• Was Itanium a safer architecture ?

    From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Mon Jun 1 17:57:12 2026
    From Newsgroup: comp.os.vms

    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium.

    It works on Alpha, and on the brand new x86-64 port with modern security features. But it doesn't work on Itanium. (As with my CVE, all you are
    reported to get is a process crash on Itanium).

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    Interesting question isn't it ?

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From =?UTF-8?Q?Arne_Vajh=C3=B8j?=@arne@vajhoej.dk to comp.os.vms on Mon Jun 1 14:00:44 2026
    From Newsgroup: comp.os.vms

    On 6/1/2026 1:57 PM, Simon Clubley wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium.

    It works on Alpha, and on the brand new x86-64 port with modern security features. But it doesn't work on Itanium. (As with my CVE, all you are reported to get is a process crash on Itanium).

    The patch was also released for VMS Itanium.

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    Probably.

    Just the obscurity of the ISA and rarity of HW makes it a much
    less likely target.

    Arne

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Mon Jun 1 18:13:57 2026
    From Newsgroup: comp.os.vms

    On 2026-06-01, Arne Vajhoj <arne@vajhoej.dk> wrote:
    On 6/1/2026 1:57 PM, Simon Clubley wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium. >>
    It works on Alpha, and on the brand new x86-64 port with modern security
    features. But it doesn't work on Itanium. (As with my CVE, all you are
    reported to get is a process crash on Itanium).

    The patch was also released for VMS Itanium.


    Yes. To fix the process crash. They did they same thing for my CVE as well.

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    Probably.

    Just the obscurity of the ISA and rarity of HW makes it a much
    less likely target.


    This is about technical merits, not about how popular it may be.

    The real question is: do you have to work harder on Itanium to try to
    turn a buffer overflow into something that can be exploited and so far
    the answer appears to be yes.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From =?UTF-8?Q?Arne_Vajh=C3=B8j?=@arne@vajhoej.dk to comp.os.vms on Mon Jun 1 14:45:24 2026
    From Newsgroup: comp.os.vms

    On 6/1/2026 2:13 PM, Simon Clubley wrote:
    On 2026-06-01, Arne Vajh|+j <arne@vajhoej.dk> wrote:
    On 6/1/2026 1:57 PM, Simon Clubley wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium. >>>
    It works on Alpha, and on the brand new x86-64 port with modern security >>> features. But it doesn't work on Itanium. (As with my CVE, all you are
    reported to get is a process crash on Itanium).

    The patch was also released for VMS Itanium.

    Yes. To fix the process crash. They did they same thing for my CVE as well.

    I think the release notes only talk about risk of process crash on
    all 3 platforms for this patch.

    But given the power of supervisor mode, then DCL problems have
    to be taken seriously - there could be something exploitable.

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    Probably.

    Just the obscurity of the ISA and rarity of HW makes it a much
    less likely target.

    This is about technical merits, not about how popular it may be.

    The real question is: do you have to work harder on Itanium to try to
    turn a buffer overflow into something that can be exploited and so far
    the answer appears to be yes.

    Itanium got NX bit. And may have other features as well not present
    in Alpha.

    Arne



    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Mon Jun 1 19:15:08 2026
    From Newsgroup: comp.os.vms

    On 2026-06-01, Arne Vajhoj <arne@vajhoej.dk> wrote:
    On 6/1/2026 2:13 PM, Simon Clubley wrote:
    On 2026-06-01, Arne Vajhoj <arne@vajhoej.dk> wrote:
    On 6/1/2026 1:57 PM, Simon Clubley wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium. >>>>
    It works on Alpha, and on the brand new x86-64 port with modern security >>>> features. But it doesn't work on Itanium. (As with my CVE, all you are >>>> reported to get is a process crash on Itanium).

    The patch was also released for VMS Itanium.

    Yes. To fix the process crash. They did they same thing for my CVE as well.

    I think the release notes only talk about risk of process crash on
    all 3 platforms for this patch.


    It's an 8.5 Arne. :-) That's not a process crash. That's a confirmed exploitable vulnerability. (At least on Alpha/x86-64).

    But given the power of supervisor mode, then DCL problems have
    to be taken seriously - there could be something exploitable.


    Agreed. And this leads to some wider questions.

    If VSI had followed through with the original plans in the aftermath of
    my CVE to outright strip image permissions before any transition into supervisor mode (and then restore them afterwards) I wonder if that would
    have neutered this latest vulnerability ?

    Much more interesting however is who actually added this code to DCL ?
    Was it added in Nashua by one of the original VMS Engineering team or
    one of the outsourced teams ?

    Regardless of developer location (including if the developer was in the
    US or in Europe) I hope any other code by this developer (or developers)
    has also been closely examined for similar mistakes.

    Given the peer review process that VSI engineers have talked about in
    the past, I do wonder also how it got past peer review.

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    Probably.

    Just the obscurity of the ISA and rarity of HW makes it a much
    less likely target.

    This is about technical merits, not about how popular it may be.

    The real question is: do you have to work harder on Itanium to try to
    turn a buffer overflow into something that can be exploited and so far
    the answer appears to be yes.

    Itanium got NX bit. And may have other features as well not present
    in Alpha.


    So does x86-64.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From =?UTF-8?Q?Arne_Vajh=C3=B8j?=@arne@vajhoej.dk to comp.os.vms on Mon Jun 1 17:08:53 2026
    From Newsgroup: comp.os.vms

    On 6/1/2026 3:15 PM, Simon Clubley wrote:
    On 2026-06-01, Arne Vajh|+j <arne@vajhoej.dk> wrote:
    On 6/1/2026 2:13 PM, Simon Clubley wrote:
    On 2026-06-01, Arne Vajh|+j <arne@vajhoej.dk> wrote:
    On 6/1/2026 1:57 PM, Simon Clubley wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium.

    It works on Alpha, and on the brand new x86-64 port with modern security >>>>> features. But it doesn't work on Itanium. (As with my CVE, all you are >>>>> reported to get is a process crash on Itanium).

    The patch was also released for VMS Itanium.

    Yes. To fix the process crash. They did they same thing for my CVE as well. >>
    I think the release notes only talk about risk of process crash on
    all 3 platforms for this patch.


    It's an 8.5 Arne. :-) That's not a process crash. That's a confirmed exploitable vulnerability. (At least on Alpha/x86-64).

    You can speculate about Itanium being different. But I have not
    seen anything in what VSI has published that indicate Itanium is
    different from this one.

    But now I actually read the release notes a little more careful.
    The included 1-3 patches are about process crash, but the change listed
    for the 4 patch says "This ECO kit addresses a security vulnerability (CVE-2026-41112) where a buffer overflow could alter data on the stack,
    which could potentially be exploited to alter local privilege context.".
    Which is probably why the 8.5 score.

    Much more interesting however is who actually added this code to DCL ?
    Was it added in Nashua by one of the original VMS Engineering team or
    one of the outsourced teams ?

    Nothing has been said about when the problem was introduced.

    Regardless of developer location (including if the developer was in the
    US or in Europe) I hope any other code by this developer (or developers)
    has also been closely examined for similar mistakes.

    Only if the boss is clueless.

    Given the peer review process that VSI engineers have talked about in
    the past, I do wonder also how it got past peer review.

    Vulnerabilities get through review all the time.

    Arne

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.os.vms on Mon Jun 1 17:43:38 2026
    From Newsgroup: comp.os.vms

    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    No. The whole VLIW thing actually seems like a way to conceal various
    kinds of bugs which could turn out to be vulnerabilities.

    If you want safety, you want the iAPX 432. Or maybe that Honeywell
    capability machine.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Michael S@already5chosen@yahoo.com to comp.os.vms on Tue Jun 2 01:23:35 2026
    From Newsgroup: comp.os.vms

    On Mon, 1 Jun 2026 17:57:12 -0000 (UTC)
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Another DCL CVE and once again, a buffer overflow doesn't work on
    Itanium.

    It works on Alpha, and on the brand new x86-64 port with modern
    security features. But it doesn't work on Itanium. (As with my CVE,
    all you are reported to get is a process crash on Itanium).

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?


    Architecture - no, ABI - yes.
    Dual-stack (i.e. Backing Store for Register Stack that is separate from
    so called Memory Stack) is useful against certain class of attacks.


    Interesting question isn't it ?

    For those with necrofiliac tendencies.


    Simon.



    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Mon Jun 1 22:37:39 2026
    From Newsgroup: comp.os.vms

    In article <10vkh5o$2d0p2$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    Another DCL CVE and once again, a buffer overflow doesn't work on Itanium.

    It works on Alpha, and on the brand new x86-64 port with modern security >features. But it doesn't work on Itanium. (As with my CVE, all you are >reported to get is a process crash on Itanium).

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    I suspect not. It's unclear why these bugs are exploitable on
    Alpha and x86, but not on Itanium; it could be the hardware, or
    it could be some aspect of the software and the way it was
    implemented on Itanium that just isn't the same on x86 and
    Alpha, but could be. We don't have enough information to know.

    Interesting question isn't it ?

    In the abstract, yes. But absent more information, it's unclear
    how meaningful the hardware different really is.

    That said, Itanium is a fabulously complex beast, and honestly,
    we never got to see the kind of market penetratin that lead to
    it being probed the way that more common architectures have. Is
    it susceptible to a spectre-style attack? Who knows? Maybe.
    It may be immune to some kinds of attacks, but vulnerable to
    novel attacks that e.g. x86 and Alpha are not. It's hard to
    say.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From =?UTF-8?Q?Arne_Vajh=C3=B8j?=@arne@vajhoej.dk to comp.os.vms on Mon Jun 1 18:58:27 2026
    From Newsgroup: comp.os.vms

    On 6/1/2026 5:08 PM, Arne Vajh|+j wrote:
    On 6/1/2026 3:15 PM, Simon Clubley wrote:
    It's an 8.5 Arne. :-) That's not a process crash. That's a confirmed
    exploitable vulnerability. (At least on Alpha/x86-64).

    You can speculate about Itanium being different. But I have not
    seen anything in what VSI has published that indicate Itanium is
    different from this one.

    Which is not true.

    The VSI CVE page actually say they are different and do explain
    more about the problem:

    <quote>
    An issue was discovered in OpenVMS V8.4 through V8.4-2L2 on Alpha, V8.4 through V8.4-2L3 on IA64, and through V9.2-3 on x86. Passing a long
    string value to the F$CUNITS lexical function may result in a buffer
    overflow allowing a local privilege escalation when a non-privileged
    account enters a crafted command line. This bug is exploitable on Alpha
    and x86 and may cause a process crash on IA64. Software was affected regardless of whether it was directly shipped by VMS Software, Inc.
    (VSI), HPE, or HP.
    </quote>

    Arne

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Tue Jun 2 12:14:31 2026
    From Newsgroup: comp.os.vms

    On 2026-06-01, Scott Dorsey <kludge@panix.com> wrote:
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    No. The whole VLIW thing actually seems like a way to conceal various
    kinds of bugs which could turn out to be vulnerabilities.


