× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  • Subject: Re: SNA datastream
  • From: "Jason M. Felice" <jasonf@xxxxxxxxxxxxxxxx>
  • Date: Sun, 14 Nov 1999 16:17:11 -0500

Caution: This is a somewhat lengthy message, and probably more than a tad 
off-topic (what's a tad? ;)

On Sun, Nov 14, 1999 at 03:40:38PM -0000, Roger Bowler wrote:
> -----Original Message-----
> From: Jason M. Felice <jasonf@Baldwingroup.COM>
> 
> 
> >In any case, given how the 5250 protocol is designed, the AS/400 being
> >susceptible to a buffer overflow attack is very possible given all the
> >differnet structures expected to be different sizes in the 5250 data
> stream.
> >It's a much more complicated protocol than plain telnet, and therefore much
> >more likely to have weeknesses.
> 
> 
> I would draw the opposite conclusion, Jay. The rigorous definition of the
> SNA
> datastream, with each field strictly bounded by its length, IMO is designed
> to
> reduce rather than increase the scope for errors.  Of course I haven't seen
> the OS/400 source code but I'd be willing to bet that it's 100% rock solid
> in
> this respect.

While on the one hand, this is probably implemented in MI assembly on the 
OS/400, and the structures are rigidly definied in memory and loaded from the
code, that precise idea is what will require the code to check for a buffer-
overflow attempt (or even accident) in every instance there is a fixed
structure and every instance there is a fixed sub-structure or field or what
not.

... and there's no such thing as 100% rock solid ;)  My experience with
security (inluding being hacked a few times and thwarting hacks a few times)
has taught me that it really is an evolution ...  you can never be perfectly
secure, but only more secure than the majority of hackers out there.

One example is when they were able to crack implementations of DES.  DES, at
that time, was known to be perfectly secure; however, they found that with
most implementation, if you time the rate of output and latencies in the
transmitted data, you can deduce the key.  Now everybody is upgrading to
implementations of DES or other crypto algorithms which work in constant time.
This just blows my mind, but makes me have to accept as a general fact that
you can't really gauruntee _anything_ is secure, even if you *can* read the
source code, you can only gauruntee that there is no publicly known method of
hacking it right now.

I can certainly see areas where the IBM philosophy would lead to more secure
software, especially since the protocols are so rigidly and well definied
before implemented, but also because most 'nix type protocols need a parser
of some sort, where as in IBM land the client pretty much parses the protocol
into the strucures and sends everything pre-parsed.  There are other reasons
I think so as well.  I just (for the above reasons) wouldn't ever put my
live business data plugged into the Internet.  Just way too much to loose.

> 
> What you've got to remember is that OS/400 was built by IBM programmers
> working in a culture where this kind of highly structured data had been the
> norm for 20 years.  When I first saw Unix after 15 years of mainframe
> programming, I couldn't believe how loosely defined protocols like SMTP and
> Telnet could be made to work.  Now I've got more experience of Unix I
> understand how it's possible for seasoned Unix programmers to design
> reasonably robust implementations around these protocols.

I was (am) likewise facinated by the IBM way of doing things ... pretty crazy
how different they can be.  I probably know a good 15 computer languages,
counting scripting languages and shells, and because of that, have enough
background to learn another computer language *very* quickly.  This is 
somewhat why I was confident in starting an RPG compiler and walking into that
large project even though I had never written an RPG program before.  And,
while I'm still making much progress, and still learning RPG, I can honestly
say that with the exception of the first computer languages I learned 
(BASIC and Pascal), RPG has been one of the most difficult: many concepts in
RPG are just completely alien despite my varied background.  They aren't
difficult concepts at all; RPG is relatively simple language on purpose,
there's just a lot about it that strikes me as very odd.

I can't wait until quantum computing becomes a reality, then we'll all be
blown away <g>

> 
> Mainframe and Unix are quite simply at poles apart in their philosophy --
> that's why I find the fusion of the two cultures so fascinating.

Absolutely agreed.  Now if they can just make the AS/400 TCP/IP interface
stay alive if the default gateway goes down temprorarily ;)  Kidding aside,
they really have done a good job -- I just have to scratch my head every so
often and say "Huh?!?"

> 
> Cheers, Roger Bowler
> 

-Jay 'Eraserhead' Felice
+---
| This is the LINUX5250 Mailing List!
| To submit a new message, send your mail to LINUX5250@midrange.com.
| To subscribe to this list send email to LINUX5250-SUB@midrange.com.
| To unsubscribe from this list send email to LINUX5250-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.