Secure Coding mailing list archives
Mainframe Security
From: ljknews at mac.com (ljknews)
Date: Fri, 2 Nov 2007 11:22:23 -0400
At 4:11 PM +0100 11/2/07, Johan Peeters wrote:
Let me offer a little variant on the previous theme though to illustrate, hopefully more convincingly, why I find COBOL worrisome: ... 01 txt pic x(2). .... move 'hi' to txt call 'evil-code' using txt .... IDENTIFICATION DIVISION. PROGRAM-ID. evil-code. DATA DIVISION. linkage section. 01 asset PIC X(1200). procedure division using asset .... The author of evil-code now has a selection of the contents of the caller's data segment at his disposal.
Are you saying that evil-code is written in some language that allows it to take advantage of by-reference semantics to go outside the nominal boundaries of 2 bytes presumed by COBOL ? If so, this is hardly an issue specific to COBOL. Presuming evil-code can play address arithmetic issues, any situation where the caller's address space is visible to evil-code is similarly vulnerable. Clearly evil-code should be in a separate address space to defend against such an attack. -- Larry Kilgallen
Current thread:
- Microsoft Pushes Secure, Quality Code, (continued)
- Microsoft Pushes Secure, Quality Code Steven M. Christey (Oct 08)
- Microsoft Pushes Secure, Quality Code J.M. Seitz (Oct 08)
- Microsoft Pushes Secure, Quality Code Romain Gaucher (Oct 09)
- Mainframe Security McGovern, James F (HTSC, IT) (Nov 01)
- Mainframe Security Johan Peeters (Nov 01)
- Mainframe Security Kenneth Van Wyk (Nov 01)
- Mainframe Security ljknews (Nov 01)
- Mainframe Security Paul Powenski (Nov 01)
- Mainframe Security Johan Peeters (Nov 02)
- Mainframe Security ljknews (Nov 02)
- Message not available
- Message not available
- Mainframe Security ljknews (Nov 02)
- Mainframe Security Glenn and Mary Everhart (Nov 02)
- Mainframe Security Gergely Buday (Nov 02)
- Mainframe Security Florian Weimer (Nov 02)
- Mainframe Security ljknews (Nov 02)
- Mainframe Security Florian Weimer (Nov 03)
- Mainframe Security Andrew van der Stock (Nov 17)
- Mainframe Security Edward N Schofield (Nov 01)
- Microsoft Pushes Secure, Quality Code Gunnar Peterson (Oct 09)