If I understand this correctly, you've been saying that a program can access data off disk directly -- the traditional methods of access and the security layers are bypassed. The program isn't really opening a database file, and even OS/400 user/object security is moot.

I think Joe Pluta and others have suggested that this exposure is an esoteric example. I'm inclined to feel the same -- most shops have more glaring "real world" exposures. If someone had an opportunity to present such a program to a typical AS/400 he or she would have probably had a dozen opportunities to use simpler techniques. Nonetheless, depending on degree of difficulty or likelihood of breach are not good security policies.

What I'm wondering is whether other traditional business systems architectures do or do not have similar exposures. For example, when I was in a shop that used Sybase years ago I was told that if you understood the architecture you could bypass database security by reading the underlying data files directly. I don't know if it was really true of Sybase and I don't think that the same is true of an Oracle database. Even if it were true, an n-tier model protects you from much of the exposure. The application makes database requests through the Oracle listener, and doesn't have the opportunity to run an OS-level program on the server.

What do you think? Are there other systems/databases that are inherently better equipped to protect you from the types of exposures SLS presents?

-Jim

James P. Damato
Manager - Technical Administration
Dollar General Corporation
<mailto:jdamato@dollargeneral.com>

-----Original Message-----
From: Leif Svalgaard [mailto:leif@leif.org]
Sent: Monday, October 28, 2002 10:52 PM
To: midrange-l@midrange.com
Subject: Re: Paging file

From: David Gibbs <david@midrange.com>
> >The SLS is a very bad security risk. With fake pointers
> >one can access everything everywhere. My eBook
> >shows a simple tool, MIEXPLR, to do just that.
> > But a program has to run in system state to do this, right?
> yes, but a user state program can switch itself into system state and out at will. The archives are full of discussions of this.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.