Unix (In)Security

Mike Lutz mjl at ritcv.UUCP
Mon Dec 10 08:51:18 AEST 1984


Good Lord! I never thought I'd ever be in a position where I'd support
(even indirectly) anything Big Blue does, but here goes:

> ecsvax!bet (Bennett Todd):
> Wait, wait, wait, formally "prove" VM secure? Gaaak. Not physically
> possible -- it runs on an IBM S-370, and emulates complete S-370's for
> each user -- including permitting users to run code in supervisor state,
> which lets them run channel control programs, which can do
> mindbogglingly complex things...

So?  The key word is *emulate*.  None of the virtual machines actually
*runs* in supervisor mode; only VM does.  Since VM need only be an
operating systems' operating system, it need only provide barebones
services to its clients.  In theory, then, VM should be much smaller
and less complex than any of the general purpose systems it monitors,
and, as a general rule, less complexity makes it easier to prove
security.

Note that MVS, CMS, and the other IBM monstrosities can be full of holes;
as long as VM puts clients on distinct virtual machines, and controls the
interactions among these machines, the system as a whole can be secure.

> VM, last I heard, attempts to look at a
> channel control program to figure out what it might do before it runs
> it, though I heard there were bugs in the attempt to sniff them out when
> the channel control programs were self-modifying.

You betcha -- this is a big hole, but is less a problem in VM than in
IBM's I/O subsystem design.  This hole can be plugged, however, and IBM
is already making moves in that direction.  For instance, big hunks of
VM have been migrated into the CPU microcode (VM ASSIST); the same
technique could be used in channel microcode to "virtualize" all
channel programs.  For all I know, something like this might already be
in place.
-- 
Mike Lutz	Rochester Institute of Technology, Rochester NY
UUCP:		{allegra,seismo}!rochester!ritcv!mjl
CSNET:		mjl%rit at csnet-relay.ARPA
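The hole the two posters argue about (a hypervisor that inspects a channel program before starting it, defeated when the program rewrites itself mid-run, and closed by checking each command as it actually executes), as an added toy model that is not from the post or from IBM's VM; the command layout, memory sizes, opcodes and sample program are all constructed.

```python
"""Toy model of the hole the post describes: inspecting a guest's channel
program *before* it runs is fooled by a program that rewrites itself while
running; checking each command as it executes closes the hole. The command
layout is a constructed stand-in, not the real S/370 CCW format."""

HOST_MEM_SIZE = 64
GUEST_LO, GUEST_HI = 0, 32           # guest's allotted region [lo, hi)
READ, WRITE, STOP = 1, 2, 0          # toy opcodes; READ = device -> memory
CMD_WORDS = 3                        # each command is (op, addr, count)

def in_guest(addr, count):
    return GUEST_LO <= addr and addr + count <= GUEST_HI

def static_scan(mem, pc):
    """Pre-execution inspection: walks the commands as they look *now*."""
    while mem[pc] != STOP:
        _op, addr, count = mem[pc:pc + CMD_WORDS]
        if not in_guest(addr, count):
            return False
        pc += CMD_WORDS
    return True

def run(mem, pc, device_data, check_each):
    """Channel execution: every command is re-fetched from memory, so an
    earlier READ can alter a later command. Returns (completed, mem)."""
    mem, data = list(mem), list(device_data)
    while mem[pc] != STOP:
        op, addr, count = mem[pc:pc + CMD_WORDS]
        if check_each and not in_guest(addr, count):
            return False, mem           # runtime check rejects the command
        if op == READ:                  # device data lands in guest memory
            for i in range(count):
                mem[addr + i] = data.pop(0) if data else 0
        pc += CMD_WORDS                 # WRITE only reads memory: no-op here
    return True, mem

def sample_program():
    """Constructed sample: command 0 reads device data on top of command 1,
    turning its target into an address outside the guest's region."""
    mem = [0] * GUEST_HI + [0xEE] * (HOST_MEM_SIZE - GUEST_HI)  # 0xEE = host
    mem[0:3] = [READ, 3, 3]             # overwrites the next command slot
    mem[3:6] = [WRITE, 8, 4]            # looks harmless to the pre-scan
    mem[6] = STOP
    device = [READ, GUEST_HI + 8, 4, 0xAA, 0xAA, 0xAA, 0xAA]
    return mem, device

def host_region(mem):
    """Host memory outside the guest's region, for checking after a run."""
    return mem[GUEST_HI:]
```

The pre-scan passes the sample, the unchecked run writes device data into host memory, and the per-command check stops at the rewritten command with host memory untouched.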