Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: WHMurray@DOCKMASTER.NCSC.MIL
Newsgroups: comp.virus
Subject: Mainframe Viruses (Gutowski)
Message-ID: <0005.9006081544.AA22447@ubu.cert.sei.cmu.edu>
Date: 6 Jun 90 20:20:00 GMT
Sender: Virus Discussion List
Lines: 54
Approved: krvw@sei.cmu.edu

>I disagree with your premise about Unix vs. VM or MVS security, though.
>MVS has been in development far longer than Unix has been alive (even
>back beyond the days of MVT)....

I would not want to get into an argument about it, but the difference in
age is not significant. Unix is much older than you might guess.

>.... and there are many shops that use MVS and VM
>(IBM ain't making
>it on PS/2s alone).

Total licenses for MVS and VM are measured in the low tens of thousands.

>Thus, these operating systems have
>had much more opportunity for people to poke around in them.

I doubt that this is true in terms of years or hours. It is likely true
in terms of determination and other resources. Total reported integrity
flaws in MVS have likely been in the high tens. Almost none were
detected or exploited by hackers. Most were detected by people with
special knowledge and training after the expenditure of significant
resources.

>Not to say they are invincible, mind you, but I think they're less
>susceptible than Unix.

Your confidence is poorly placed. While MVS and VM are as secure as IBM
knows how to make them collectively, individual installations or
instances are likely no better than instances of Unix. People who do
penetration studies of MVS and VM for a living report that eighty-five
percent will yield privilege to a knowledgeable attacker in hours to
days. Most will yield to a determined attacker in days, and less than
one percent will stand up for weeks. This has little to do with design
or implementation by IBM but with use and management by their customers.

Most MVS and VM installations are guilty of exactly the same kinds of
problems as are reported in the "Cuckoo's Egg." The book takes its name
from the attack that exploits the gnu-emacs editor that runs privileged.
MVS installations are rife with very general utilities that run
privileged and have poor controls.

All of this has little to do with their vulnerability to viruses. As
Dave Chess of IBM Research has tried to explain on this list several
times, viruses exploit the privileges of users rather than flaws in the
environment. Operating system integrity and access controls will only
slow them. If users have the privilege to execute an arbitrary program
of their own choice, can create or modify a procedure, and share data
with a sufficiently large population of peers, then that is all that is
required for the success of a virus.

The trick to the success of a virus is not in its code, but in how you
get it executed!

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL