> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Arthur T.
> Sent: Thursday, June 21, 2007 3:17 PM
> To: [email protected]
> Subject: Re: SVC vs APF and other 'privileged' code
> 
> On 21 Jun 2007 14:03:20 -0700, in bit.listserv.ibm-main
> (Message-ID:<[EMAIL PROTECTED]>)
> [EMAIL PROTECTED] (R.S.) wrote:
> 
> > From time to time I read on the list about companies
> > which demand ISVs to provide source code for SVC routines
> > to analyze it from security point of view.
> > While I don't know too much about z/OS 'guts', I'm
> > wondering what is the reason for that? Or rather, why the
> > SVC code is so important, while APF-authorized libraries
> > are not subject to analysis. The same applies to programs in
> > SCHEDxx members.
> > AFAIK (I could be wrong) an APF-authorized program can bypass
> > security rules, so it can be dangerous. Is SVC more
> > dangerous?
> 
>       What follows is a mixture of facts, opinion, and
> experience.  I am not pointing a finger at any particular
> companies or software packages.
> 
/snip/
> 
>       Many companies, and some software packages, even have
> "get yourself authorized" SVCs.  If you know the secret
> software handshake, you can make your non-authorized
> program authorized.  Some of these SVCs do better jobs than
> others of assuring that they came from programs which are
> to be trusted.  Regardless, they're frowned on by auditors.

Every instance of the ISV "get yourself authorized SVC" that
I have seen is horribly broken. The only such SVC that actually
works correctly is the IBM MODESET SVC, which requires the
caller to be APF authorized (or already running in system state).

The general rule is that a program that needs to do something
authorized should put that logic on the other side of the
SVC/PC fence and do it in a controlled environment. I have not
yet seen an ISV "get yourself authorized" SVC that couldn't
be replaced with a correct authorized service that does it
the right way. Just sloppy or incompetent developers IMHO.
(Yes, I've been bitchslapped for complaining about bad SVC;
enuf said...)


Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