    Although as Michael S points out, Itanium does have an interesting feature.

    If you want safety, you want the iAPX 432. Or maybe that Honeywell capability machine.

    Oh god, having modern capability-based hardware (and the software to go
    with it) would be _nice_.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Tue Jun 2 15:05:07 2026
    From Newsgroup: comp.os.vms

    In article <10vmhf6$2tlpl$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-01, Scott Dorsey <kludge@panix.com> wrote:
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Question: Was Itanium the safer architecture (at least in some ways)
    that we have all been looking for ?

    No. The whole VLIW thing actually seems like a way to conceal various
    kinds of bugs which could turn out to be vulnerabilities.

    Although as Michael S points out, Itanium does have an interesting feature.

    I thought he pointed out that it is the _ABI_ that gives that
    that property (separate register and data stacks), not the
    hardware. The ABI is nothing more than a software abstraction
    for a particular platform.

    One could imagine maintaining a separate data stack for x86_64,
    for example, though it may be challenging to provide because
    even now that architecture is relatively register starved, and
    one presumes that keeping the data stack pointer in a register
    would be desirable. Of course, that means that one wouldn't be
    using `push` and `pop` for the data stack, but I imagine that
    for most compilers they won't generate `push` and `pop` for data
    allocated on the stack anyway, though I guess I could be wrong.

    A potential wrinkle could be long functions with many locals,
    where you might want to maintain multiple "live" copies of a
    register in memory throughout the execution of that function.
    But that is the kind of thing that the compiler can calculate so
    I suppose it could simply allocate fixed space on either stack
    for that.

    If you want safety, you want the iAPX 432. Or maybe that Honeywell
    capability machine.

    Oh god, having modern capability-based hardware (and the software to go
    with it) would be _nice_.

    Ask and ye shall receive: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ https://www.arm.com/architecture/cpu/morello https://cheri-alliance.org/discover-cheri/cheri-products/

    Get a hold of Morello Board isn't easy, though, and most of the
    other designs are soft cores targeting FPGAs at the moment.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Wed Jun 3 12:24:50 2026
    From Newsgroup: comp.os.vms

    On 2026-06-02, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <10vmhf6$2tlpl$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Oh god, having modern capability-based hardware (and the software to go >>with it) would be _nice_.

    Ask and ye shall receive: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ https://www.arm.com/architecture/cpu/morello https://cheri-alliance.org/discover-cheri/cheri-products/

    Get a hold of Morello Board isn't easy, though, and most of the
    other designs are soft cores targeting FPGAs at the moment.


    Oh boy, I had totally forgotten about that work and I had thought
    in the past it was just a research project that unfortunately had
    not gone anywhere. It's interesting (to put it mildly!) to see
    something viable might come out of this work after all.

    Thank you for the pointers.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From jgd@jgd@cix.co.uk (John Dallman) to comp.os.vms on Thu Jun 4 09:35:40 2026
    From Newsgroup: comp.os.vms

    In article <10vp6ei$3ke9b$1@dont-email.me>, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    On 2026-06-02, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    Get a hold of Morello Board isn't easy, though, and most of the
    other designs are soft cores targeting FPGAs at the moment.

    Oh boy, I had totally forgotten about that work and I had thought
    in the past it was just a research project that unfortunately had
    not gone anywhere. It's interesting (to put it mildly!) to see
    something viable might come out of this work after all.

    It isn't going anywhere /quickly/. My employer was offered a Morello
    board for six months in 2021 or '22. We concluded that while it would be interesting, there were more immediate commercial priorities. We'd need
    enough hardware, indefinitely, to run all our production testing to keep
    a CHERI build going, and that wasn't on offer.

    John
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Thu Jun 4 12:17:46 2026
    From Newsgroup: comp.os.vms

    On 2026-06-04, John Dallman <jgd@cix.co.uk> wrote:
    In article <10vp6ei$3ke9b$1@dont-email.me>, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    On 2026-06-02, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    Get a hold of Morello Board isn't easy, though, and most of the
    other designs are soft cores targeting FPGAs at the moment.

    Oh boy, I had totally forgotten about that work and I had thought
    in the past it was just a research project that unfortunately had
    not gone anywhere. It's interesting (to put it mildly!) to see
    something viable might come out of this work after all.

    It isn't going anywhere /quickly/. My employer was offered a Morello
    board for six months in 2021 or '22. We concluded that while it would be interesting, there were more immediate commercial priorities. We'd need enough hardware, indefinitely, to run all our production testing to keep
    a CHERI build going, and that wasn't on offer.


    Oh well. In that case, that excitement (that we might have a nice more
    secure architecture in the near future) lasted all of 24 hours...

    I now return to my normal state of foreboding about the current state of computer security in today's world.

    Thanks for returning me to reality John. :-)

    Simon.

    PS: The above was very much a good natured response. :-)

    PPS: On a more serious note, is it going to take a global scale disaster to finally invest resources into making things well and truly "really secure" instead of just "pretend secure" ?
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From jgd@jgd@cix.co.uk (John Dallman) to comp.os.vms on Thu Jun 4 20:04:40 2026
    From Newsgroup: comp.os.vms

    In article <10vrqda$bvkh$1@dont-email.me>, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    John
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Lawrence =?iso-8859-13?q?D=FFOliveiro?=@ldo@nz.invalid to comp.os.vms on Thu Jun 4 22:47:35 2026
    From Newsgroup: comp.os.vms

    On Thu, 4 Jun 2026 20:03 +0100 (BST), John Dallman wrote:

    The military have brute-force answers to that, via air gaps, but
    nobody want to buy such systems. Few are willing to pay for any
    security overheads.

    And the discipline to use them. The military takes that sort of
    regulatory environment for granted, ordinary civilians not so much.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Fri Jun 5 12:54:18 2026
    From Newsgroup: comp.os.vms

    On 2026-06-04, John Dallman <jgd@cix.co.uk> wrote:
    In article <10vrqda$bvkh$1@dont-email.me>, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.


    Good question.

    First of all, I should hold myself to my own standards and say "much
    more secure" instead of "really secure" in keeping with my position
    that you can only make things safer and not safe.

    Some ideas (and I will probably think of more right after I post this :-))

    1) We need CHERI or something like it. There are very good reasons why
    I was so excited something like that might finally become a reality.
    We need it to be cheap and commonplace and something that "just is"
    in the same way that, say, cheap hobbyist dev boards are now "just are"
    so people now use them to explore new ideas.

    People don't build widespread systems around new concepts until general availability is guaranteed.

    2) Linus is on the wrong side of the microkernel argument. There was a performance argument 30 years ago, but that argument no longer exists
    in today's world. We need to get today's monolithic and fully privileged kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time
    reading the kernel ones and following the CVEs and then remember all
    those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels.

    3) Intel and AMD need to knock off this operating system below the
    user's operating system stuff that the user's operating system can't
    even see. I know why they (claim) they do, but that's extreme
    arrogance and a disaster in the making. That should be under the full
    control of the user and the user's OS at all times.

    4) All operating systems (at least the public facing server ones) should
    run with mandatory access control security (ie: something like SELinux)
    at all times to try to help keep a successful breach contained.

    5) Our software architectures are way too complex. Complex systems are
    way more vulnerable than a more simple, more cleanly defined architecure because there many more paths with unanticipated side effects.

    6) We need to find a way of moving away from opaque binary firmware and
    other blobs from vendors. Even _if_ there are no backdoors, someone
    could still discover exploitable vulnerabilities that we may be able
    to do absolutely nothing about.

    7) If a government agency comes across a vulnerability, they need to be
    forced by law to disclose it to the vendor so it can be fixed instead
    of holding onto it for some perceived short-term gain. If they can find
    it, then so can others.

    8) No government mandated backdoors in hardware or software.

    Any additions to this list ?

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From bill@bill.gunshannon@gmail.com to comp.os.vms on Fri Jun 5 22:31:22 2026
    From Newsgroup: comp.os.vms

    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through
    most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    (a question from someone who once had the job finding backdoors
    around air gaps at DOD sites as part of inspections)

    bill


    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.os.vms on Fri Jun 5 22:37:45 2026
    From Newsgroup: comp.os.vms

    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay >>> for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through
    most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated. --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Gary R. Schmidt@grschmidt@acm.org to comp.os.vms on Sun Jun 7 21:11:29 2026
    From Newsgroup: comp.os.vms

    On 06/06/2026 23:17, bill wrote:
    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill-a <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to
    that,
    via air gaps, but nobody want to buy such systems. Few are willing
    to pay
    for any security overheads.

    Air gaps aren't really secure.-a One platoon of Marines can get through >>>> most typical air gaps.

    I didn't see a smiley.-a Is this joke or do you really not know
    what is meant by an air gap-a in the IT world.

    I do.-a It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system
    isolated.

    Yeah, much more pitiful than putting it in the cloud where everyone and their dog has access to it.

    On a side note, I saw some very interesting methods to try and breach airgaps.-a Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.
    Security is not always a second thought.-a Sometimes it is openly
    despised.-a :-)


    In SF, the Vorkosiverse, the nickname of a series by Lois McMaster
    Bujold, in "Memory" our hero, Miles Vorkosigan (aka Admiral Miles
    Naismith) defeats the oh-so-secure ImpSec environment by having
    Ivan-You-Idiot spin the screen of the secure terminal around so that the camera on the insecure terminal can see it.

    Miles' father twits the head of ImpSec about it, somewhat.

    Cheers,
    Gary B-)
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Mon Jun 8 12:55:47 2026
    From Newsgroup: comp.os.vms

    In article <memo.20260604093432.15192O@jgd.cix.co.uk>,
    John Dallman <jgd@cix.co.uk> wrote:
    In article <10vp6ei$3ke9b$1@dont-email.me>, >clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    On 2026-06-02, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    Get a hold of Morello Board isn't easy, though, and most of the
    other designs are soft cores targeting FPGAs at the moment.

    Oh boy, I had totally forgotten about that work and I had thought
    in the past it was just a research project that unfortunately had
    not gone anywhere. It's interesting (to put it mildly!) to see
    something viable might come out of this work after all.

    It isn't going anywhere /quickly/. My employer was offered a Morello
    board for six months in 2021 or '22. We concluded that while it would be >interesting, there were more immediate commercial priorities. We'd need >enough hardware, indefinitely, to run all our production testing to keep
    a CHERI build going, and that wasn't on offer.

