Secure Coding mailing list archives

COBOL Exploits


From: vanderaj at owasp.org (Andrew van der Stock)
Date: Sun, 18 Nov 2007 00:58:16 -0500

I've been researching web app -> mainframe security from a software  
engineering perspective for about the last six months. If anyone from  
a mainframe background wants to collaborate, I'd be more than happy to  
share as I have a few challenges:

a) I'm working from secondary resources (web pages, manuals, PDFs)
b) I don't have access to a z/OS or similar system and thus cannot  
mock up a test environment to prove or disprove my hypotheses on how  
best to prevent certain classes of attack
c) I really don't have a lot of experience with z/OS, COBOL, DB2, IMS,  
or CICS. Therefore, I could be missing some great resources and  
features.

Saying that, I have made a bit of headway by applying first principles  
and trying to discover what is available to assist and protect against  
certain threats and attacks. I've just posted a draft entry to my blog  
detailing the first (and I mean first) post I've had brewing since May  
this year. It's nowhere near as good as I would have liked.

I don't do exploits. You will not be seeing any "how to hax0rs b1g  
ir0n" from me. I don't see the relevance of arming script kiddies.  
Only the architects and developers need to know how to develop and  
maintain safer designs and code, and folks like me need to know what  
to look for to make sure it's in place.

That said, from my personal research, this area is a total greenfield.  
The folks who know mainframe security simply don't come out of their  
shells often enough. They have the goods, but the goods are not really  
well known amongst the architects and devs I've dealt with. Most of  
the business folks who ask for their shiny new dodgy code to talk to  
old dodgy transactions don't see this risk and refuse to pay to have  
qualified folks review and remediate the security of the mainframe  
side. They see it as this reliable old workhorse - which is not broke,  
so don't fix it. And in my personal experience, they NEVER fix it.

On another note, I'm really happy to see Fortify tackle the mainframe  
with their SCA products. It's really late and delayed, but better late  
than never. I know a bunch of sites that could use that tool if it  
works even 1% as well as the marketing is likely to make out.

thanks,
Andrew van der Stock
Executive Director, OWASP
Project Lead & Author, OWASP Guide

On Nov 2, 2007, at 1:45 PM, Peter G. Neumann wrote:

Searching through
 http://www.csl.sri.com/neumann/illustrative.html
gives these COBOL-related RISKS items.  The initial
character descriptors are defined there.  In the citations,

* R relates to RISKS (archives at risks.org)
* S relates to SIGSOFT Software Engineering Notes (archives at
   www.sigsoft.org/SEN/ although more recent items also in RISKS)

Vf West Drayton ATC system bug found in 2-yr-old COBOL code (S 16 3, R 11 30)

$fe IRS COBOL reprogramming delays; interest paid on over 1,150,000 refunds (S 10 3:12)

S[H?] Election frauds, lawsuits, spaghetti code, same memory locations
used for multiple races simultaneously, undocumented GOTOs, COBOL
ALTER verb allowing self-modifying code, calls to undocumented/unknown
subroutines, bypassable audit trails (S 11 3);
Report from the Computerized Voting Symposium, August 1986 (S 11 5)

Sie Data transfer Excel-COBOL loses voter data in 2003 Greenville, Mississippi election (R 22 95)

$hi Man gets $218 trillion phone bill (R 24 24); COBOL program? (R 24 27,29,30,33)

f Discussion of date and century roll-over problems:
Fujitsu SRS-1050 ISDN display phones fail on two-digit month (10);
1401 one-character year field; COBOL improvements; IBM 360 (S 20 2:13)
 [See Fred Ballard and Walt Murray  (R 16 70 ff).]
 [Lots of stuff is relevant on COBOL's two-character year field
 and the entire Y2K saga.]
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Andrew van der Stock
Executive Director, OWASP
Lead Author, OWASP Guide
