IBM z/OS is assumed to be secure because it has ACF2 and RACF.
Mainframe access control types:
RACF – Resource Access Control Facility (RACF®) provides the tools that help an installation manage access to critical resources.
ACF2 – Access Control Facility 2 is a commercial, discretionary access control security product developed for MVS (today z/OS), VSE (today z/VSE) and VM (today z/VM).
Why this discussion topic today? We all know that IBM z/OS is a proprietary OS. Enterprises, especially banking and finance groups, rely on mainframe computers to handle high-volume electronic transaction processing.
The so-called day-end operation process is a well-known batch job in the banking, finance, brokerage and insurance industries.
Since the mainframe is responsible for the back-end jobs, modern Java applications with web front ends do not communicate directly with this giant (see the diagram below for reference). Inquiries and data downloads are handled by a middle tier. Such an architecture does not require high-risk components, in particular Java components, to be installed on the mainframe partition (LPAR).
As time goes by, unified computing techniques have moved from virtual storage to cloud computing and now run across a wide range of environments. Actually, the mainframe is the pioneer of unified computing technology. Since 2000 IBM z/OS (MVS) has been capable of supporting more than one OS running on the same machine: it can be partitioned into multiple logical partitions, each hosting a separate operating system. A logical partition, commonly called an LPAR, is a subset of a computer's hardware resources, virtualized as a separate computer.
Vulnerability is not the exclusive property of Microsoft and Linux operating systems
In the penetration test performed by Mark Wilson in 2013, over 100 vulnerabilities were found on z/OS, even on 1.13. The weaknesses of z/OS fell in the following areas:
- Poor APF Library protection
- Poor SURROGAT profiles
- Poorly coded SVCs
Reference: z/OS V1R1 was first introduced in October 2000; z/OS's initial release was on March 30, 2001; Version 2.2 (V2R2) was introduced on June 28, 2015. On February 21, 2017 IBM z/OS Version 2 Release 3 went to market and became available for use.
A different opinion on vulnerability
My assumption is based on the security findings of a security auditor (Ayoub Elaassal) presented at the Black Hat conference in Las Vegas. His finding is that the ASM program updates the ACEE block in memory to grant temporary SPECIAL privilege, which causes privilege escalation. Hint: if you want to manually specify the user that gets the SPECIAL privilege, replace userid() with any user in line 104 (see the command syntax below for reference).
/* REXX fragment from ELV.APF: each QUEUE line is one JCL statement of the job it submits */
QUEUE "/*"
QUEUE "//STEP01 EXEC PGM="||PROG||",COND=(0,NE)"
QUEUE "//STEPLIB DD DSN="||APF_DSN||",DISP=SHR"
QUEUE "//STEP02 EXEC PGM=IKJEFT01,COND=(0,NE)"
QUEUE "//SYSTSIN DD *"
QUEUE " ALU "||userid()||" SPECIAL OPERATIONS"
QUEUE "/*"
QUEUE "//SYSIN DD DUMMY"
QUEUE "//SYSTSPRT DD SYSOUT=*"
QUEUE "//*"
Ayoub Elaassal created a utility to test privilege escalation on z/OS. The file name of the utility is ELV.APF.
***The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area.
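The "poor APF library protection" finding listed earlier and the APF description above, as an added example that is not from the original post or from ELV.APF: a Python check that cross-references a site's APF list against its RACF DATASET profiles and flags libraries that anyone outside the administrator groups could update. The display text and profile records are constructed samples in a simplified format, and the parser and generic-profile matching are assumptions to adapt to a real site's extracts.

```python
import re

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample in the style of a 'D PROG,APF' console display (hypothetical site).
APF_DISPLAY = """\
CSV450I 10.24.10 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
  1 SYSRES SYS1.LINKLIB
  2 USR001 PROD.APPL.LOADLIB
  3 USR002 TEST.USER.LOADLIB
  4 USR003 HR.TOOLS.LOADLIB
"""

# Constructed RACF DATASET profiles: generic name, UACC and access list (group -> access).
RACF_PROFILES = [
    {"name": "SYS1.**", "uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    {"name": "PROD.APPL.**", "uacc": "READ", "acl": {"APPLDEV": "UPDATE", "SYSPROG": "ALTER"}},
    {"name": "TEST.**", "uacc": "UPDATE", "acl": {}},
]

def parse_apf_display(text):
    """Return the data set name from each 'ENTRY VOLUME DSNAME' row; header lines are skipped."""
    return re.findall(r"^[ \t]*\d+[ \t]+\S+[ \t]+(\S+)[ \t]*$", text, re.M)

def generic_to_regex(profile):
    """Simplified RACF generic: '**' any qualifiers, '*' rest of one qualifier, '%' one char."""
    tokens = re.findall(r"\*\*|\*|%|[^*%]+", profile)
    regex = "".join({"**": ".*", "*": "[^.]*", "%": "."}.get(t, re.escape(t)) for t in tokens)
    return re.compile("^" + regex + "$")

def covering_profile(dsn, profiles):
    """RACF uses the most specific matching profile; approximate that with the fewest wildcards."""
    matches = [p for p in profiles if generic_to_regex(p["name"]).match(dsn)]
    return min(matches, key=lambda p: sum(p["name"].count(c) for c in "*%"), default=None)

def find_weak_apf_libraries(apf_text, profiles, admin_groups=frozenset({"SYSPROG"})):
    """Flag APF libraries writable outside admin_groups: code placed there runs authorized."""
    findings = []
    for dsn in parse_apf_display(apf_text):
        prof = covering_profile(dsn, profiles)
        if prof is None:
            findings.append((dsn, "no RACF DATASET profile covers this library"))
            continue
        # Treat UACC as an access-list entry so one loop checks it and the explicit ACL alike.
        for group, access in {"UACC": prof["uacc"], **prof["acl"]}.items():
            if group not in admin_groups and ACCESS_RANK[access] >= ACCESS_RANK["UPDATE"]:
                findings.append((dsn, f"{group}={access} via {prof['name']}"))
    return findings
```

Running `find_weak_apf_libraries(APF_DISPLAY, RACF_PROFILES)` on the sample reports the application library that a developer group can update, the test library with UACC UPDATE, and the library with no covering profile at all.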
However, any misconfiguration turns a castle into an unsecured house. But our study makes me consider malware infection on non-IBM CISC environments, especially Windows server and Linux environments!
If the above speculation is true, the z/OS system will encounter the following security problem.
It looks like IBM needs to keep up with the IT world trend. The CICS environment supports a Java framework: CICS uses the IBM 64-bit SDK for z/OS, Java Technology Edition. Referring to our earlier discussion, a 64-bit OS environment does not absolutely prevent malware infection. Even with ASLR applied, an open-source or third-party application sometimes causes an operational problem that leads system developers to modify the core system source code without being aware that they are creating a vulnerability. We all know that business drives the IT world rather than technology or information security.
Visitors interested in the report on the mainframe penetration tool, please visit GitHub to find out the details.
…let me find more information security items and share them with you soon! Bye!