    That was 4 or 5 years ago; I wonder how the situation is
    different now, if at all.

    I see some uptick in the availability of CHERI based hardware;
    whether it's enough for industrial uptake, I don't know.
    OpenTitan, SCI Semiconductor, et al, seem bullish on it, but
    they all seem focused on the embedded space right now.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Mon Jun 8 12:57:35 2026
    From Newsgroup: comp.os.vms

    In article <10vvga0$avd$1@panix2.panix.com>,
    Scott Dorsey <kludge@panix.com> wrote:
    John Dallman <jgd@cix.co.uk> wrote: >>clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay >>for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through
    most typical air gaps.

    One Marine with a euphemistically named, "porn stick" (read: USB
    flash drive) can get through that, too.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Mon Jun 8 13:19:24 2026
    From Newsgroup: comp.os.vms

    In article <n8ikv7FtdetU2@mid.individual.net>,
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that, >>>>> via air gaps, but nobody want to buy such systems. Few are willing to pay >>>>> for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through >>>> most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated.

    Yeah, much more pitiful than putting it in the cloud where everyone and >their dog has access to it.

    I worked on Google Cloud, and I used secure and insecure
    military networks while deployed in a combat environment.

    I'd posit that cloud infrastucture run by Google is verifiably
    orders of magnitude more secure than a deployed military
    network.

    On a side note, I saw some very interesting methods to try and breach >airgaps. Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.
    Security is not always a second thought. Sometimes it is openly
    despised. :-)

    Sometimes that is an operational necessity, and sometimes it
    goes from non-secure to secure.

    True story: I was embedded with an Afghan Army unit. I was a
    Marine communications officer, but I'm also a Marine: that means
    I am expected to operate outside of my primary MOS and put
    together combat ops when required. My ANA guys were in a log
    unit, but didn't have the uparmored or heavy weapons
    capabilities that I did; which meant I spent a lot of time
    outside the wire running security and commanding them. Fun
    times.

    Anyway, at one point, some ricky-recon ANGLICO Captain shows up
    out of nowhere and says, "I want to support you!" Uh, ok, guy,
    support me with what, precisely? By this time I'd been running
    missions for months, and it wasn't clear what he was bringing to
    the table other than a few extra guns that, honestly, I really
    didn't need.

    I never did figure it out. He wanted to attach to one of my
    convoys, so I told him, "ok, good to go, sir: please send me
    your manifest over SIPR so I can integrate it into mine."

    See, before going outside the wire on a mission, I had to put
    together an op-order and a manifest listing all of my assets:
    vehicles, radios, weapons, Marines and Navy personnel (we don't
    have doctors or medics in the Marine Corps; we get all of that
    from the US Navy, so I had sailors attached to my team, and at
    one point an Army medic showed up and we kept him, so I had a
    soldier too); basically, anything with a serial number or a
    pulse had to be listed on the manifest, which had to be sent up
    to the division level so they could track everything that was
    operationally active. So my secret squirrel ANGLICO ninja guy
    wants to join this mission and he's bringing his own vehicle and
    weapons and all of that, so I ask him for his gear list, and I
    ask him to send it to me on the "secure" network, because that's
    where all of that stuff was stored and sent around and so on.

    So naturally he sends me his manifest (incomplete) on NIPR (the
    "Non-secure Internet Protocol Router": no, really, that's what
    it's called; "SIPR" is the "Secure Internet Protocol Router") so
    now I have to sit there in the CoC, reading this stuff off of a
    laptop on the NIPR network, and typing it into another laptop,
    connected to the SIPR network.

    To add insult to injury, we go to DFL and Ricky Recon shows up
    with like two other people that weren't on the manifest, in a
    different vehicle than the one he'd said he was going to be in,
    with a bunch of weapons he didn't tell me about, but he is
    rolling Ready For War. "What the hell? Who is this?" "Oh, he's
    coming along with us...." "He's not on the manifest. I have to
    call this in and add him."

    Long story short, nothing this guy had sent me was accurate, so
    I called up my CoC, explained the situation; they pushed it up
    to Divison, and Division was _pissed_: at me. I was pissed that
    division was pissed and that this guy was wasting my time.
    Meanwhile, the ANA guys are starting to honk at me because they
    want to get going. So do I, guys, so do I. Sadly, I was
    looking at having to delay by an hour or more to fix all of this
    manfist asshattery, or leaving the War Badger behind.

    I left him behind; never heard from the guy again. I guess he
    found someone else to "support."

    I don't know if this is an argument _for_ or _against_ close
    physical proximity for airgapped terminals.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From jgd@jgd@cix.co.uk (John Dallman) to comp.os.vms on Mon Jun 8 17:40:40 2026
    From Newsgroup: comp.os.vms

    In article <1106e4j$up$1@reader1.panix.com>,
    cross@spitfire.i.gajendra.net (Dan Cross) wrote:

    I see some uptick in the availability of CHERI based hardware;
    whether it's enough for industrial uptake, I don't know.
    OpenTitan, SCI Semiconductor, et al, seem bullish on it, but
    they all seem focused on the embedded space right now.

    Yup, it's the usual chicken-and-egg problem for something without
    immediately demonstrable benefits.

    The application software people aren't going to do the work to support
    CHERI unless there's fast hardware available and end-user demand. The
    hardware people don't want to start a separate line of hardware unless
    there's serious end-user demand. The end-users mostly don't care about
    security enough to spend extra money on it for different hardware, and
    want all the software to be available before they try to make a decision.


    The embedded world, where one team controls hardware and software, is the easiest place to get some commitment.

    John
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Mon Jun 8 18:10:17 2026
    From Newsgroup: comp.os.vms

    On 2026-06-08, John Dallman <jgd@cix.co.uk> wrote:

    The embedded world, where one team controls hardware and software, is the easiest place to get some commitment.


    Yes, and in addition to the professional markets, there is some strong
    history for that in the hobbyist embedded world as well where reasonably
    priced and easily available embedded hardware has resulted in the eventual explosion of various related ecosystems for everyone.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Mon Jun 8 19:21:52 2026
    From Newsgroup: comp.os.vms

    In article <10vugtq$15a62$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-04, John Dallman <jgd@cix.co.uk> wrote:
    In article <10vrqda$bvkh$1@dont-email.me>,
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    Good question.

    First of all, I should hold myself to my own standards and say "much
    more secure" instead of "really secure" in keeping with my position
    that you can only make things safer and not safe.

    Some ideas (and I will probably think of more right after I post this :-))

    1) We need CHERI or something like it. There are very good reasons why
    I was so excited something like that might finally become a reality.
    We need it to be cheap and commonplace and something that "just is"
    in the same way that, say, cheap hobbyist dev boards are now "just are"
    so people now use them to explore new ideas.

    People don't build widespread systems around new concepts until general >availability is guaranteed.

    I agree with this. But it goes beyond hardware capabilities, as
    well; hardware purports to make guarantees about isolation of
    systems that are subverted by sidechannel attacks (e.g., timing)
    and we need solutions for that urgently.

    2) Linus is on the wrong side of the microkernel argument. There was a >performance argument 30 years ago, but that argument no longer exists
    in today's world. We need to get today's monolithic and fully privileged >kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time
    reading the kernel ones and following the CVEs and then remember all
    those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels.

    This bears some scrutiny. In particular, what are the assumed
    characteristics of microkernels that make them more secure
    and/or robust, in your estimation?

    3) Intel and AMD need to knock off this operating system below the
    user's operating system stuff that the user's operating system can't
    even see. I know why they (claim) they do, but that's extreme
    arrogance and a disaster in the making. That should be under the full
    control of the user and the user's OS at all times.

    Agreed, but it's not just Intel and AMD. It's also ARM and
    (increasingly) the RISC-V ecosystem.

    This also opens up a whole can of worms about what that stuff
    does and when, and interfaces between the hardware platform and
    the operating system _should_ exist. If we really do everything
    that is in UEFI or ACPI or SMM in the OS, then we're going to
    need to have some pretty fundamental conversations first.

    4) All operating systems (at least the public facing server ones) should
    run with mandatory access control security (ie: something like SELinux)
    at all times to try to help keep a successful breach contained.

    This conflates MAC with containment; that is, it mandates a
    particular shape of a solution instead of starting with the
    fundamental problem and driving to a solution.

    Absolutely we need containment of breaches. Is MAC the best way
    to get that?

    5) Our software architectures are way too complex. Complex systems are
    way more vulnerable than a more simple, more cleanly defined architecure >because there many more paths with unanticipated side effects.

    100% I agree with this. And frankly, it's only getting worse.

    6) We need to find a way of moving away from opaque binary firmware and
    other blobs from vendors. Even _if_ there are no backdoors, someone
    could still discover exploitable vulnerabilities that we may be able
    to do absolutely nothing about.

    Again, I concur 100%. The number of hidden CPUs in a SoC
    complex running software of dubious provenance and questionable
    quality control is a serious problem.

    7) If a government agency comes across a vulnerability, they need to be >forced by law to disclose it to the vendor so it can be fixed instead
    of holding onto it for some perceived short-term gain. If they can find
    it, then so can others.

    8) No government mandated backdoors in hardware or software.

    Any additions to this list ?

    Open specs for buses, HBAs, and so forth, would make this a lot
    more tractable. SCSI should have done this; Intel did us a
    great service with AHCI and the NVMe folks similarly.

    Something that is increasingly happening is that computation is
    spread across disparate IPs in a single system (think: what's
    running on your GPU vs what's running on your CPU). We need to
    have open runtimes for those different components, all
    coordinated via the OS. Right now, we treat GPUs like
    peripherals, and not like first-class computational resources.

    The same is true of TPUs, DPUs, and so on. What does the OS
    really do? Increasingly, it only runs the control plane that
    (nominally) coordinates everything else, but even that's kind of
    a lie since the OS isn't _really_ in charge of the system; the
    platform firmware can usurp it.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Lawrence =?iso-8859-13?q?D=FFOliveiro?=@ldo@nz.invalid to comp.os.vms on Tue Jun 9 00:48:16 2026
    From Newsgroup: comp.os.vms

    On Mon, 8 Jun 2026 17:39 +0100 (BST), John Dallman wrote:

    Yup, it's the usual chicken-and-egg problem for something without
    immediately demonstrable benefits.

    That tends to apply to proprietary software, the classic example being Microsoft Windows.

    The application software people aren't going to do the work to
    support CHERI unless there's fast hardware available and end-user
    demand.

