Reply to post: Re: Have I missed something?

Windows' authentication 'flaw' exposed in detail

Michael Wojcik

Re: Have I missed something?

RACF can be bypassed with a vulnerability in any APF authorized load module

Indeed.

z/OS with RACF or one of the other SAF providers (ACF2 or Top Secret) isn't even designed to be especially secure - even APF-authorized modules and application errors like storing credentials in vulnerable locations aside. RACF is only TCSEC B1 certified. In TCSEC ("Orange Book") terms that's stronger than e.g. Windows and typical UNIX systems (C1 or C2), but there are exotic OSes which have been certified at A1 (Honeywell SCOMP and Boeing SNS), which requires formal proof of secure design, among other things.

And there's a semi-formal "Beyond A1" level, though I don't think anyone's claiming to have an OS that meets it.

Even A1 OSes aren't "perfectly" secure, of course, because that idea is nonsense.[1] A machine can't determine all possible consequences of an action, so it can't be a perfect oracle in deciding whether to allow an action. So under any sufficiently complete definition of "secure",[2] there's no possible decision procedure which gives the "correct" answer when evaluating every request for access.

And of course in practice we know that people aren't capable of designing and implementing complex systems with no errors. And it's impossible in general to mechanically prove complex systems don't have errors (it's isomorphic to the Halting Problem), and doing it even for specific cases is non-trivial.

All that said, the post that started this sub-thread - the "no OS is secure" commonplace - is not responsive to the OP's question about what's new in the particular blog post that inspired this article. As I noted above, though, I haven't had a chance to read that blog post and see what it has to offer that we didn't already know about Golden Tickets.

[1] And TCSEC criteria aren't the only way to evaluate the security of an OS, because that idea would also be nonsense. "Secure" is only meaningful as an evaluation of relative costs under a threat model, and both of those things vary by application.

[2] Such as this one: A secure system does everything it's supposed to do, and nothing else.
