If the trap door is in an APF authorized library, then by convention it's part 
of the operating system, and would be considered a platform issue. Anything 
that is APF authorized is expected to adhere to the statement of integrity that 
z/OS publishes.

Wayne Driscoll
Rocket Software
Note - All opinions are strictly my own.
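One practical check that follows from the point above (anything APF-authorized is part of the trusted platform) and from the UACC(ALTER) observation further down the thread: script the audit that flags APF libraries whose RACF data-set profile grants the universe more than READ, has no profile at all, or is in WARNING mode. This is an added example, not code from any of the posters. The sample CSV450I (D PROG,APF) and LISTDSD output embedded below is constructed to approximate the shape of the real displays, so adjust the regular expressions to what your system actually prints.

```python
"""
Audit: flag APF-authorized libraries whose RACF data-set profile lets
more than READ access leak to the universe (UACC), has no profile at
all, or is in WARNING mode (access granted and merely logged).

Sample input is CONSTRUCTED to approximate 'D PROG,APF' (CSV450I) and
'LISTDSD' output; the dataset and volume names are hypothetical.
"""
import re

# Constructed sample, approximating the CSV450I APF display.
APF_DISPLAY = """\
CSV450I 14.25.13 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
  1   SYSRES SYS1.LINKLIB
  2   SYSRES SYS1.SVCLIB
  3   USR001 VENDOR.APF.LOADLIB
  4   USR002 TEST.APF.LOADLIB
"""

# Constructed sample, approximating LISTDSD output for the profiles
# found. SYS1.SVCLIB deliberately has no entry (no profile found).
LISTDSD_OUTPUT = """\
INFORMATION FOR DATASET SYS1.LINKLIB

LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    SYS1            READ           NO        NO

INFORMATION FOR DATASET VENDOR.APF.LOADLIB

LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    SYSPROG         ALTER          NO        NO

INFORMATION FOR DATASET TEST.APF.LOADLIB

LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    SYSPROG         READ           YES       NO
"""

# RACF access levels in increasing order of privilege.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2,
               "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
ACCESS_RE = "|".join(ACCESS_RANK)


def parse_apf_list(text):
    """Return [(dsname, volume), ...] from the numbered APF entry lines."""
    libs = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            libs.append((m.group(2), m.group(1)))
    return libs


def parse_listdsd(text):
    """Return {dsname: {'uacc': str, 'warning': bool}} from LISTDSD text."""
    profiles = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^INFORMATION FOR DATASET (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # The detail line under the LEVEL/OWNER/UNIVERSAL ACCESS header.
        m = re.match(r"^\s*\d{2}\s+\S+\s+(" + ACCESS_RE + r")\s+(YES|NO)\s+(YES|NO)\s*$", line)
        if m and current:
            profiles[current] = {"uacc": m.group(1), "warning": m.group(2) == "YES"}
    return profiles


def audit_apf(apf_list, profiles, max_uacc="READ"):
    """Return [(dsname, reason), ...] for every APF library failing the policy."""
    findings = []
    limit = ACCESS_RANK[max_uacc]
    for dsn, _vol in apf_list:
        prof = profiles.get(dsn)
        if prof is None:
            # Unprotected, or covered only by a generic profile this
            # simple exact-name match does not resolve; investigate either way.
            findings.append((dsn, "NO PROFILE FOUND"))
            continue
        if ACCESS_RANK[prof["uacc"]] > limit:
            findings.append((dsn, f"UACC({prof['uacc']})"))
        if prof["warning"]:
            # WARNING mode grants the access anyway and only logs it.
            findings.append((dsn, "WARNING MODE"))
    return findings


if __name__ == "__main__":
    for dsn, reason in audit_apf(parse_apf_list(APF_DISPLAY),
                                 parse_listdsd(LISTDSD_OUTPUT)):
        print(f"{dsn:<32} {reason}")
```

The script matches profiles by exact data-set name; on a real system most APF libraries are covered by generic profiles, so feed it the output of LISTDSD DATASET('dsn') GENERIC for each library (which reports the covering profile) rather than a bare LISTDSD, and treat "NO PROFILE FOUND" as a finding to investigate rather than a proven gap. UACC is only the universe; a full review also walks the access list for UPDATE or higher granted to IDs or groups that are not system programmers.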

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Seymour J Metz
Sent: Wednesday, May 29, 2019 2:58 PM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

>  A single TRAP DOOR code vulnerability pierces the veil of integrity
> and can be used to compromise the mainframe. Is this a platform weakness?

An application with a trap door is an application vulnerability. If there is a 
trap door in z/OS itself then that's a platform vulnerability. I'd be willing 
to bet a substantial amount that the majority of penetrations in z/OS are 
application, configuration, personnel and process vulnerabilities rather than 
z/OS vulnerabilities.

> Would you say that the elimination of User Key Common storage is an
> example of a z/OS change to address a mainframe platform weakness

Partially.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Ray 
Overby <[email protected]>
Sent: Wednesday, May 29, 2019 11:11 AM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

In response to "Mistakes, lack of time, lack of control, lack of skills.
Not a platform weakness." comment: The mainframe platform, z/OS, and ESMs all 
rely on integrity to function. A single TRAP DOOR code vulnerability pierces 
the veil of integrity and can be used to compromise the mainframe. Is this a 
platform weakness? I think so. The platform relies on all code it runs adhering 
to certain rules. z/OS could be changed to better check and enforce those rules.

Would you say that the elimination of User Key Common storage is an example of 
a z/OS change to address a mainframe platform weakness? I think so.

An interesting observation. Thanks.

On 5/29/2019 5:25 AM, R.S. wrote:
> That's classical FUD.
> Frightening people.
> "if an exploit", "if job reads you RACF db", "unintended consequences".
> What exact hacking scenario can provide the RACF db to the hacker?
> Yes, I saw APF libraries with UACC(ALTER), UID(0) as standard TSO user
> attribute, even UPDATE to RACF db. But it's a problem of people.
> Mistakes, lack of time, lack of control, lack of skills. Not a
> platform weakness.
>
> It's typical that assurance/lock/gun salesmen tend to talk about
> risks, threats and dangers. They create a vision.
> My English is poor, but I can observe it in two of the debaters here.
> It's visible. I don't like social engineering.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
