I would implore every author of supervisor state code to read Karl Schmitz's 
presentation "z/OS System Integrity: Authorized Software Without Security 
Holes".

Here is a link : 
ftp://public.dhe.ibm.com/s390/zos/racf/pdf/zOS_System_Integrity.pdf

There are many examples of public domain authorized code that break z/OS 
system integrity rules.

Most of the time, it is the code that deals with the interface boundary between 
the problem state caller and the authorized service that is found wanting.

Examples of bad practices include :

(o) Referencing caller supplied values or addresses without using the caller's 
key (e.g. reading from caller using "MVC" while in key0 rather than something 
like "MVCSK")
(o) Writing to caller supplied storage areas without using the caller's key (e.g. 
writing to caller storage using "MVC/MVCL" while in key0 rather than something 
like "MVCDK")
(o) Trusting caller input without sensible validation (e.g. lengths and null 
values)
(o) Trusting caller to supply control block or identity information
(o) Not taking a local copy of supplied parameter list and parameters to 
authorized working storage at the start of the authorized service.

Rob Scott
Rocket Software
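
An added example, not part of the original post and not IBM or Rocket code: a simplified C model of key-controlled storage protection, showing how a key-0 service that fetches and stores with its own key can be pointed at protected storage, and how using the caller's key, a local parameter copy and a length check stop that. All names (`stg`, `skey`, `struct plist`, `service`, `demo`), the parameter layout and `MAXLEN` are hypothetical; `fetch` and `store` only imitate the checks MVCSK and MVCDK apply, and the caller's key is assumed to come from system-maintained state, never from the parameter list.

```c
#include <stdint.h>
#include <string.h>

#define PAGE 4096u
#define NPAGES 2u
#define MAXLEN 64u                    /* constructed limit for this service */

/* Model: each 4K page has an access key and a fetch-protection flag. */
static uint8_t stg[NPAGES * PAGE];
static struct sk { uint8_t key; int fetch_prot; } skey[NPAGES];
/* 1 if an access under `key` is allowed; key 0 matches every page. */
static int access_ok(uint8_t key, uint32_t addr, uint32_t len, int store) {
    if (len == 0 || addr >= sizeof stg || len > sizeof stg - addr) return 0;
    for (uint32_t p = addr / PAGE; p <= (addr + len - 1) / PAGE; p++)
        if (key != 0 && key != skey[p].key && (store || skey[p].fetch_prot))
            return 0;                 /* real hardware: protection exception */
    return 1;
}
/* Fetch from caller-named storage: key 0 models plain MVC, caller key MVCSK. */
static int fetch(void *dst, uint32_t src, uint32_t len, uint8_t key) {
    return access_ok(key, src, len, 0) ? (memcpy(dst, stg + src, len), 0) : -1;
}
/* Store to caller-named storage: key 0 models plain MVC, caller key MVCDK. */
static int store(uint32_t dst, const void *src, uint32_t len, uint8_t key) {
    return access_ok(key, dst, len, 1) ? (memcpy(stg + dst, src, len), 0) : -1;
}
struct plist { uint32_t in_addr, in_len, out_addr; };   /* hypothetical layout */

/* Copy in_len bytes from in_addr to out_addr on behalf of the caller.
 * key_for_caller = 0 reproduces the bad practice; the caller's key hardens it. */
int service(uint32_t plist_addr, uint8_t key_for_caller) {
    struct plist p;     /* local copy: checks and later uses see the same values */
    uint8_t work[MAXLEN];
    if (fetch(&p, plist_addr, sizeof p, key_for_caller)) return -1;
    if (p.in_len == 0 || p.in_len > MAXLEN) return -2;
    if (fetch(work, p.in_addr, p.in_len, key_for_caller)) return -3;
    if (store(p.out_addr, work, p.in_len, key_for_caller)) return -4;
    return 0;
}
/* Constructed scenario: page 0 is key 0 and fetch-protected, page 1 is key 8. */
int demo(uint8_t key_for_caller, uint32_t in_addr, uint32_t in_len) {
    struct plist p = { in_addr, in_len, PAGE + 256 };
    memset(stg, 0, sizeof stg);
    skey[0] = (struct sk){ 0, 1 };
    skey[1] = (struct sk){ 8, 0 };
    memcpy(stg, "SYSTEM-SECRET", 13);             /* protected system data */
    memcpy(stg + PAGE, &p, sizeof p);             /* caller builds its plist */
    return service(PAGE, key_for_caller);
}
int main(void) { return !(demo(0, 0, 13) == 0 && demo(8, 0, 13) == -3); }
```

With key 0 the request completes and the protected bytes land in the caller's output area; with the caller's key 8 the same request fails at the input fetch and the output area stays untouched.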

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Alan Young
Sent: Sunday, November 18, 2018 9:33 AM
To: [email protected]
Subject: Re: System level coding examples

I have the 2nd edition of the book. It does cover data and hiper spaces. They 
are in the Extended Addressability section. If memory serves, data spaces were 
introduced in the 1990s with MVS/ESA 4.x or 5 and Hiperspaces were around 
before that.

The section on Inter Address Space Communications has information and examples 
for communicating with SRBs or CMS.

The examples from the book's first edition are on the CBT tape file 069.

Alan

-----Original Message-----
>From: Charles Mills <[email protected]>
>Sent: Nov 17, 2018 2:57 PM
>To: [email protected]
>Subject: Re: System level coding examples
>
>1999, so not going to cover PC-ss, for example.
>
>https://www.wiley.com/legacy/compbooks/catalog/36176-3.htm
>
>Or 64-bit, or relative jumps, or dataspaces, ...
>
>Charles
>
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[email protected]]
>On Behalf Of Lizette Koehler
>Sent: Saturday, November 17, 2018 12:44 PM
>To: [email protected]
>Subject: Re: System level coding examples
>
>Just catching up on this thread.
>
>Has anyone looked to see if this book helps?
>
>
>Advanced Assembler Language and MVS Interfaces: For IBM Systems and
>Application Programmers 2nd Edition by Carmine A. Cannatello (Author)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN