× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MI400
  3. June 2001

Re: No single case of hacking...

  • Subject: Re: No single case of hacking...
  • From: "Larry Loen" <lwloen@xxxxxxxxxx>
  • Date: Thu, 7 Jun 2001 14:03:29 -0500
  • Importance: Normal
 

>If you were running an NT box and IIS a hacker could get in using one of
the
>many buffer overrun exploits out there now.  And only on port 80.  Some of
the
>various http server have directory traversal exploits using ../ and such.
And
>there are a lot of other exploits out there for getting to a machine that
is
>"only" serving web pages.

>I do not believe, although am not positive, that the AS/400 is not plagued
by
>buffer overrun exploits.  It may be possible to overrun a buffer (as we've
all
>done when we pass the wrong length parameter) but the AS/400 is usually
smart
>enough not to execute this code.

Single level store provides a lot of practical benefit, here, even when
applications use teraspace or PASE.  The addition of Apache and other "Unix
style" application modes shouldn't change the system's vulnerability, or
lack of same, to this particular set of problems.

It is just plain a lot harder, in the context of single level store, for
all of these buffer overrun tricks to work, because Unix or NT systems seem
to rely (sooner or later) on privilege bits in paging tables to keep
problem state from accessing important storage.  But, a single level
store-based OS does not have to rely on that, nor do we.  Overrunning
buffers will either injure problem state data only or simply cause a
program check.

I suppose if I thought about it for a while, I could figure out how a
buffer overrun attack could plague single level store, too.  Bugs are hardy
beasts and they eventually happen.  But, the architecture is such that it
would require far more than mis-setting a few bits in a page table
somewhere, which is all that it takes on a conventional system.  So, it
will happen much, much less often if it happens at all.


Larry W. Loen  -   Senior Java and iSeries Performance Analyst
                          Dept HP4, Rochester MN


+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.