craig@tolerant.com (Craig Harmer) (05/26/90)
REICHETZ@AWIIMC11.BITNET (Christian J. Reichetzeder) writes: [text deleted] >I admit that a clever virus *could* go unnoticed for sufficient time. But it's >rather unlikely that the *developement* of the virus would - unless the whole >systems group is taking part. >Well, 'nuf said for now, I'll wait for comments >Christian while i was working at amdahl (on UTS, amdahl's Unix), i could quite readily have put my time into developing a virus. i spent quite a bit of time on test domains where i effectively had the whole machine to myself (booting, supervisor state, etc.). while i was developing standalone software, i could have just as easily split my time with developing standalone viruses. of course i was doing UTS development, but i could have brought up MVS or VM instead. but anyway, why should that be necessary? there have been several examples of Unix viruses, and a couple VMS viruses. wasn't there even something on Bitnet (i'm not sure)? i suspect that MVS and VM have *more* holes than Unix, for the simple reason that there are less people around looking for holes to exploit. far fewer people have access to the source, or machines that run it. they cost more than $1 million each, after all. it was my understanding that any user could crash VM quite easily by simply filling up all the spooling space--i don't think even unix is that fragile. and, while VM has a number of "security" or privilege levels, once you get a step beyond the joe-user level (class G?) its supposed to be easy to all the way to root (class A?). i don't know how, though; i was never very interested. there's nothing magical about MVS or VM, after all. - -- {apple,pyramid}!tolsoft!craig craig@hoser.tolerant.co m (415) 626-6827 (h) (408) 433-5588 x220 (w) [views expressed above shouldn't be taken as Tolerant's views, or your views or even as my views]
AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) (06/04/90)
craig@tolerant.com (Craig Harmer) writes: >...wasn't there even something on Bitnet (i'm not sure)? i suspect >that MVS and VM have *more* holes than Unix, for the simple reason that >there are less people around looking for holes to exploit. far fewer >people have access to the source, or machines that run it. they cost >more than $1 million each, after all. >...{stuff about VM's frailties deleted}... I believe you're referring to the infamous XMAS (or CHRISTMA) EXEC that could in fact crash VM by filling up it's spool space. But, as with any other system, alert staff here were able to nip it in the bud *before* VM came crashing down (similarly, we have been able to avoid XMAS clones by making the operations staff aware of them as they appear). It is my intuition that any system that has a file transfer mechanism has to have dasd to put files onto, and thus runs the risk of crashing when that dasd area runs dry (I don't know, other systems may handle it better, e.g., by rejecting files when spool space is dry; in fact, I think VM can be set up in this way). As for stepping all the way to class 'A' once you get beyond 'G', I really don't know; VM isn't my specialty. But it seems to me that there would be *some* measures against this built into the system. I disagree with your premise about Unix vs. VM or MVS security, though. MVS has been in development far longer than Unix has been alive (even back beyond the days of MVT), and there are many shops that use MVS and VM (IBM ain't making it on PS/2s alone). Thus, these operating systems have had much more opportunity for people to poke around in them. Not to say they are invincible, mind you, but I think they're less susceptible than Unix. As for the source being readily available, that was a matter of choice, and one that should, and has, been stood by. I wrote a shareware program with a friend, and we decided not to distribute source because we felt it would make it harder for someone to break our code that way. For the same reasons, I'm inclined to believe that building back doors and spreading viruses in Unix is easier with the source readily available. The technical knowledge isn't as necessary as general programming knowledge if the source is there. Again, it is just a matter of choice. Unix was intended to be a programmer's system; as such it does a great job. With all systems, there is a tradeoff between functionality and security, the trick is to find the right balance. /===" Arthur J. Gutowski, System Programmer : o o : MVS & Antiviral Group / WSU University Computing Center : --- : Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET \===/ AGUTOWS@cms.cc.wayne.edu Have a day. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "Please all and you will please none." -Aesop
WHMurray@DOCKMASTER.NCSC.MIL (06/07/90)
>I disagree with your premise about Unix vs. VM or MVS security, though. >MVS has been in development far longer than Unix has been alive (even >back beyond the days of MVT).... I would not want to get into an argument about it, but the difference in age is not signigficant. Unix is much older than you might guess. >.... and there are many shops that use MVS and VM >(IBM ain't making >it on PS/2s alone). Total licenses for MVS and VM are measured in the low tens of thousands. >Thus, these operating systems have >had much more opportunity for people to poke around in them. I doubt that this is true in terms of years or hours. It is likely true in terms of determination and other resources. Total reported integrity flaws in MVS have likely been in the high tens. Almost none were detected or exploited by hackers. Most were detected by people with special knowledge and training after the expenditure of significant resources. >Not to say they are invincible, mind you, but I think they're less >susceptible than Unix. Your confidence is poorly placed. While MVS and VM are as secure as IBM knows how to make them collectively, individual installations or instances are likely no better than instances of Unix. People who do penetration studies of MVS and VM for a living report that eighty-five percent will yield privilege to a knowledgeable attacker in hours to days. Most will yield to a determined attacker in days, and less than one percent will stand up for weeks. This has little to do with design or implementation by IBM but with use and management by their customers. Most MVS and VM installations are guilty of exactly the same kinds of problems as are reported in the "Cuckoo's Egg." The book takes its name from the attack that exploits the gnu-emacs editor that runs privileged. MVS installations are rife with very general utilities that run privileged and have poor controls. All of this has little to do with their vulnerability to viruses. As Dave Chess of IBM Research has tried to explain on this list several times, viruses exploit the privileges of users rather than flaws in the environment. Operating system integrity and access controls will only slow them. If users have the privilege to execute an arbitrary program of their own choice, can create or modify a procedure, and share data with a sufficiently large population of peers, then that is all that is required for the success of a virus. The trick to the success of a virus is not in its code, but in how you get it executed! William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL