If I understand this correctly, you've been saying that a program can access
data off disk directly -- the traditional methods of access and the security
layers are bypassed.  The program isn't really opening a database file, and
even OS/400 user/object security is moot.

I think Joe Pluta and others have suggested that this exposure is an
esoteric example.  I'm inclined to feel the same -- most shops have more
glaring "real world" exposures.  If someone had an opportunity to present
such a program to a typical AS/400 he or she would have probably had a dozen
opportunities to use simpler techniques.  Nonetheless, depending on degree
of difficulty or likelihood of breach is not a good security policy.

What I'm wondering is whether other traditional business systems
architectures do or do not have similar exposures.  For example, when I was
in a shop that used Sybase years ago I was told that if you understood the
architecture you could bypass database security by reading the underlying
data files directly.  I don't know if it was really true of Sybase and I
don't think that the same is true of an Oracle database.  Even if it were
true, an n-tier model protects you from much of the exposure.  The
application makes database requests through the Oracle listener, and doesn't
have the opportunity to run an OS-level program on the server.

What do you think?  Are there other systems/databases that are inherently
better equipped to protect you from the types of exposures SLS presents?

-Jim

James P. Damato
Manager - Technical Administration
Dollar General Corporation
<mailto:jdamato@dollargeneral.com>


-----Original Message-----
From: Leif Svalgaard [mailto:leif@leif.org]
Sent: Monday, October 28, 2002 10:52 PM
To: midrange-l@midrange.com
Subject: Re: Paging file


From: David Gibbs <david@midrange.com>
> >The SLS is a very bad security risk. With fake pointers
> >one can access everything everywhere. My eBook
> >shows a simple tool, MIEXPLR, to do just that.
>
> But a program has to run in system state to do this, right?
>

Yes, but a user state program can switch itself into system
state and out at will. The archives are full of discussions of this.