    As I recall, the CHERI folks already ported a full working OS stack,
    in the form of CheriBSD. This even included a KDE Plasma desktop.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Tue Jun 9 19:40:18 2026
    From Newsgroup: comp.os.vms

    On 2026-06-08, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <10vugtq$15a62$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    2) Linus is on the wrong side of the microkernel argument. There was a >>performance argument 30 years ago, but that argument no longer exists
    in today's world. We need to get today's monolithic and fully privileged >>kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time
    reading the kernel ones and following the CVEs and then remember all
    those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels.

    This bears some scrutiny. In particular, what are the assumed characteristics of microkernels that make them more secure
    and/or robust, in your estimation?


    More secure:

    Outside of the core functionality, which must remain in kernel mode,
    the rest of the kernel components, and especially the vendor supplied
    and third-party device drivers, are isolated in non-privileged
    user-mode processes and are only physically capable of talking to the
    rest of the kernel via highly structured interfaces.

    There are drivers and components even in a microkernel that if you
    manage to compromise you could still use to do damage but you now
    face the harder job of getting to them because they are isolated
    in user processes behind those message interfaces.

    It also means you can't use the compromise of a secondary driver without security implications in itself as a jumping-off point to go and compromise
    the critical parts of the kernel as they no longer share the same address space.

    Also remember what I said: "More secure", not "secure".

    More robust:

    A crash in a driver or kernel component does not mean failure of the
    system (in most cases). A suitably designed microkernel means that
    restart of the failed component/driver may very well also be possible.

    3) Intel and AMD need to knock off this operating system below the
    user's operating system stuff that the user's operating system can't
    even see. I know why they (claim) they do, but that's extreme
    arrogance and a disaster in the making. That should be under the full >>control of the user and the user's OS at all times.

    Agreed, but it's not just Intel and AMD. It's also ARM and
    (increasingly) the RISC-V ecosystem.


    I thought ARM was restricted to the TrustZone stuff for user applications.
    I wasn't aware of the SMM stuff because I'm more used to using ARM in
    embedded environments. I've had a look and it appears more sane than
    Intel/AMD but I still don't like it.

    I have not been able to find anything about RISC-V SMM mode so I don't
    know if they call it something else that I am unable to find.

    This also opens up a whole can of worms about what that stuff
    does and when, and interfaces between the hardware platform and
    the operating system _should_ exist. If we really do everything
    that is in UEFI or ACPI or SMM in the OS, then we're going to
    need to have some pretty fundamental conversations first.


    I don't really care where it is, provided _I_, and not my government
    or my closed-source dodgy binary blob vendor are in control. In reality however, that means it needs to be quite high up in the stack, with
    (as you correctly point out) open specifications for everything.

    Also in reality, and sadly also based on history, that is indeed looking
    like the OS.

    4) All operating systems (at least the public facing server ones) should >>run with mandatory access control security (ie: something like SELinux)
    at all times to try to help keep a successful breach contained.

    This conflates MAC with containment; that is, it mandates a
    particular shape of a solution instead of starting with the
    fundamental problem and driving to a solution.

    Absolutely we need containment of breaches. Is MAC the best way
    to get that?


    MAC policies can very tightly lock down resources for different services running on the same server. For example, different services can be given
    access to different collections of network ports, which malware cannot override. Likewise, you can tightly label different parts of filesystems
    with various MAC labels.

    Running one service per container may be a partial solution, but you
    still need a container-specific firewall because by removing MAC, you
    have just given the malware the ability to open whatever ports it wants,
    at least within the container. Also, at some point, those different
    services may need to share data so you are back to the controlling access
    to the filesystem problem.

    Having said that, I would welcome suggestions about alternatives.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.os.vms on Fri Jun 5 17:49:52 2026
    From Newsgroup: comp.os.vms

    John Dallman <jgd@cix.co.uk> wrote: >clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through
    most typical air gaps.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From bill@bill.gunshannon@gmail.com to comp.os.vms on Sat Jun 6 09:17:12 2026
    From Newsgroup: comp.os.vms

    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that, >>>> via air gaps, but nobody want to buy such systems. Few are willing to pay >>>> for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through
    most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated.

    Yeah, much more pitiful than putting it in the cloud where everyone and
    their dog has access to it.

    On a side note, I saw some very interesting methods to try and breach
    airgaps. Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.
    Security is not always a second thought. Sometimes it is openly
    despised. :-)

    bill

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.os.vms on Sat Jun 6 09:42:42 2026
    From Newsgroup: comp.os.vms

    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and
    truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that, >>>>> via air gaps, but nobody want to buy such systems. Few are willing to pay >>>>> for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through >>>> most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated.

    Yeah, much more pitiful than putting it in the cloud where everyone and >their dog has access to it.

    I think everyone agrees that you pretty much give up all serious security
    when you put something into the cloud, just because there are so many more human beings involved and human beings are where security breaches come from. Doesn't take much to bribe one guy at Google or Amazon and it's all over.

    On a side note, I saw some very interesting methods to try and breach >airgaps. Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.

    This is very common, yes. It's not always bad but it can be terrible.

    Security is not always a second thought. Sometimes it is openly
    despised. :-)

    Often, especially when you have "security" people who are obsessed with confidentiality, when in fact the security that is needed is data accessibility. My employers put whole-disk encryption on electronic
    flight bags which carry publically-available information that you can
    download from the FAA. The pilots put the passwords on the cases in
    huge white letters because if that information becomes unavailable in
    flight people could die.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From bill@bill.gunshannon@gmail.com to comp.os.vms on Tue Jun 9 20:26:46 2026
    From Newsgroup: comp.os.vms

    On 6/8/2026 9:19 AM, Dan Cross wrote:
    In article <n8ikv7FtdetU2@mid.individual.net>,
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote: >>>>>>
    PPS: On a more serious note, is it going to take a global scale
    disaster to finally invest resources into making things well and >>>>>>> truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that, >>>>>> via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through >>>>> most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated. >>
    Yeah, much more pitiful than putting it in the cloud where everyone and
    their dog has access to it.

    I worked on Google Cloud, and I used secure and insecure
    military networks while deployed in a combat environment.

    I know it's done. Kinda shoots down the "zero trust" concept when you
    put all your data in the hands of people you have no reason to trust.


    I'd posit that cloud infrastucture run by Google is verifiably
    orders of magnitude more secure than a deployed military
    network.

    As the the guy responsible for designing, building and operating
    deployed military networks as well as doing a stint with DISA
    inspecting and verifying them I would definitely disagree.
    The only time any data is secure is when it is in your hands
    and your hands only. Just like a secret. Two people can keep
    a secret, if one of them is dead.


    On a side note, I saw some very interesting methods to try and breach
    airgaps. Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.
    Security is not always a second thought. Sometimes it is openly
    despised. :-)

    Sometimes that is an operational necessity, and sometimes it
    goes from non-secure to secure.

    Non-secure to secure is fine. It's only a problem when it goes
    the other way. I once worked in National Guard with an officer
    who used to put his personal laptop on SIPRNET during exercises.
    His explanation was "We're National Guard, none of this is real."
    we were connected by satellite to Ft Gordon and connected to the
    real world SIPRNET. If it wasn't real how did he think we were
    able to talk to HUMVEEs in Iraq using Blue Force Tracker.


    True story: I was embedded with an Afghan Army unit. I was a
    Marine communications officer, but I'm also a Marine: that means
    I am expected to operate outside of my primary MOS and put
    together combat ops when required. My ANA guys were in a log
    unit, but didn't have the uparmored or heavy weapons
    capabilities that I did; which meant I spent a lot of time
    outside the wire running security and commanding them. Fun
    times.

    Anyway, at one point, some ricky-recon ANGLICO Captain shows up
    out of nowhere and says, "I want to support you!" Uh, ok, guy,
    support me with what, precisely? By this time I'd been running
    missions for months, and it wasn't clear what he was bringing to
    the table other than a few extra guns that, honestly, I really
    didn't need.

    I never did figure it out. He wanted to attach to one of my
    convoys, so I told him, "ok, good to go, sir: please send me
    your manifest over SIPR so I can integrate it into mine."

    See, before going outside the wire on a mission, I had to put
    together an op-order and a manifest listing all of my assets:
    vehicles, radios, weapons, Marines and Navy personnel (we don't
    have doctors or medics in the Marine Corps; we get all of that
    from the US Navy, so I had sailors attached to my team, and at
    one point an Army medic showed up and we kept him, so I had a
    soldier too); basically, anything with a serial number or a
    pulse had to be listed on the manifest, which had to be sent up
    to the division level so they could track everything that was
    operationally active. So my secret squirrel ANGLICO ninja guy
    wants to join this mission and he's bringing his own vehicle and
    weapons and all of that, so I ask him for his gear list, and I
    ask him to send it to me on the "secure" network, because that's
    where all of that stuff was stored and sent around and so on.

    So naturally he sends me his manifest (incomplete) on NIPR (the
    "Non-secure Internet Protocol Router": no, really, that's what
    it's called; "SIPR" is the "Secure Internet Protocol Router") so
    now I have to sit there in the CoC, reading this stuff off of a
    laptop on the NIPR network, and typing it into another laptop,
    connected to the SIPR network.

    To add insult to injury, we go to DFL and Ricky Recon shows up
    with like two other people that weren't on the manifest, in a
    different vehicle than the one he'd said he was going to be in,
    with a bunch of weapons he didn't tell me about, but he is
    rolling Ready For War. "What the hell? Who is this?" "Oh, he's
    coming along with us...." "He's not on the manifest. I have to
    call this in and add him."

    Long story short, nothing this guy had sent me was accurate, so
    I called up my CoC, explained the situation; they pushed it up
    to Divison, and Division was _pissed_: at me. I was pissed that
    division was pissed and that this guy was wasting my time.
    Meanwhile, the ANA guys are starting to honk at me because they
    want to get going. So do I, guys, so do I. Sadly, I was
    looking at having to delay by an hour or more to fix all of this
    manfist asshattery, or leaving the War Badger behind.

    I left him behind; never heard from the guy again. I guess he
    found someone else to "support."

    I don't know if this is an argument _for_ or _against_ close
    physical proximity for airgapped terminals.

    What happened is exactly the way it is supposed to work. Funny,
    I assumed the Marines had security people equivalent to Army S2.
    They should have been handling this. All the services have
    assholes, sadly the peter principle is in full effect allowing
    their rise thru the ranks.

    bill


    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Wed Jun 10 16:35:48 2026
    From Newsgroup: comp.os.vms

    In article <1109q72$8pnm$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-08, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <10vugtq$15a62$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    2) Linus is on the wrong side of the microkernel argument. There was a >>>performance argument 30 years ago, but that argument no longer exists
    in today's world. We need to get today's monolithic and fully privileged >>>kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time
    reading the kernel ones and following the CVEs and then remember all >>>those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels.

