Re: [SC-L] COBOL Exploits

2007-11-18 Thread Andrew van der Stock
I've been researching web app - mainframe security from a software  
engineering perspective for about the last six months. If anyone from  
a mainframe background wants to collaborate, I'd be more than happy to  
share as I have a few challenges:


a) I'm working from secondary resources (web pages, manuals, PDFs)
b) I don't have access to a z/OS or similar system and thus cannot  
mock up a test environment to prove or disprove my hypotheses on how  
best to prevent certain classes of attack
c) I really don't have a lot of experience with z/OS, COBOL, DB2, IMS,  
or CICS. Therefore, I could be missing some great resources and  
features.


Saying that, I have made a bit of headway by applying first principles  
and trying to discover what is available to assist and protect against  
certain threats and attacks. I've just posted a draft entry to my blog  
detailing the first (and I mean first) post I've had brewing since May  
this year. It's nowhere near as good as I would have liked.


I don't do exploits. You will not be seeing any how to hax0rs b1g  
ir0n from me. I don't see the relevance of arming script kiddies.  
Only the architects and developers need to know how to develop and  
maintain safer designs and code, and folks like me need to know what  
to look for to make sure it's in place.


That said, from my personal research, this area is a total greenfield.  
The folks who know mainframe security simply don't come out of their  
shells often enough. They have the goods, but the goods are not really  
well known amongst the architects and devs I've dealt with. Most of  
the business folks who ask for their shiny new dodgy code to talk to  
old dodgy transactions don't see this risk and refuse to pay to have  
qualified folks review and remediate the security of the mainframe  
side. They see it as this reliable old workhorse - which is not broke,  
so don't fix it. And in my personal experience, they NEVER fix it.


On another note, I'm really happy to see Fortify tackle the mainframe  
with their SCA products. It's really late and delayed, but better late  
than never. I know a bunch of sites that could use that tool if it  
works even 1% as well as the marketing is likely to make out.


thanks,
Andrew van der Stock
Executive Director, OWASP
Project Lead & Author, OWASP Guide

On Nov 2, 2007, at 1:45 PM, Peter G. Neumann wrote:


Searching through
 http://www.csl.sri.com/neumann/illustrative.html
gives these COBOL-related RISKS items.  The initial
character descriptors are defined there.  In the citations,

* R relates to RISKS (archives at risks.org)
* S relates to SIGSOFT Software Engineering Notes (archives at
   www.sigsoft.org/SEN/ although more recent items also in RISKS)

Vf  West Drayton ATC system bug found in 2-yr-old COBOL code (S 16 3, R 11 30)


$fe IRS COBOL reprogramming delays; interest paid on over 1,150,000 refunds
 (S 10 3:12)

S[H?] Election frauds, lawsuits, spaghetti code, same memory locations
used for multiple races simultaneously, undocumented GOTOs, COBOL
ALTER verb allowing self-modifying code, calls to undocumented/unknown
subroutines, bypassable audit trails (S 11 3);
Report from the Computerized Voting Symposium, August 1986 (S 11 5)

Sie
Data transfer Excel-COBOL loses voter data in 2003 Greenville
 Mississippi election (R 22 95)

$hi Man gets $218 trillion phone bill (R 24 24); COBOL program?
 (R 24 27,29,30,33)

f Discussion of date and century roll-over problems:
Fujitsu SRS-1050 ISDN display phones fail on two-digit month (10);
1401 one-character year field; COBOL improvements; IBM 360 (S 20 2:13)
 [See Fred Ballard and Walt Murray  (R 16 70 ff).]
 [Lots of stuff is relevant on COBOL's two-character year field
 and the entire Y2K saga.]
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___



[SC-L] COBOL Exploits

2007-11-02 Thread Mark Rockman
The adolescent minds that engage in exploits wouldn't know COBOL if a 
printout fell out a window and onto their heads.  I'm sure you can write COBOL 
programs that crash, but it must be hard to make them take control of the 
operating system.  COBOL programs are heavy into unit record equipment (cards, 
line printers), tape files, disk files, sorts, merges, report writing -- all 
the stuff that came down to 1959-model mainframes from tabulating equipment.  
They don't do Internet.  What they could do and have done is incorporate 
malicious code that exploits rounding error such that many fractional pennies 
end up in a conniving programmer's bank account.
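The fractional-penny rounding abuse Mark mentions is normally caught by reconciling each posted credit against an independently recomputed expectation. The following is an added example and not code from the thread: the account numbers, balances, rate and posted amounts are constructed, and `audit_batch` is a hypothetical audit routine, not any real batch system's API.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample batch (not real data): account balances, the rate
# applied for one monthly interest posting, and the credits the batch
# program actually wrote.  "SINK-0001" is a constructed account with no
# balance record that nevertheless receives a credit.
BALANCES = {
    "ACCT-1001": Decimal("1234.56"),
    "ACCT-1002": Decimal("98765.43"),
    "ACCT-1003": Decimal("500.00"),
}
MONTHLY_RATE = Decimal("0.0025")   # 3% p.a. / 12, constructed

POSTED = {
    "ACCT-1001": Decimal("3.08"),    # exact 3.0864 -> 3.09; one cent short
    "ACCT-1002": Decimal("246.91"),  # exact 246.913575 -> 246.91; correct
    "ACCT-1003": Decimal("1.25"),    # exact 1.2500 -> 1.25; correct
    "SINK-0001": Decimal("0.01"),    # the shaved cent, parked elsewhere
}


def expected_credit(balance):
    """Interest the batch should credit: rounded once, half-up, to the cent."""
    return (balance * MONTHLY_RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def audit_batch(balances, posted):
    """Return (per-account deltas, batch-level residual).

    deltas maps every account whose credit differs from the recomputed
    expectation to the difference (posted - expected).  An account with no
    balance record has an expectation of 0.00, so any credit to it shows up.
    The residual is the batch total minus the sum of expectations; note that
    a pure cent-shaving scheme leaves it at zero, so the per-account check,
    not the total, is what detects it.
    """
    deltas = {}
    for acct, amount in posted.items():
        delta = amount - expected_credit(balances.get(acct, Decimal("0")))
        if delta != 0:
            deltas[acct] = delta
    residual = (sum(posted.values(), Decimal("0"))
                - sum(expected_credit(b) for b in balances.values()))
    return deltas, residual
```

Running `audit_batch(BALANCES, POSTED)` flags ACCT-1001 (-0.01) and SINK-0001 (+0.01) while the batch residual is 0.00, which is exactly why totals-only reconciliation misses this class of fraud.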


Re: [SC-L] COBOL Exploits

2007-11-02 Thread security curmudgeon

Hi Mark,

: The adolescent minds that engage in exploits wouldn't know COBOL if a 
: printout fell out a window and onto their heads.  I'm sure you can write 
: COBOL programs that crash, but it must be hard to make them take control 
: of the operating system.  COBOL programs are heavy into unit record 
: equipment (cards, line printers), tape files, disk files, sorts, merges, 
: report writing -- all the stuff that came down to 1959-model mainframes 
: from tabulating equipment.  They don't do Internet.  What they could do 
: and have done is incorporate malicious code that exploits rounding error 
: such that many fractional pennies end up in a conniving programmer's 
: bank account.

I'd love for you to show me such exploits, specifically citing the OS 
and/or affected programs *with* a public reference. =)

http://osvdb.org/
Search
Disclosure Date Range: 1960-01-01 to 1979-01-01

Please, help me add to the collection =) Many of these were uncovered by 
my own personal interest/research along with a few contributors to my 
challenge to find the oldest documented vulnerability: 
http://osvdb.org/blog/?p=77

Brian



Re: [SC-L] COBOL Exploits

2007-11-02 Thread ljknews
At 12:13 AM -0400 11/2/07, Mark Rockman wrote:

 The adolescent minds that engage in exploits wouldn't know COBOL if a
printout fell out a window and onto their heads.  I'm sure you can write
COBOL programs that crash, but it must be hard to make them take control
of the operating system.

Of course if a program is able to take control of the operating system,
either:

A. The operating system is at fault (typically not COBOL)

B. The program is installed with special privileges

Just feeding bad parameters to a system call is inadequate to suborn
a well-constructed operating system.
-- 
Larry Kilgallen


Re: [SC-L] COBOL Exploits

2007-11-02 Thread Peter G. Neumann
Searching through 
  http://www.csl.sri.com/neumann/illustrative.html
gives these COBOL-related RISKS items.  The initial 
character descriptors are defined there.  In the citations,

* R relates to RISKS (archives at risks.org)
* S relates to SIGSOFT Software Engineering Notes (archives at
www.sigsoft.org/SEN/ although more recent items also in RISKS)

Vf  West Drayton ATC system bug found in 2-yr-old COBOL code (S 16 3, R 11 30)

$fe IRS COBOL reprogramming delays; interest paid on over 1,150,000 refunds 
  (S 10 3:12)

S[H?] Election frauds, lawsuits, spaghetti code, same memory locations
used for multiple races simultaneously, undocumented GOTOs, COBOL
ALTER verb allowing self-modifying code, calls to undocumented/unknown
subroutines, bypassable audit trails (S 11 3); 
Report from the Computerized Voting Symposium, August 1986 (S 11 5)

Sie
Data transfer Excel-COBOL loses voter data in 2003 Greenville
  Mississippi election (R 22 95)

$hi Man gets $218 trillion phone bill (R 24 24); COBOL program? 
  (R 24 27,29,30,33)

f Discussion of date and century roll-over problems:
Fujitsu SRS-1050 ISDN display phones fail on two-digit month (10);
1401 one-character year field; COBOL improvements; IBM 360 (S 20 2:13)
  [See Fred Ballard and Walt Murray  (R 16 70 ff).]
  [Lots of stuff is relevant on COBOL's two-character year field
  and the entire Y2K saga.]