


Joe,

Try copying a PHP file to IFS and overwrite an existing one. If the PHP
you copy contains a call to native i5/OS commands, then you CAN copy a
file to IFS and use it to execute arbitrary native i5/OS code. Same is
true for the web server, WAS, etc... These kinds of blanket statements are
never true about any system, including i5/OS.

If PASE is a non-secure environment, then logically you MUST assume i5/OS
is a non-secure environment. Parts of the base i5/OS run in PASE! You
can't NOT use PASE if you use i5/OS -- they are part of the same thing.
You can attack PASE and access native i5/OS resources. Some of the parts
of base i5/OS running in PASE have had known buffer overflow attacks (BIND
Version 8.xx) and required HIPER/INTGRITY PTFs for i5/OS to fix!

But in reality there is no such thing as an inherently secure or
non-secure OS. OSes and the business assets managed on them are things to
be secured -- not things that inherently make you secure. What makes one
OS different from another with respect to security is how much time and
cost is required to make them secure. This is where i5/OS is better than
other OSes -- NOT because it somehow knows that the janitor's user profile
shouldn't be allowed to change the financials database.

Joe Pluta wrote:

Joe Pluta wrote:


There is no known instance of any IFS file ever executing code on
i5/OS.


And by this, I hope you know what I mean. There is no way copying a
file to the IFS can magically execute code on the System i under normal
operation.

There are of course ways around that. Running non-secure environments
such as PASE, especially running "industry standard" code with known
exploits, can get around this. So I suppose as you start running
non-native applications, there is more need for that sort of protection.

Joe



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