    This bears some scrutiny. In particular, what are the assumed
    characteristics of microkernels that make them more secure
    and/or robust, in your estimation?

    More secure:

    Outside of the core functionality, which must remain in kernel mode,

    I think if security is our major criteria, one must define what
    one means by "core functionality". Is that memory management?
    Handling interrupts? Process scheduling? Core block storage
    abstractions, or something else?

    the rest of the kernel components, and especially the vendor supplied
    and third-party device drivers, are isolated in non-privileged
    user-mode processes and are only physically capable of talking to the
    rest of the kernel via highly structured interfaces.

    So not every ukernel is architected that way; Minix 1, for
    instance, structured the system as a set of cooperating
    processes that interacted via well-defined IPC interfaces, but
    didn't use an MMU; isolation was logical, not physical.

    Similarly, putting an address space boundary between parts of a
    system doesn't imply that they all (save one) run in userspace;
    one can imagine multiple such components that run in kernel
    mode, but in their own address spaces.

    There are drivers and components even in a microkernel that if you
    manage to compromise you could still use to do damage but you now
    face the harder job of getting to them because they are isolated
    in user processes behind those message interfaces.

    Any non-trivial message in a message-passing system must be
    stored in memory somewhere, unless the message passing interface
    restricts itself to only passing messages that fit in the
    machine's registers, and requires the ukernel core to copy those
    around. That opens up new challenges, and avenues for attack,
    including speculating on the contents of messages.

    It also means you can't use the compromise of a secondary driver without >security implications in itself as a jumping-off point to go and compromise >the critical parts of the kernel as they no longer share the same address >space.

    It's hard to imagine any non-trivial driver that does not have
    security implications if compromised. Consider a block driver
    for a storage device; a compromise could allow an attacker to
    manipulate data coming from or going to the device; same with a
    network driver; something as simple as a timer driver could be
    used to mount side-channel attacks against, well, any number of
    things; a UART driver could be used to sniff data, and so on.

    Also remember what I said: "More secure", not "secure".

    Absolutely. My point isn't to dismiss the idea; it's all about
    defense in depth and all of that, and any little bit helps. But
    one needs to rigorously define both the characteristics of the
    desired microkernel as well as the threat model and how the
    proposed ukernel's architecture addresses those. Just saying,
    "microkernels are more secure than monolithic kernels" by itself
    is insufficient.

    More robust:

    A crash in a driver or kernel component does not mean failure of the
    system (in most cases). A suitably designed microkernel means that
    restart of the failed component/driver may very well also be possible.

    It's the "suitably designed" part that is both subtle and of the
    utmost importance here; that's what I'm driving at.

    3) Intel and AMD need to knock off this operating system below the
    user's operating system stuff that the user's operating system can't
    even see. I know why they (claim) they do, but that's extreme
    arrogance and a disaster in the making. That should be under the full >>>control of the user and the user's OS at all times.

    Agreed, but it's not just Intel and AMD. It's also ARM and
    (increasingly) the RISC-V ecosystem.

    I thought ARM was restricted to the TrustZone stuff for user applications.
    I wasn't aware of the SMM stuff because I'm more used to using ARM in >embedded environments. I've had a look and it appears more sane than >Intel/AMD but I still don't like it.

    I have not been able to find anything about RISC-V SMM mode so I don't
    know if they call it something else that I am unable to find.

    Sorry, I wasn't clear here: SMM is x86 specific, but neither
    UEFI nor ACPI are, and both the ARM and RISC-V ecosystems are
    well on their way to repeating those two mistakes. The point
    is, the operating system behind the operating system isn't just
    an Intel and AMD problem.

    This also opens up a whole can of worms about what that stuff
    does and when, and interfaces between the hardware platform and
    the operating system _should_ exist. If we really do everything
    that is in UEFI or ACPI or SMM in the OS, then we're going to
    need to have some pretty fundamental conversations first.

    I don't really care where it is, provided _I_, and not my government
    or my closed-source dodgy binary blob vendor are in control. In reality >however, that means it needs to be quite high up in the stack, with
    (as you correctly point out) open specifications for everything.

    This is the point, though. The amoung of board- and microarch-
    specific stuff that is shoved into e.g. the UEFI PEI is
    non-trivial, and deeply tied to each part. Don't get me wrong;
    I'm all for getting rid of UEFI as it is just a dog's breakfast
    of a standard, but unless every OS out there is going to
    implement support for every board and every CPU, we've got to
    find some sort of compromise between "firmware does it all and
    never goes away" and "the OS does everything".

    Also, there's a compatibility problem. For example, SMM exists,
    in part, because it allows old software to run on new hardware.
    Your OS doesn't know how to drive an XHCI USB HBA? No problem;
    UEFI can emulate a PS/2 interface in SMM and your old OS is none
    the wiser, since by definition SMM's existence is hidden from
    the OS.

    Even worse are all the little hidden cores that are embedded in
    a modern SoC complex; most OSes aren't even aware that they are
    there, yet they are, running who knows what, outside of the
    domain of the OS. And that's not talking about the cores that
    we _do_ know are there (like the BMC, ASP, or EM on Intel's
    consumer parts). Is the OS going to drive all of those, too?

    Also in reality, and sadly also based on history, that is indeed looking
    like the OS.

    I'm not sure it _can_ be the OS. Consider the "boot problem":
    you've got a fancy secure ukernel-based OS, but the OS image:
    the ukernel and all the little programs that make it up, are
    copied into a file or files on a block storage device that's at
    the far end of a PCIe link. But on a lot of systems you need
    systems software running on the cores you want to boot your OS
    to configure those links and kick of the LTSSM to bring them up
    before you can load the OS.

    An example of such a platform is AMD's EPYC series server SOCs.
    These are wonderfully flexible; they have a large number of PHYs
    that can be lined out to peripherals and that can be configured
    in a number of different ways: software running on x86 directs
    them to present as PCIe, or as SATA, or as something else; it
    does this by creating a table that describes the desired
    topology, and sending it to a hidden core embedded inside of the
    ASP, that then does the low-level stuff. But critically, you
    can't start training PCIe until you know that something is meant
    to be PCIe, and MPIO (the IP that does it) don't know that until
    the x86 cores tell it.

    So now you've got a chicken and egg thing: you can't load the OS
    to tell it how to configure the SoC until you've configured the
    SoC so that you can load the OS. And of course you still need
    something smart enough to load the first-stage bootloader to
    kick off the rest of the boot process.

    AMD addresses this by pushing all of that into AGESA, their
    UEFI implementation (approxmiately) which is loaded from a
    dedicated flash part by the ASP, and arranges things so that the
    x86 BSC comes out of reset running AGESA code. Each board
    vendor then customizes AGESA with information about their
    board-specific configuration; AGESA consumes that, configures
    the board, starts the IO devices and so on, and loads the
    first-sage bootloader and starts it.

    So, if we're going to get rid of UEFI, we need an answer to this
    problem. Again, "push it into the OS" is not sufficient,
    because we need a way to get the system up enough so that we can
    load the OS.

    We did this at work. We use AMD parts, but not UEFI, let alone
    AGESA. We do it by building things so that the OS looks kind of
    a UEFI image from the ASP's perspective, and then we write it
    into flash. When the BSC starts, it's running our code; we get
    the OS kernel fully loaded and it takes over configuring the
    system in a manner similar to what AGESA does.

    But we can do this because we codesign the software alongside
    the hardware and control both: the unit of compute on our
    machines is a VM; we don't support users running things directly
    on the bare hardware. Not everyone is so lucky, however, and I
    fear the world where either every vendor ships their own custom
    version of the OS, or the OS is bloated with details about every
    vendor's part.

    This strongly implies that, to solve the general problem, you
    need some sort of interface between the two. It's just that the
    interfaces the industry have standardized on are awful.

    4) All operating systems (at least the public facing server ones) should >>>run with mandatory access control security (ie: something like SELinux) >>>at all times to try to help keep a successful breach contained.

    This conflates MAC with containment; that is, it mandates a
    particular shape of a solution instead of starting with the
    fundamental problem and driving to a solution.

    Absolutely we need containment of breaches. Is MAC the best way
    to get that?

    MAC policies can very tightly lock down resources for different services >running on the same server. For example, different services can be given >access to different collections of network ports, which malware cannot >override. Likewise, you can tightly label different parts of filesystems
    with various MAC labels.

    Running one service per container may be a partial solution, but you
    still need a container-specific firewall because by removing MAC, you
    have just given the malware the ability to open whatever ports it wants,
    at least within the container. Also, at some point, those different
    services may need to share data so you are back to the controlling access
    to the filesystem problem.

    Well, note that I didn't say "containers" I said "containment",
    which is different.

    I have no doubt that MAC policies can do it. I question whether
    focusing on a MAC policy as the solution ignores the larger
    problem, and if other mechanisms may be usefully employed here.
    A capability-based system, for example, has many of the same
    properties.

    Again, it's a definitional issue; what precisely is a MAC
    policy, and how does one define it in one's system? https://csrc.nist.gov/glossary/term/mandatory_access_control
    gives several potential definitions, including at least one that
    wouldn't be compatibile with most capability-based systems
    (where, e.g., I might be able to transfer my capability to
    someone else, or given then a less-privileged sub-capability).

    Having said that, I would welcome suggestions about alternatives.

    I think it's a really interesting thing to think about, but that
    to affectively address it requires a very high-level of rigor so
    that everyone consider is talking about the same thing. Other
    things I'd like to explore are stronger languages for writing
    system software, and applying formal methods to it. Indeed, in
    this brave new LLM-ified world, I think these are more important
    than ever.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Wed Jun 10 16:57:14 2026
    From Newsgroup: comp.os.vms

    In article <n8rpa6FesdaU1@mid.individual.net>,
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/8/2026 9:19 AM, Dan Cross wrote:
    In article <n8ikv7FtdetU2@mid.individual.net>,
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 10:37 PM, Scott Dorsey wrote:
    bill <bill.gunshannon@gmail.com> wrote:
    On 6/5/2026 5:49 PM, Scott Dorsey wrote:
    John Dallman <jgd@cix.co.uk> wrote:
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote: >>>>>>>
    PPS: On a more serious note, is it going to take a global scale >>>>>>>> disaster to finally invest resources into making things well and >>>>>>>> truly "really secure" instead of just "pretend secure" ?

    What is "really secure"? The military have brute-force answers to that, >>>>>>> via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    Air gaps aren't really secure. One platoon of Marines can get through >>>>>> most typical air gaps.

    I didn't see a smiley. Is this joke or do you really not know
    what is meant by an air gap in the IT world.

