On 3/2/2012 1:29 AM, David Cole wrote:
If the PFLIH hook is (as it has been described earlier in these threads) a mechanism by which a non-authorized process can become authorized, then its very existence is a "substantive offense" in and of itself. It is not just "a template", it doesn't just show the way. It *is* the way.
I keep coming back to IGX00011. Its presence on z/OS systems PROVES that the very existence of a "magic" SVC service, while arguably not a 21st-century best practice, is NOT considered an exposure or "substantive offense" when done correctly. (Those last three words are very important!) A "magic" PFLIH technique is not substantially different, from an integrity standpoint, than a "magic" SVC except that the code gets control for EVERY interrupt and so has the potential to slow things down if not implemented efficiently. The real question is whether an unintended third party can use the code to become authorized. Unlike the "magic" SVCs of the past, I'm confident that IGX00011 cannot be exploited by unintended third parties. The same might very well be true of the PFLIH approach being discussed here, despite any third-party hearsay from Bill Fairchild's colleague claiming otherwise.

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
[email protected]
http://www.phoenixsoftware.com/
