>If you were running an NT box and IIS a hacker could get in using one of the
>many buffer overrun exploits out there now. And only on port 80. Some of the
>various http servers have directory traversal exploits using ../ and such. And
>there are a lot of other exploits out there for getting to a machine that is
>"only" serving web pages.

>I do not believe, although am not positive, that the AS/400 is not plagued by
>buffer overrun exploits. It may be possible to overrun a buffer (as we've all
>done when we pass the wrong length parameter) but the AS/400 is usually smart
>enough not to execute this code.

Single level store provides a lot of practical benefit, here, even when applications use teraspace or PASE. The addition of Apache and other "Unix style" application modes shouldn't change the system's vulnerability, or lack of same, to this particular set of problems.

It is just plain a lot harder, in the context of single level store, for all of these buffer overrun tricks to work, because Unix or NT systems seem to rely (sooner or later) on privilege bits in paging tables to keep problem state from accessing important storage. But, a single level store-based OS does not have to rely on that, nor do we. Overrunning buffers will either injure problem state data only or simply cause a program check.

I suppose if I thought about it for a while, I could figure out how a buffer overrun attack could plague single level store, too. Bugs are hardy beasts and they eventually happen. But, the architecture is such that it would require far more than mis-setting a few bits in a page table somewhere, which is all that it takes on a conventional system. So, it will happen much, much less often if it happens at all.

Larry W. Loen - Senior Java and iSeries Performance Analyst
Dept HP4, Rochester MN

+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].