    I do. It means there's no network connection and you're relying only
    on usually-pitiful physical security measures to keep your system isolated.

    Yeah, much more pitiful than putting it in the cloud where everyone and
    their dog has access to it.

    I worked on Google Cloud, and I used secure and insecure
    military networks while deployed in a combat environment.

    I know it's done. Kinda shoots down the "zero trust" concept when you
    put all your data in the hands of people you have no reason to trust.

    Not necessarily. Confidential compute is meant for systems that
    do not trust the hypervisor (read: cloud provider) from peeking
    at the VM. Of course, those rely on hardware (generally, RAM is
    encrypted etc) that one may not trust either.

    I'd posit that cloud infrastucture run by Google is verifiably
    orders of magnitude more secure than a deployed military
    network.

    As the the guy responsible for designing, building and operating
    deployed military networks as well as doing a stint with DISA
    inspecting and verifying them I would definitely disagree.

    Well. As a guy who was _also_ responsible for military comms,
    I'd say that gives you a perspective about military systems.
    But as a guy who worked for a major cloud provider in addition
    to being a Comm-O, I'm wondering what your basis for comparison
    is. Did you also work for a cloud provider? If not, how would
    you know how their security compares?

    The only time any data is secure is when it is in your hands
    and your hands only. Just like a secret. Two people can keep
    a secret, if one of them is dead.

    Cute.

    On a side note, I saw some very interesting methods to try and breach
    airgaps. Like having a secure and a non-secure terminal side by side
    on a desk so you could copy data manually from one to the other.
    Security is not always a second thought. Sometimes it is openly
    despised. :-)

    Sometimes that is an operational necessity, and sometimes it
    goes from non-secure to secure.

    Non-secure to secure is fine.

    Indeed. And it's an example of how having two terminals next to
    one another is not a priori a problem.

    It's only a problem when it goes
    the other way. I once worked in National Guard with an officer
    who used to put his personal laptop on SIPRNET during exercises.
    His explanation was "We're National Guard, none of this is real."
    we were connected by satellite to Ft Gordon and connected to the
    real world SIPRNET. If it wasn't real how did he think we were
    able to talk to HUMVEEs in Iraq using Blue Force Tracker.

    This vignette alone undermines the idea that the military system
    is more secure than the cloud provider.

    How on earth was he able to plug a personal laptop into a SIPR
    drop? Why were personnel on a training exercise able to access
    forward deployed operational assets?

    Also, what's the rest of the story? The MPs came and hauled
    this guy off? At a minimum, did his personal laptop become a
    surprise donation to the US government?

    True story: I was embedded with an Afghan Army unit. I was a
    Marine communications officer, but I'm also a Marine: that means
    I am expected to operate outside of my primary MOS and put
    together combat ops when required. My ANA guys were in a log
    unit, but didn't have the uparmored or heavy weapons
    capabilities that I did; which meant I spent a lot of time
    outside the wire running security and commanding them. Fun
    times.

    Anyway, at one point, some ricky-recon ANGLICO Captain shows up
    out of nowhere and says, "I want to support you!" Uh, ok, guy,
    support me with what, precisely? By this time I'd been running
    missions for months, and it wasn't clear what he was bringing to
    the table other than a few extra guns that, honestly, I really
    didn't need.

    I never did figure it out. He wanted to attach to one of my
    convoys, so I told him, "ok, good to go, sir: please send me
    your manifest over SIPR so I can integrate it into mine."

    See, before going outside the wire on a mission, I had to put
    together an op-order and a manifest listing all of my assets:
    vehicles, radios, weapons, Marines and Navy personnel (we don't
    have doctors or medics in the Marine Corps; we get all of that
    from the US Navy, so I had sailors attached to my team, and at
    one point an Army medic showed up and we kept him, so I had a
    soldier too); basically, anything with a serial number or a
    pulse had to be listed on the manifest, which had to be sent up
    to the division level so they could track everything that was
    operationally active. So my secret squirrel ANGLICO ninja guy
    wants to join this mission and he's bringing his own vehicle and
    weapons and all of that, so I ask him for his gear list, and I
    ask him to send it to me on the "secure" network, because that's
    where all of that stuff was stored and sent around and so on.

    So naturally he sends me his manifest (incomplete) on NIPR (the
    "Non-secure Internet Protocol Router": no, really, that's what
    it's called; "SIPR" is the "Secure Internet Protocol Router") so
    now I have to sit there in the CoC, reading this stuff off of a
    laptop on the NIPR network, and typing it into another laptop,
    connected to the SIPR network.

    To add insult to injury, we go to DFL and Ricky Recon shows up
    with like two other people that weren't on the manifest, in a
    different vehicle than the one he'd said he was going to be in,
    with a bunch of weapons he didn't tell me about, but he is
    rolling Ready For War. "What the hell? Who is this?" "Oh, he's
    coming along with us...." "He's not on the manifest. I have to
    call this in and add him."

    Long story short, nothing this guy had sent me was accurate, so
    I called up my CoC, explained the situation; they pushed it up
    to Divison, and Division was _pissed_: at me. I was pissed that
    division was pissed and that this guy was wasting my time.
    Meanwhile, the ANA guys are starting to honk at me because they
    want to get going. So do I, guys, so do I. Sadly, I was
    looking at having to delay by an hour or more to fix all of this
    manfist asshattery, or leaving the War Badger behind.

    I left him behind; never heard from the guy again. I guess he
    found someone else to "support."

    I don't know if this is an argument _for_ or _against_ close
    physical proximity for airgapped terminals.

    What happened is exactly the way it is supposed to work.

    No, what happened is not at all what happened. I suppose there
    is nothing immediately classified about, say, weapons serial
    numbers, but that data should never have been collected together
    on NIPR in that way.

    Funny, I assumed the Marines had security people equivalent to
    Army S2. They should have been handling this.

    S-2 is the intelligence function. What should they have been
    handling? Putting together op orders goes through ops, which
    is the S-3, not the deuce, and anyway, the op order (and all
    associated assets, like manifsts) are the mission commander's
    responsibilty (ie, mine). Comm is the S-6, and is subordinate
    to the 3.

    All the services have
    assholes, sadly the peter principle is in full effect allowing
    their rise thru the ranks.

    Yup.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Thu Jun 11 13:28:17 2026
    From Newsgroup: comp.os.vms

    On 2026-06-10, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <1109q72$8pnm$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-08, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <10vugtq$15a62$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    2) Linus is on the wrong side of the microkernel argument. There was a >>>>performance argument 30 years ago, but that argument no longer exists >>>>in today's world. We need to get today's monolithic and fully privileged >>>>kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time >>>>reading the kernel ones and following the CVEs and then remember all >>>>those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels.

    This bears some scrutiny. In particular, what are the assumed
    characteristics of microkernels that make them more secure
    and/or robust, in your estimation?

    More secure:

    Outside of the core functionality, which must remain in kernel mode,

    I think if security is our major criteria, one must define what
    one means by "core functionality". Is that memory management?
    Handling interrupts? Process scheduling? Core block storage
    abstractions, or something else?


    There isn't one answer to that question as it varies by microkernel
    design. Simon's answer is "the smaller the kernel footprint the better". :-)

    [snip]


    There are drivers and components even in a microkernel that if you
    manage to compromise you could still use to do damage but you now
    face the harder job of getting to them because they are isolated
    in user processes behind those message interfaces.

    Any non-trivial message in a message-passing system must be
    stored in memory somewhere, unless the message passing interface
    restricts itself to only passing messages that fit in the
    machine's registers, and requires the ukernel core to copy those
    around. That opens up new challenges, and avenues for attack,
    including speculating on the contents of messages.


    Yes. Another way of looking at it is from the economic point of view.
    In other words, to try and make the cost of mounting an attack against
    you greater than the benefits an attacker gains from mounting that attack.
    I would also argue that in addition to the technical benefits, microkernels bring economic benefits in that they increase the costs of mounting an
    attack.

    Also in reality, and sadly also based on history, that is indeed looking >>like the OS.

    I'm not sure it _can_ be the OS. Consider the "boot problem":
    you've got a fancy secure ukernel-based OS, but the OS image:
    the ukernel and all the little programs that make it up, are
    copied into a file or files on a block storage device that's at
    the far end of a PCIe link. But on a lot of systems you need
    systems software running on the cores you want to boot your OS
    to configure those links and kick of the LTSSM to bring them up
    before you can load the OS.


    [snip long very interesting case]

    The lack of trust is the deal breaker here.

    That trust has been lost, both politically (which may be fixable
    in 10-15 years), and technically (which is not fixable now we know
    what those blobs and hardware contain).

    You don't continue to employ a maid once they have been caught stealing
    from you. Likewise, something very, very dramatic would have to
    happen before trust in the current infrastructure could be restored.

    So the question is: does the boot-up architecture really need to be
    this complex ? Do we tradeoff, say, a 20% performance loss, to get
    a far easier to verify architecture that _we_ and not the vendor
    controls ?

    Does that more simple architecture even have unexpected benefits such
    as reduced power consumption ?


    MAC policies can very tightly lock down resources for different services >>running on the same server. For example, different services can be given >>access to different collections of network ports, which malware cannot >>override. Likewise, you can tightly label different parts of filesystems >>with various MAC labels.

    Running one service per container may be a partial solution, but you
    still need a container-specific firewall because by removing MAC, you
    have just given the malware the ability to open whatever ports it wants,
    at least within the container. Also, at some point, those different >>services may need to share data so you are back to the controlling access >>to the filesystem problem.

    Well, note that I didn't say "containers" I said "containment",
    which is different.


    Yes, I know. You did say "containment" and the only thing I know of
    that currently exists which can even begin to help is MAC based security.
    and that by itself may not be enough in all cases.

    Containers certainly are not enough, which is why I raised them as an
    example. (In the past, when I have talked about MAC based security,
    some people seem to have jumped straight to containers as an alternative
    for some reason.)

    I have no doubt that MAC policies can do it. I question whether
    focusing on a MAC policy as the solution ignores the larger
    problem, and if other mechanisms may be usefully employed here.
    A capability-based system, for example, has many of the same
    properties.


    Which is something I now would very much like to see deployed in early
    general use (now I know there's finally movement in this area), so we
    can see how it works against real-world security threats. There is
    something potentially very exciting there but it's no good until we've
    got something we can work with to see if the potential matches reality.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Stephen Hoffman@seaohveh@hoffmanlabs.invalid to comp.os.vms on Fri Jun 12 21:35:24 2026
    From Newsgroup: comp.os.vms

    On 2026-06-05 12:54:18 +0000, Simon Clubley said:

    On 2026-06-04, John Dallman <jgd@cix.co.uk> wrote:

    What is "really secure"? The military have brute-force answers to that,
    via air gaps, but nobody want to buy such systems. Few are willing to pay
    for any security overheads.

