On Tue, 14 Sep 1999, Ryan Russell wrote:

> >and peripherals to an LPAR.  And the LPARs can then be completely
> >invisible to the others.  They are just like two physically separated
> >machines.
> 
> You hope.  This is where security holes come in.  You will not achieve the
> same level of security as you will with physically separate machines.
> There are too many places for human error, both software and hardware.
> I don't even know if it's theoretically possible.  I don't believe it's
> practically possible.
> 
> No, having said that it's not a bad design, and I applaud the attempt.  It's
> not worthy of absolute faith, though.

I won't put "absolute faith" in it either.  However, this is not a wish,
nor is it just an attempt.  This technology has been around for a looong
time. (7 or 8 years?)  It is a common thing for large IBM mainframe
sites.  It is working very reliably, at least in my own experience.

> >I guess many MVS admin working for years may still not be able to
> >circumvent the barrier imposed by the LPAR by exploiting bugs in the OS.
> >Of course, there are many other ways if you are an insider, especially if
> >you are an admin.  But for an intruder from the Internet?  I can't think
> >of any mechanism that is possible.  Maybe, some other more experienced MVS
> >admin listening on the list can shed some light on it.
> 
> Clearly there are no publicly known methods.  I have to assume they are there,
> though.

Yes, I have to assume there is some bug and some exploit in every OS in
the world though.

> >Lastly, I want to emphasize that, I did not say it is risk free.  I just
> >meant my experience told me that LPARs are just like separate physical
> >machines even when I was an admin.  I wonder if you would get any information
> >from this list of a way to compromise an LPAR even if this exists.
> 
> Unless they are clunking relays open and closed to physically separate
> busses, there has to be some way.

In fact, you can install different versions of MVS in different LPARs or
even different OSes, e.g. MVS on one LPAR, UNIX on the other (of course,
the IBM flavor).  To make this possible, there must be something BELOW the OS.
Probably some sort of microcode and dedicated hardware.

Any exploit would likely involve in-depth knowledge of 370 assembler and the
underlying microcode.  Not an easy task.

Vinci

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
