> -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On > Behalf Of Edward Jaffe > Sent: Sunday, October 22, 2006 8:38 AM > To: [email protected] > Subject: Re: Is the teaching of non-reentrant HLASM coding practices ever > defensible? > > Paul Gilmartin wrote: > > On Sat, 21 Oct 2006 15:44:00 -0600, Jeffrey D. Smith > <[EMAIL PROTECTED]> wrote: > > /snip/ > >> The only way to know for sure is to put the program into > >> read-only storage. An unauthorized program can do that by > >> using the IARVSERV or PGSER to page protect the program > >> after it is loaded. The program must be marked page-aligned > >> and the size must be an exact multiple of a page. > >> > >> > > There has also been discussed on ASSEMBLER-LIST a secret PARMLIB > > option that when set causes all code, authorized or not, marked > > RENT to be loaded in a write-protected subpool. There was a URL > > for an IBM presentation. > > > > Write-protected subpools?! No such thing! > > I mentioned the CsvRentSp252 DIAG trap earlier in this thread.. What > that does is put RENT code into subpool 252, which is key zero storage. > Therefore, programs running in PSW key zero can modify SP 252 storage. > > To get complete protection of all RENT modules, you must use the > CsvRentProtect DIAG trap. That uses PGSER PROTECT to protect the modules > once they're loaded. I don't recommend that setting on systems older > than z/OS V1R8 because there are several popular IBM programs, residing > in SP 252, that "legitimately" update themselves and whose module names > don't appear in the exception table until that release. > > [Disclaimer: DIAG traps are not intended for use on production systems.] > > -- > Edward E Jaffe /snip/
I prefer rolling my own IARVSERV or PGSER cover program, because it only affects my job step address space and not the entire system. I guess on a single-user system, like a FLEX-ES (rest in peace), the DIAG stuff would be OK. It doesn't take much work to LOAD the target program, figure out the boundaries and issue PGSER PROTECT (or IARVSERV ACCESS=READONLY). Then on the way out, be sure to unprotect the pages before issuing DELETE. Protected pages are not foolproof, but certainly stronger than relying on key 0 storage to detect self-modifying reentrant programs. Jeffrey D. Smith Principal Product Architect Farsight Systems Corporation 700 KEN PRATT BLVD. #204-159 LONGMONT, CO 80501-6452 303-774-9381 direct 303-484-6170 FAX http://www.farsight-systems.com/ comments are invited on my encryption project ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