    ...
    Any additions to this list ?

    For an existing implementation targeting distributed trust and privacy,
    some reading:

    https://security.apple.com/documentation/private-cloud-compute https://security.apple.com/blog/expanding-pcc/
    --
    Pure Personal Opinion | HoffmanLabs LLC

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Sat Jun 13 12:37:10 2026
    From Newsgroup: comp.os.vms

    In article <110ed5h$1frq7$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-10, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <1109q72$8pnm$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-08, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <10vugtq$15a62$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote: >>>>>2) Linus is on the wrong side of the microkernel argument. There was a >>>>>performance argument 30 years ago, but that argument no longer exists >>>>>in today's world. We need to get today's monolithic and fully privileged >>>>>kernels broken up and isolated into a microkernel infrastructure.

    Next time you get some Linux patch notifications, spend some time >>>>>reading the kernel ones and following the CVEs and then remember all >>>>>those bugs are running in one single fully privileged address space.

    Microkernels are a lot more secure and robust than monolithic kernels. >>>>
    This bears some scrutiny. In particular, what are the assumed
    characteristics of microkernels that make them more secure
    and/or robust, in your estimation?

    More secure:

    Outside of the core functionality, which must remain in kernel mode,

    I think if security is our major criteria, one must define what
    one means by "core functionality". Is that memory management?
    Handling interrupts? Process scheduling? Core block storage
    abstractions, or something else?

    There isn't one answer to that question as it varies by microkernel
    design. Simon's answer is "the smaller the kernel footprint the better". :-)

    Well, that's kind of the point, though. If we want to talk
    about security from a systems design perspective, we need to
    nail those specifics down. "Microkernels are better because
    tasks run in their own address space" doesn't hold if those
    tasks all share a single address space, as they did in Minix 1.

    Similarly, if the security of the design is predicated on
    minimalism in a ukernel as TCB, then we need to know what is in
    the TCB and what is not.

    [snip]
    There are drivers and components even in a microkernel that if you
    manage to compromise you could still use to do damage but you now
    face the harder job of getting to them because they are isolated
    in user processes behind those message interfaces.

    Any non-trivial message in a message-passing system must be
    stored in memory somewhere, unless the message passing interface
    restricts itself to only passing messages that fit in the
    machine's registers, and requires the ukernel core to copy those
    around. That opens up new challenges, and avenues for attack,
    including speculating on the contents of messages.

    Yes. Another way of looking at it is from the economic point of view.
    In other words, to try and make the cost of mounting an attack against
    you greater than the benefits an attacker gains from mounting that attack.
    I would also argue that in addition to the technical benefits, microkernels >bring economic benefits in that they increase the costs of mounting an >attack.

    I'm not sure how this relates to what you quoted above, but I
    agree with the general sentiment. It's about raising the bar to
    make it unattractive to attack the safer system vs the other.

    The analogy is like, "The Club" (which is an anti-theft device
    for cars that was popular in the US in the 1990s). This was
    basically a lockable bar that you would attach to the steering
    wheel when parked; if angled properly, it prevented the wheel
    from turning.

    A professional car thief (some profession!) weighed in on it and
    they said they could hack through it in like 30 seconds or
    something. BUT, and here's the thing, if two cars of equal
    value were sitting next to each other and one had the club and
    the other didn't, the thief would go for the one that did not;
    why accept the risk of the taking an extra 30 seconds to steal
    the car when you didn't need to? From the thief's perspective,
    there's no objective difference between the two, so it makes
    sense to go for the softer target.

    Also in reality, and sadly also based on history, that is indeed looking >>>like the OS.

    I'm not sure it _can_ be the OS. Consider the "boot problem":
    you've got a fancy secure ukernel-based OS, but the OS image:
    the ukernel and all the little programs that make it up, are
    copied into a file or files on a block storage device that's at
    the far end of a PCIe link. But on a lot of systems you need
    systems software running on the cores you want to boot your OS
    to configure those links and kick of the LTSSM to bring them up
    before you can load the OS.

    [snip long very interesting case]

    The lack of trust is the deal breaker here.

    That trust has been lost, both politically (which may be fixable
    in 10-15 years), and technically (which is not fixable now we know
    what those blobs and hardware contain).

    Sadly, I'm not sure that it is. It's one thing to know _how_ to
    write the software; it's another thing entirely to get it into a
    CPU and get the CPU to use it. On AMD parts, for example, you
    cannot easily replace the firmware on the ASP, even if you could
    write it yourself; the ASP really need a signed image (measuring
    and loading happens very early in boot) and the verification key
    is in a secure enclave that is very difficult to replace unless
    you are AMD.

    You don't continue to employ a maid once they have been caught stealing
    from you. Likewise, something very, very dramatic would have to
    happen before trust in the current infrastructure could be restored.

    So the question is: does the boot-up architecture really need to be
    this complex ? Do we tradeoff, say, a 20% performance loss, to get
    a far easier to verify architecture that _we_ and not the vendor
    controls ?

    Yes and no. I can say with some experience that it doesn't need
    to be _as_ complex _if_ you're not trying to solve the full,
    general case. The actual code to turn on the IO devices and so
    on in the SoC isn't _that_ much (it's measured in the low 10s of
    KLOC), and a lot could (in princple) be shared between uarch's,
    at least from the same manufacturer.

    But in addition to the signing issue mentioned above,
    configuring the devices themselves is helaciously difficult; the
    speeds we're talking about require complex algorithms to do
    things like timing training and eye measurement on PCIe links,
    and you really need a dedicated DSP to do it, not a general
    purpose CPU. And it's different for every vendor and every
    microarchitecture. And that's to make it work _at all_;
    a performance drop is irrelevant if you can't make the thing
    talk in the first place.

    Does that more simple architecture even have unexpected benefits such
    as reduced power consumption ?

    Probably, but if you're trading speed for simplicity, you need
    more of them to handle the same workload, so you might end up
    with net greater power consumption.

    That said, every now and again something comes along that is a
    dramatic simplication. Again, I'll use PCI as my example,
    specifically MSI: Message Signaled Interrupts. The original PCI
    spec defined a parallel bus with four active-low,
    level-triggered lines for signaling interrupts. Figuring out
    what line on what device was connected to which input on the
    interrupt controller was super annoying, especially as SMP
    machines started to become common. So called "PCI Interrupt
    Routing" required support from the BIOS (or deep knowledge of a
    particular system, which was not portable). Moreover, because
    interrupts were signaled over an electrical channel independent
    of memory, it was possible to get an interrupt for a completed
    DMA while the DMA was still in-flight.

    To address this, PCI introduced Message Signaled Interrupts,
    where a particular kind of PCI message (sent over the normal
    memory-oriented bus) could be used to signal an interrupt; to
    make use of this, you just wrote into a pair of registers that
    were exposed through a capability in PCI config space. The data
    you wrote included a CPU you wanted to send the interrupt to,
    and the vector your wanted to use on that CPU. It was a
    dramatic simplification, faster, and avoided the entire issue
    with sequencing between DMA and interrupts.

    The point is, simplification can yield unexpected benefits for
    system designers, but we tend towards these local maxima until
    something happens that forces us to shift our focus.

    MAC policies can very tightly lock down resources for different services >>>running on the same server. For example, different services can be given >>>access to different collections of network ports, which malware cannot >>>override. Likewise, you can tightly label different parts of filesystems >>>with various MAC labels.

    Running one service per container may be a partial solution, but you >>>still need a container-specific firewall because by removing MAC, you >>>have just given the malware the ability to open whatever ports it wants, >>>at least within the container. Also, at some point, those different >>>services may need to share data so you are back to the controlling access >>>to the filesystem problem.

    Well, note that I didn't say "containers" I said "containment",
    which is different.

    Yes, I know. You did say "containment" and the only thing I know of
    that currently exists which can even begin to help is MAC based security.
    and that by itself may not be enough in all cases.

    Containers certainly are not enough, which is why I raised them as an >example. (In the past, when I have talked about MAC based security,
    some people seem to have jumped straight to containers as an alternative
    for some reason.)

    I would point to capabilities as an alternative. seL4, Fuchsia,
    etc, are examples here.

    I have no doubt that MAC policies can do it. I question whether
    focusing on a MAC policy as the solution ignores the larger
    problem, and if other mechanisms may be usefully employed here.
    A capability-based system, for example, has many of the same
    properties.

    Which is something I now would very much like to see deployed in early >general use (now I know there's finally movement in this area), so we
    can see how it works against real-world security threats. There is
    something potentially very exciting there but it's no good until we've
    got something we can work with to see if the potential matches reality.

    I think there is some precedence here.

    I suspect this has little to do with VMS, though. One wonders
    if we should lobby to bring back comp.os.research ?

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Sat Jun 13 12:41:16 2026
    From Newsgroup: comp.os.vms

    In article <110e9j5$1edps$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-10, Dan Cross <cross@spitfire.i.gajendra.net> wrote:

    No, what happened is not at all what happened. I suppose there
    is nothing immediately classified about, say, weapons serial
    numbers, but that data should never have been collected together
    on NIPR in that way.

    Tut, tut, Dan. They should have told you differently than that back
    in your military academy... :-)

    https://en.wikipedia.org/wiki/German_tank_problem

    Simon.

    PS: Above tone is very much good natured...

    Heh. No problem. I just mean that a rifle serial number is not
    a priori classified; that doesn't mean one should be
    irresponsible with broadcasting it.

    Funny, something similar happened when I was working at Google.

    Google is famously tight-lipped about the size of its fleet, but
    people who work there publish regularly at industry conferences.
    There's some process for doing that, where your paper is
    reviewed, and possibly some things that are considered
    proprietary are redacted.

    Someone gave a paper on storage, and had a graph of (I think)
    disk drive failures over time. Someone outside used that to
    extrapolate the number of disks Google had at the time, and then
    concluded that the number must be wrong because it was "too
    big." We all laughed because they were only off by a factor of
    two (on the small side).

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Tue Jun 16 18:54:44 2026
    From Newsgroup: comp.os.vms

    On 2026-06-13, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <110ed5h$1frq7$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-10, Dan Cross <cross@spitfire.i.gajendra.net> wrote:

    The lack of trust is the deal breaker here.

    That trust has been lost, both politically (which may be fixable
    in 10-15 years), and technically (which is not fixable now we know
    what those blobs and hardware contain).

