Secure Coding mailing list archives

Mainframe Security


From: vanderaj at owasp.org (Andrew van der Stock)
Date: Sun, 18 Nov 2007 01:17:10 -0500

In my experience of reviewing COBOL and mainframes in general, it's
worthwhile to evaluate doing bad things to the business logic. The
designers are literal in their translation of the business
requirements to specifications, and never think of the mis-use cases.
Mainframe coders aren't paid to design and implement missing links
in the design, and are often penalized if they stray too far from the
specification. Therefore, as Peter pointed out in a previous thread,
almost all of the "exploits" for mainframes go after the golden
apples - the business logic and the underlying asset.

Luckily, up until recently, data which violated the requirements  
wasn't easy to get in, but now it's more than easy:

a) a system I am aware of used to be green screen only and had
validation to prevent unauthorized characters like commas in the
presentation layer. Once the underlying transaction was made available
to process transactions from the Internet, customers finally could
manipulate this data. Someone didn't bother to eliminate "," as a
valid character as it wasn't in the spec - they only had a few
characters to eliminate and "," wasn't one of them. The comma upset
the strip (batch data) file. It caused several abends and a lot of
sleepless nights for the folks whilst they worked out how to get rid
of this troublesome character from a multi-gigabyte file and
successfully re-run the batch without re-processing already processed
transactions.

b) I have spaces in my name. Galileo, the online booking system used
by pretty much everyone, is written on top of TPS, an old (and I mean
OLD - it's older than me) OS for IBM mainframes. TPS is written in
assembly language, as are most of the Galileo transactions for freight
and self-loading freight (humans). If, like me, you try to enter the
legally required spaces in your name as often as you can, it's nearly
funny the number of times I've had to get manual assistance to get on
planes and through the TSA checkpoint. I'm sure it's because Galileo
doesn't handle spaces properly. I wonder what other characters it
doesn't like.

c) The EOF marker in EBCDIC works really well. If your outside program
can send it in a field and it doesn't mean anything to anyone ...
until it hits a file, you can cause a lot of problems, particularly
with batch driven systems. Luckily, most front end systems I come
across don't know what to do with low ASCII entries and either don't
pass it on, or fail to translate it properly, thus preventing a
workable attack.

thanks,
Andrew
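The three cases above share one root cause: the front end filtered only the characters the spec named, so characters the batch side could not carry (a comma in a delimited strip file, a control character that reads as end-of-file) went straight through. The Python below is an added illustration, not code from the post or from any system it mentions. It contrasts that spec-driven blacklist with an allowlist that is derived from what the downstream record can hold, keeps legitimate spaces in names, rejects control characters and the delimiter outright, and encodes the record with Python's cp037 codec as a stand-in for the EBCDIC variant an actual shop would use. The field names, widths and patterns are invented for the example.

```python
import re
import unicodedata

# --- the approach from case (a): strip only what the spec listed -----------
# Constructed blacklist; the comma is not on it, just as in the post.
SPEC_BLACKLIST = set("<>;\"")


def spec_blacklist_clean(value: str) -> str:
    """Drop the few characters the spec named and pass everything else on."""
    return "".join(ch for ch in value if ch not in SPEC_BLACKLIST)


# --- allowlist derived from the batch record format -------------------------
# Hypothetical record layout: comma-delimited, three fields, fixed max widths.
DELIM = ","
FIELD_ORDER = ("account", "name", "memo")
FIELD_RULES = {
    # names legitimately carry spaces, hyphens and apostrophes (case b)
    "name": (re.compile(r"[A-Za-z][A-Za-z '\-]*"), 40),
    "account": (re.compile(r"[0-9]{8,12}"), 12),
    "memo": (re.compile(r"[A-Za-z0-9 .\-]*"), 30),
}
EBCDIC = "cp037"  # assumed code page; real sites pick their own variant


class RecordError(ValueError):
    """Raised when a value cannot be carried safely in the batch record."""


def validate_field(field: str, value: str) -> str:
    pattern, width = FIELD_RULES[field]
    # Control characters (Unicode category C*, which includes 0x1A, the old
    # end-of-file marker from case c) are rejected, never silently cleaned.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        raise RecordError(f"{field}: control character rejected")
    # The delimiter itself is data the file format cannot carry.
    if DELIM in value:
        raise RecordError(f"{field}: record delimiter rejected")
    if len(value) > width:
        raise RecordError(f"{field}: longer than {width} characters")
    if pattern.fullmatch(value) is None:
        raise RecordError(f"{field}: character outside allowlist")
    return value


def reason_rejected(field: str, value: str):
    """Return the rejection message, or None when the value is acceptable."""
    try:
        validate_field(field, value)
    except RecordError as exc:
        return str(exc)
    return None


def build_record(fields: dict) -> bytes:
    """Validate every field, then emit one EBCDIC batch record."""
    values = [validate_field(f, fields.get(f, "")) for f in FIELD_ORDER]
    return DELIM.join(values).encode(EBCDIC)


def record_is_well_formed(raw: bytes) -> bool:
    """Consumer-side sanity check: exactly the expected number of fields."""
    return raw.decode(EBCDIC).count(DELIM) == len(FIELD_ORDER) - 1


if __name__ == "__main__":
    # Constructed sample input, as a web front end might hand it over.
    print(repr(spec_blacklist_clean("Smith, John")))  # comma survives the blacklist
    print(reason_rejected("name", "Smith, John"))      # allowlist stops it
    print(reason_rejected("memo", "paid\x1a"))         # EOF byte stops it
    rec = build_record({"account": "00012345678",
                        "name": "van der Stock",
                        "memo": "Seat 12A"})
    print(rec, record_is_well_formed(rec))
```

The point of deriving the rules from the record layout rather than from the specification is that a new front end (green screen, web, partner feed) cannot widen the character set by accident: anything the batch job was never designed to see is refused at the boundary, and the rejection is visible to the submitter instead of surfacing days later as an abend in a multi-gigabyte file.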
