16 Sep
2015
16 Sep
'15
6:36 p.m.
On 09/16/2015 01:29 PM, Paul Koning wrote:
I never had any incentive to look for holes in CDC
operating systems, but I still remember a simple hole I
found in OS/360, about a month after I first wrote a
program for that OS. It allowed anyone to run supervisor
mode code with a couple dozen lines of assembler source
code. I found it on OS/PCP 19.6, but I noticed in graduate
school that it still worked on the university's 370
running OS/MVS 21.7. (The magic? Use the OS service to
give a symbolic name to a location in your code, with a
well chosen name, then give that name as the name of the
"start I/O appendage" in an EXCP style I/O request.) paul
Yup, the
classic breakin was you set up an exception handler
with SPIE (specify program interrupt exit, I think) and
then do a divide by zero. This gives the handler the PSW of
the problem program. You turn the P bit of the PSW off and
return. The stock OS would actually ALLOW you to DO this,
and just return to the user program now in supervisor
state! It was a VERY simple fix, you just don't allow any
exception handler to change the state of the P bit. But,
MANY systems did not do that check.
So MANY other weaknesses could easily be caused by
accident. Like, the file that contained valid account
numbers was often not protected. Anybody could just print
out that file.
Jon