Yes, it is true that if you could introduce a trojan into an APF library
you could compromise z/OS, and that this might be possible:
If you don't have RACF or equivalent properly configured to protect all
system data sets;
If you allow update authority to APF libraries or PARMLIB to people
other than those which require it for system-level maintenance;
If you install modules into APF libraries from any sources other than
trusted vendors;
If you add installation hooks deliberately designed to circumvent
security that might be exploited, or tolerate vendor products with such
exposures;
If you don't have some sort of change management, oversight, and
monitoring in place to catch violations of installation security policies.
In a very real sense RACF and system maintenance policies and the
mindset and training of z/OS SysProgs are the anti-virus software on
z/OS and this combination has worked quite well over the decades -- much
more reliably than even the best anti-virus software on MS platforms,
and no periodic database or detection program refresh ever required.
The concept of allowing average-Joe user to be able to download data
from arbitrary sources in arbitrary formats and being able from that to
somehow introduce executable code into the system in ways that will
execute with special privileges so as to introduce a virus or trojan is
an issue that is endemic to Windows platforms but foreign to z/OS.
Thus it makes excellent sense for auditors to examine and question
installation RACF conventions, access to critical system data sets, and
change management procedures. It makes zero sense to ask what is your
z/OS anti-virus software.
JC Ewing
On 03/27/2012 01:49 PM, David Cole wrote:
I'm sorry Tom. I did not intend my remarks to be personal. I deeply
regret that you feel hurt by them. Please don't let my words deter you
from future contributions. Your thoughts generally are more valuable
than most.
I just wanted to emphasize the APF Trojan horse vulnerability. It is
real, it is serious, yet for decades everyone seems to want to pretend
that it does not exist... It mystifies me.
...
www.zassure.com is the closest thing I've seen to an MVS anti-virus
program. After seeing a demo, I would have bought it, or recommended
it to a client. Check it out, you will be surprised, if not shocked.
Thank you for this. I will check it out.
[Regarding SAF] I do take issue with your last sentence. SAF and an
ESM have everything to do with anti-virus protection, provided they
are configured to correctly protect APF-authorized resources.
Perhaps. However, all an APF authorized program has to do is flip a bit
or two in certain RACF control blocks, and voilĂ ! He's suddenly a
supervisory program and, as such, is given a pass on all RACF calls...
Alternatively, a malicious APF program can simply dynamically front-end
certain supervisory programs, and again voilĂ ! (As I'm sure you know,
APF programs can fairly easily defeat all hardware storage protections.)
Yes, SAF is still called even for APF programs, but an APF program can
still subvert those calls.
I've never forgotten this [APF libraries]. That's why my
APF-authorized libraries are severely limited in scope, and audited
for any and all updates.
Enforcing trust is a technical issue. RACF is very good at that.
Deciding who to trust is a management issue. Even at shops that allow
only trusted vendor software into APF authorized libraries is implicitly
trusting the hundreds or even thousands of people involved in the
development of that software.
Again, I go into more detail about this in my prior post:
"<https://bama.ua.edu/cgi-bin/wa?A2=ind0608&L=IBM-MAIN&P=R63457&I=-3&X=6EB01556E36E4D9CAC&Y=dbcole%40colesoft.com&d=No+Match%3BMatch%3BMatches>https://bama.ua.edu/cgi-bin/wa?A2=ind0608&L=IBM-MAIN&P=R63457&I=-3&X=6EB01556E36E4D9CAC&Y=dbcole%40colesoft.com&d=No+Match%3BMatch%3BMatches
".
Again, please accept my apology, Tom. It was not intended to be
personal. I'm sorry it came out that way.
Dave Cole REPLY TO: dbc...@colesoft.com
ColeSoft Marketing WEB PAGE: http://www.colesoft.com
736 Fox Hollow Road VOICE: 540-456-8536
Afton, VA 22920 FAX: 540-456-6658
At 3/27/2012 02:21 PM, Pinnacle wrote:
Replies like this are why I seldom post to IBM-Main anymore. The fact
that it comes from someone who I respect and consider a friend hurts
all the more. Bottom line is that I work for a living, and I often
don't have time to respond in gory detail to everything posted. My
primary objective here was to stress that the z/OS architecture is
inherently hardened against viruses. The fact that I did not go into
explicit protections for APF-authorized programs appears to have been
my fatal flaw, according to Mr. Cole. Regardless of what comes back,
this will be my last post on the subject. My comments below.
Regards,
Tom Conley
On 3/27/2012 1:06 PM, David Cole wrote:
At 3/27/2012 11:19 AM, Pinnacle wrote:
There is a mainframe product that protects against malicious
software. It's called SAF, and it interfaces with ESM's like RACF,
or ACF2, or TopSecret.
"SAF" is not a product. It stands for "System Access Facility" and it
is nothing more than an interface within z/OS into which a security
system (such as ACF2, TopSecret and any ryo security system) can plug
into to receive and respond to security calls. It really has nothing
to do with anti-virus protection.
SAF is not a product, you're right. Please forgive my use of the term
"product", I should have said "feature". I do take issue with your
last sentence. SAF and an ESM have everything to do with anti-virus
protection, provided they are configured to correctly protect
APF-authorized resources.
It [z/OS] is the only operating system out there with built-in
anti-virus protection. On top of that, the hardware itself actively
protects against damage through storage keys, protected memory, etc.
You have to explain to the auditors that anti-virus software is not
needed on z/OS, because it's intrinsic to the operating system and
the hardware.
I think you seriously misunderstand what a virus is...
Yes, z/OS has exceptional security (and integrity and reliability)
features for protecting against non-authorized programs. But I must
emphasize... -->NON<--authorized programs!
When it comes to AUTHORIZED programs, z/OS's integrity (which is what
you are talking about with "storage keys" and such) is very good, but
of course not bulletproof. Worse though, when it comes to SECURITY,
there are some real problems! Because with the proper knowledge, it
is TRIVIALLY EASY FOR AN AUTHORIZED PROGRAM TO SUBVERT SECURITY
COMPLETELY!
This is what mainframers constantly forget regarding security. For
authorized programs there is no security. All that is necessary for a
malicious program to do is to Trojan-horse its way (with the AC(1)
attribute) into an authorized library, and you're done for!
I've never forgotten this. That's why my APF-authorized libraries are
severely limited in scope, and audited for any and all updates.
As far as I know there is no serious anti-virus program for
mainframes. I believe strongly that there needs to be one, but I
don't know of one. And at this stage of the mainframe culture, I
would be seriously suspicious of the efficacy of any program that
claimed to be anti-virus. I don't think that a serious mainframe
anti-virus program can exist unless and until IBM itself makes a
commitment to support an effort to make the mainframe anti-virus proof.
...
--
Joel C. Ewing, Bentonville, AR jcew...@acm.org
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
