Creating intercepts for existing MVS functions as provided by IBM has
historically provided many new innovations and products. In my opinion
z/OS is a much better platform for having them. However, these
intercepts need to be designed and implemented in such a way that they do
not violate the IBM statement of integrity.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/2/2012 09:25 AM, Edward Jaffe wrote:
On 3/2/2012 1:29 AM, David Cole wrote:
If the PFLIH hook is (as it has been described earlier in these
threads) a mechanism by which a non-authorized process can become
authorized, then its very existence is a "substantive offense" in and
of itself. It is not just "a template", it doesn't just show the way.
It *is* the way.
I keep coming back to IGX00011. Its presence on z/OS systems PROVES
that the very existence of a "magic" SVC service, while arguably not a
21st-century best practice, is NOT considered an exposure or
"substantive offense" when done correctly. (Those last three words are
very important!)

A "magic" PFLIH technique is not substantially different, from an
integrity standpoint, than a "magic" SVC except that the code gets
control for EVERY interrupt and so has the potential to slow things
down if not implemented efficiently.

The real question is whether an unintended third party can use the
code to become authorized. Unlike the "magic" SVCs of the past, I'm
confident that IGX00011 cannot be exploited by unintended third
parties. The same might very well be true of the PFLIH approach being
discussed here, despite any third-party hearsay from Bill Fairchild's
colleague claiming otherwise.
--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
http://www.phoenixsoftware.com/