the privileged operation and resumes execution.  This sounds horrible in performance, but is usually acceptable for several reasons.  First, most OSs actually do few privileged operations.  Second, VM is not threatened by all privileged ops, so many of the checks are short.  Finally, most 370s (and successors) have VM-assist microcode to handle the majority of the pseudo-privileged operations without all the traps.

I/O is also virtualized under VM (e.g. printers are usually virtual devices eventually spooled to a real VM printer), CMS "disks" are usually only portions of some real disk.  I/O is a privileged operation, so VM limits and modifies that too.

The main attractiveness of VM for secure systems is that VM itself is a very limited system, concerned almost solely with partitioning the real resources among the client operating systems.  Even though MVS is a huge piece of software (and thus unavoidably full of bugs and bits of archaic misdesign from 1960s), when run as a VM client, it's isolated from all other users in other VM partitions.  VM presents a much less formidable piece of code to secure.
-- 
Darrel J. Van Buer, PhD
System Development Corp.
2500 Colorado Ave
Santa Monica, CA 90406
(213)820-4111 x5449
...{allegra,burdvax,cbosgd,hplabs,ihnp4,orstcs,sdcsvax,ucla-cs,akgua}
 !sdcrdcf!darrelj
VANBUER@USC-ECL.ARPA
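The trap-and-emulate scheme Darrel describes (a "virtual supervisor" flag while the real machine stays in problem state, privileged instructions trapping to VM for a harm check, I/O confined to minidisk extents, and a VM-assist fast path) is easy to misread without seeing the control flow. The toy model below is an added example for this thread, not code from any poster or from IBM; the instruction names (SVC, LPSW, SSK, SIO), the partition layout, the two-guest setup and the choice of which ops are "assisted" are assumptions made to illustrate the mechanism, not a faithful System/370 model.

```python
# Toy model of VM/370-style trap-and-emulate isolation (added example, not
# from the thread). Instruction names, partition layout and the VM-assist set
# are illustrative assumptions, not a faithful System/370 model.
from dataclasses import dataclass, field


class Trap(Exception):
    """The guest asked for something the hypervisor refuses to do on its behalf."""


@dataclass
class Minidisk:
    real_disk: str   # real DASD volume the minidisk lives on
    first_cyl: int   # extent on that volume assigned to this guest
    last_cyl: int


@dataclass
class Guest:
    name: str
    minidisks: dict                 # virtual device address -> Minidisk
    lo_addr: int                    # real storage assigned to this guest
    hi_addr: int
    virt_supervisor: bool = False   # what the guest *believes* its PSW says
    real_supervisor: bool = False   # the real machine: always problem state under VM
    keys: dict = field(default_factory=dict)


PRIVILEGED = {"LPSW", "SSK", "SIO"}   # these trap to the hypervisor
ASSISTED = {"SSK"}                    # "VM-assist": still checked, but on a fast path


class Hypervisor:
    def __init__(self):
        self.traps = 0
        self.assists = 0

    def execute(self, g: Guest, op: str, *args):
        """Run one guest instruction; return a description of what really happened."""
        if op == "SVC":
            # An interruption takes the guest into *its* supervisor state. VM reflects
            # it: flag the guest as virtual supervisor, keep the machine in problem state.
            g.virt_supervisor, g.real_supervisor = True, False
            return "SVC reflected: guest virtual supervisor, machine still problem state"
        if op not in PRIVILEGED:
            return f"{op} ran natively"
        if not g.virt_supervisor:
            # The guest OS would see a privileged-operation exception; reflect it.
            raise Trap(f"{op} from guest problem state: exception reflected to {g.name}")
        if op in ASSISTED:
            self.assists += 1
        else:
            self.traps += 1
        return self._emulate(g, op, args)

    def _emulate(self, g: Guest, op: str, args):
        if op == "LPSW":
            (supervisor_bit,) = args          # guest loads a new PSW; only the flag moves
            g.virt_supervisor = bool(supervisor_bit)
            return f"LPSW emulated: virtual supervisor={g.virt_supervisor}"
        if op == "SSK":
            key, addr = args                  # set storage key: harmless only inside own storage
            if not g.lo_addr <= addr < g.hi_addr:
                raise Trap(f"SSK {addr:#x} outside {g.name}'s storage")
            g.keys[addr] = key
            return f"SSK done for {addr:#x}"
        if op == "SIO":
            vdev, cyl = args                  # start I/O: translate to the minidisk extent
            md = g.minidisks.get(vdev)
            if md is None:
                raise Trap(f"SIO to unowned device {vdev:03X}")
            real_cyl = md.first_cyl + cyl
            if cyl < 0 or real_cyl > md.last_cyl:
                raise Trap(f"SIO beyond minidisk {vdev:03X} extent (cyl {cyl})")
            return f"SIO translated: {md.real_disk} cyl {real_cyl}"
        raise Trap(f"unhandled privileged op {op}")


def try_op(hv: Hypervisor, g: Guest, op: str, *args):
    try:
        return hv.execute(g, op, *args)
    except Trap as e:
        return f"TRAP: {e}"


def demo():
    """Two CMS guests share one real volume through disjoint minidisk extents (constructed)."""
    hv = Hypervisor()
    cms1 = Guest("CMS1", {0x191: Minidisk("DASD01", 100, 149)}, 0x100000, 0x200000)
    cms2 = Guest("CMS2", {0x191: Minidisk("DASD01", 150, 199)}, 0x200000, 0x300000)
    r = {}
    r["problem_state"] = try_op(hv, cms1, "SIO", 0x191, 0)   # not yet in virtual supervisor
    hv.execute(cms1, "SVC", 0)
    hv.execute(cms2, "SVC", 0)
    r["cms1_read"] = hv.execute(cms1, "SIO", 0x191, 10)       # same vdev, different real cyl
    r["cms2_read"] = hv.execute(cms2, "SIO", 0x191, 10)
    r["overrun"] = try_op(hv, cms1, "SIO", 0x191, 60)         # would reach CMS2's extent
    r["foreign_storage"] = try_op(hv, cms1, "SSK", 3, 0x250000)
    r["own_storage"] = hv.execute(cms1, "SSK", 3, 0x150000)
    r["traps"], r["assists"] = hv.traps, hv.assists
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The point to take from the model is the one Darrel makes about size: every check the hypervisor has to get right is an extent or address comparison in `_emulate`, while the guest OS above it can be as large and as buggy as it likes without reaching another partition. Note too that the assisted path skips the trap cost but not the check; a VM-assist that dropped the bounds test would be the kind of hole Tom's follow-up is worried about.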
eager@amd.UUCP (Mike Eager) (12/20/84)
> So I was surprised a few years ago to read a Datamation (?) article
> by an IBM computer security person who said
> that they 'warranted' the security of MVS but not VM.
> That means IBM will fix any security hole found in MVS.
>
> From what I have heard MVS (with RACF) is much more secure than
> MVF or MVT but only in the sense that security flaws are much more
> obscure and difficult to exploit.  Perhaps VM, though potentially secure,
> comes up short since VM users insist on sharing (minidisks, whatever)
> and the hacks^H^H^H^Hmechanisms for so doing have security flaws.
>	Tom Truscott

MVS is substantially more secure than MVT or MFT or the other OS/360 or DOS operating systems, having plugged most of the glaring holes.  Sometime I'll tell about how I used to tell the operating system to use my open exit, then I'd finagle getting returned in supervisor mode.  Ah, history.

There was an IBM Systems Journal some years ago which had a set of articles about VM security.  I have the feeling that it should be quite easy to verify that VM is secure, in the sense that one user cannot obtain or alter the data of another user without permission.  Sharing mini-disks requires that permission.
henry@utzoo.UUCP (Henry Spencer) (12/22/84)
> ... I have the feeling that it should be quite easy to verify
> that VM is secure, in the sense that one user cannot obtain or alter the data
> of another user without permission.  Sharing mini-disks requires that
> permission.

That's exactly where the problem lies:  sharing.  Isolation is easy (well, relatively easy) to verify.  Controlled sharing is the hard part.
-- 
				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,linus,decvax}!utzoo!henry