Spectre & Meltdown

Chuck Guzis cclist at sydex.com
Sat Jan 13 19:40:15 CST 2018


On 1/13/2018 3:24 PM, Fred Cisin via cctalk wrote:
> (I'm unaware of any punch-card attacks, but trojans were possible when
> people used prior subroutines).
Depends on what you mean "attack".  CDC 6000 SCOPE had two PP programs
(which could be invoked via user control card).

One was "RPV"--reprieve job.   The purpose was to recover control after
a program error so that appropriate cleanup by the user could be
performed.   It was effective for *any* error, including operator
killing the job.

The other was "RSJ", reschedule job.  Usually, this was used when a
device or resource wasn't available--basically, it would put a job back
into the input queue and terminate the caller.

Unless, of course, the caller had included an RPV call also, in which
case it was something like the sorcerer's apprentice--you'd get *two*
copies of the job, which would then spawn 4 more copies, etc.  Operator
drop just exacerbated the situation, and eventually, the input queue
would be full of the malicious job and all available PPUs would be
allocated to doing nothing but RSJs and RPVs.

The only way out of the situation was to deadstart the system without
recovering the input queue.

After a couple of incidents of this, a memo came down from on high
saying that anyone attempting this gambit would be subject to discipline
and/or termination.   I think someone also did an EDITLIB and renamed
both RPV and RSJ and kept the new names on a "need to know" basis.

--------------

Another gambit I recall made use of a new I/O call in SCOPE 3.4, called
"Read List String".  Basically, the point of it was to streamline loader
(linkage editor) operation by presenting CIO and, by extension, the disk
stack processor overlay, 1SP with a list of disk addresses and lengths
to be read.   1SP would dutifully go through the list, advancing its
list pointer (so that the caller could keep track of progress).  It was
very effective and bypassed a lot of ancillary PP code.

Some enterprising fellow wondered what might happen, if his CP program
kept track of the READLS progress and kept backing the pointer up every
time it advanced.   Since 1SP attempted to complete an entire I/O
request before terminating, it never terminated and kept the disk busy
basically forever.

That one was fixed by checking the user's control point area for the
"DROP" flag--something that should have been done from the outset.

-----------------------

All of this reminds me of a trick that I witnessed on a Model 40 running
DOS/360.   Some guy wrote a chained CCW set with a TIC back to the
beginning of the list of CCBs that rang the bell on the 1052 operator's
console and locked the keyboard.   The din panicked at least one
operator who pulled the "Emergency Stop" big red button.

But then DOS/360 was easy to fool--it wasn't even much of a challenge.

Good times...

--Chuck


More information about the cctalk mailing list