    Sadly, I'm not sure that it is. It's one thing to know _how_ to
    write the software; it's another thing entirely to get it into a
    CPU and get the CPU to use it. On AMD parts, for example, you
    cannot easily replace the firmware on the ASP, even if you could
    write it yourself; the ASP really need a signed image (measuring
    and loading happens very early in boot) and the verification key
    is in a secure enclave that is very difficult to replace unless
    you are AMD.


    We are really screwed as a society. We just don't know it yet. :-(

    We have been lulled into a false sense of complacency because we no
    longer see ourselves as being threatened by existential-level threats.
    Boy, are we wrong about that.

    Someone who gets control over that kind of firmware at that level or
    the next few levels up can use it to extort/cripple entire countries
    into conforming to their will and there's not a damn thing they can
    do about it.

    Firmware, BTW, written to a budget and shipped once it "appears" to work.

    Does that more simple architecture even have unexpected benefits such
    as reduced power consumption ?

    Probably, but if you're trading speed for simplicity, you need
    more of them to handle the same workload, so you might end up
    with net greater power consumption.

    That said, every now and again something comes along that is a
    dramatic simplication. Again, I'll use PCI as my example,
    specifically MSI: Message Signaled Interrupts. The original PCI
    spec defined a parallel bus with four active-low,
    level-triggered lines for signaling interrupts. Figuring out
    what line on what device was connected to which input on the
    interrupt controller was super annoying, especially as SMP
    machines started to become common. So called "PCI Interrupt
    Routing" required support from the BIOS (or deep knowledge of a
    particular system, which was not portable). Moreover, because
    interrupts were signaled over an electrical channel independent
    of memory, it was possible to get an interrupt for a completed
    DMA while the DMA was still in-flight.

    To address this, PCI introduced Message Signaled Interrupts,
    where a particular kind of PCI message (sent over the normal
    memory-oriented bus) could be used to signal an interrupt; to
    make use of this, you just wrote into a pair of registers that
    were exposed through a capability in PCI config space. The data
    you wrote included a CPU you wanted to send the interrupt to,
    and the vector your wanted to use on that CPU. It was a
    dramatic simplification, faster, and avoided the entire issue
    with sequencing between DMA and interrupts.

    The point is, simplification can yield unexpected benefits for
    system designers, but we tend towards these local maxima until
    something happens that forces us to shift our focus.


    [Nice. Elegance over brute force. We could do with a lot more of that...]


    Yes, I know. You did say "containment" and the only thing I know of
    that currently exists which can even begin to help is MAC based security. >>and that by itself may not be enough in all cases.

    Containers certainly are not enough, which is why I raised them as an >>example. (In the past, when I have talked about MAC based security,
    some people seem to have jumped straight to containers as an alternative >>for some reason.)

    I would point to capabilities as an alternative. seL4, Fuchsia,
    etc, are examples here.


    Yes, I know about these, but they are implemented in software and do
    not exist in production-ready OSes that you can use off the shelf.
    I would also really like to see this taken to the next level and see
    this functionality implemented in hardware (which takes us several
    messages back. :-))

    Also a line from the ACM report has stuck in my memory, which I repeat
    here as a warning:

    "We assume correctness of compiler, assembly code, hardware, and boot code."

    https://cacm.acm.org/research/sel4-formal-verification-of-an-operating-system-kernel/

    Which is something I now would very much like to see deployed in early >>general use (now I know there's finally movement in this area), so we
    can see how it works against real-world security threats. There is >>something potentially very exciting there but it's no good until we've
    got something we can work with to see if the potential matches reality.

    I think there is some precedence here.

    I suspect this has little to do with VMS, though. One wonders
    if we should lobby to bring back comp.os.research ?


    It is always nice to explore new ideas, and learn from them, especially
    in a world that is actively moving towards implement-as-cheap-as-possible monocultures.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From cross@cross@spitfire.i.gajendra.net (Dan Cross) to comp.os.vms on Fri Jun 19 19:28:05 2026
    From Newsgroup: comp.os.vms

    In article <110s65k$1bd6t$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-13, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <110ed5h$1frq7$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
    On 2026-06-10, Dan Cross <cross@spitfire.i.gajendra.net> wrote:

    The lack of trust is the deal breaker here.

    That trust has been lost, both politically (which may be fixable
    in 10-15 years), and technically (which is not fixable now we know
    what those blobs and hardware contain).

    Sadly, I'm not sure that it is. It's one thing to know _how_ to
    write the software; it's another thing entirely to get it into a
    CPU and get the CPU to use it. On AMD parts, for example, you
    cannot easily replace the firmware on the ASP, even if you could
    write it yourself; the ASP really need a signed image (measuring
    and loading happens very early in boot) and the verification key
    is in a secure enclave that is very difficult to replace unless
    you are AMD.

    We are really screwed as a society. We just don't know it yet. :-(

    We have been lulled into a false sense of complacency because we no
    longer see ourselves as being threatened by existential-level threats.
    Boy, are we wrong about that.

    Someone who gets control over that kind of firmware at that level or
    the next few levels up can use it to extort/cripple entire countries
    into conforming to their will and there's not a damn thing they can
    do about it.

    Yup.

    Firmware, BTW, written to a budget and shipped once it "appears" to work.

    Double yup.

    [snip]
    Yes, I know. You did say "containment" and the only thing I know of
    that currently exists which can even begin to help is MAC based security. >>>and that by itself may not be enough in all cases.

    Containers certainly are not enough, which is why I raised them as an >>>example. (In the past, when I have talked about MAC based security,
    some people seem to have jumped straight to containers as an alternative >>>for some reason.)

    I would point to capabilities as an alternative. seL4, Fuchsia,
    etc, are examples here.


    Yes, I know about these, but they are implemented in software and do
    not exist in production-ready OSes that you can use off the shelf.

    Not true; check out Capsicum: https://www.cl.cam.ac.uk/research/security/capsicum/

    I don't know what's been going on with it recently, but it's an
    interesting project to follow, and showed the practicality of
    the approach in real systems.

    I would also really like to see this taken to the next level and see
    this functionality implemented in hardware (which takes us several
    messages back. :-))

    Sure; CHERI or something like it would be wonderful. However,
    you're always going to have something that's a pure software
    abstraction that you need to account for, and for that, having
    some sort of software support for caps is essential.

    Also a line from the ACM report has stuck in my memory, which I repeat
    here as a warning:

    "We assume correctness of compiler, assembly code, hardware, and boot code."

    https://cacm.acm.org/research/sel4-formal-verification-of-an-operating-system-kernel/

    Yeah. The seL4 formal verification work made a lot of
    assumptions. But as we were saying, the goal is to raise the
    bar, not eliminate all problems.

    To that end, I think we could make systems a _lot_ safer by
    a) getting serious about using type- and memory-safe languages
    by default; b) adopting modern development techniques including
    unit and property testing as a matter of course, rigorous code
    review, CI gating commit to the revision control repository, and
    thinking about the semantics of a program, not just its
    exposition in code. Finally, c) getting serious about applying
    formal methods and in particular formal models (Promela, TLA+,
    Alloy) not just proofs (Lean4) to software development. If the
    languages folks would start defining languages with formal
    semantics, _most_ of the problems of C and C++'s overuse of
    "undefined behavior" would similarly go away; hopefully other
    languages could get the same treatment.

    The first two can be done at the level of individual programmers
    and teams; the latter two, require more investment and
    engagement across industry and academia.

    Which is something I now would very much like to see deployed in early >>>general use (now I know there's finally movement in this area), so we
    can see how it works against real-world security threats. There is >>>something potentially very exciting there but it's no good until we've >>>got something we can work with to see if the potential matches reality.

    I think there is some precedence here.

    I suspect this has little to do with VMS, though. One wonders
    if we should lobby to bring back comp.os.research ?

    It is always nice to explore new ideas, and learn from them, especially
    in a world that is actively moving towards implement-as-cheap-as-possible >monocultures.

    I don't know that we are, anymore. It seems to me that we're
    heading for a world where you have to pay to play, and doing so enthusiastically, as fast as we can. It's weird to me that so
    many people are putting so much faith into LLMs so quickly, but
    here we are; the VC money is obviously subsidizing the costs for
    now, but once that dries up.... Anyway, my point is, I think "implement-as-cheap-as-possible" might be going away.

    - Dan C.

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From antispam@antispam@fricas.org (Waldek Hebisch) to comp.os.vms on Fri Jun 19 22:57:28 2026
    From Newsgroup: comp.os.vms

    Simon Clubley <clubley@remove_me.eisner.decus.org-earth.ufp> wrote:

    Also a line from the ACM report has stuck in my memory, which I repeat
    here as a warning:

    "We assume correctness of compiler, assembly code, hardware, and boot code."

    https://cacm.acm.org/research/sel4-formal-verification-of-an-operating-system-kernel/

    IIRC compiler correctness and translation to binary was handled in later
    work. They did not prove compiler correctness, rather they were able to correlate compiler generated code with source and prove that generated
    code matches semantics of the source.

    So, what remains is hardware, and boot code.
    --
    Waldek Hebisch
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Tue Jun 23 12:48:34 2026
    From Newsgroup: comp.os.vms

    On 2026-06-19, Dan Cross <cross@spitfire.i.gajendra.net> wrote:
    In article <110s65k$1bd6t$1@dont-email.me>,
    Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

    Yes, I know about these, but they are implemented in software and do
    not exist in production-ready OSes that you can use off the shelf.

    Not true; check out Capsicum: https://www.cl.cam.ac.uk/research/security/capsicum/

    I don't know what's been going on with it recently, but it's an
    interesting project to follow, and showed the practicality of
    the approach in real systems.


    Thanks Dan; you just added to my bigger-project TODO list. :-)

    I did not know about this and it looks like it's still a part of FreeBSD:

    https://wiki.freebsd.org/Capsicum https://man.freebsd.org/cgi/man.cgi?query=capsicum&sektion=4&n=1

    It's been a very long time since I last looked at FreeBSD. Looks like
    it is time to seriously look at it again. I see it has ARMv7 and ARMv8
    support which is rather exciting and very interesting for some potential
    uses.


    It is always nice to explore new ideas, and learn from them, especially
    in a world that is actively moving towards implement-as-cheap-as-possible >>monocultures.

    I don't know that we are, anymore. It seems to me that we're
    heading for a world where you have to pay to play, and doing so enthusiastically, as fast as we can. It's weird to me that so
    many people are putting so much faith into LLMs so quickly, but
    here we are; the VC money is obviously subsidizing the costs for
    now, but once that dries up.... Anyway, my point is, I think "implement-as-cheap-as-possible" might be going away.


    Humanity chasing the next cult until it all falls apart. We never learn. :-(

    Let's just hope it turns into something like another Ruby on Rails
    (remember the insane hype around that ?) Still in use for various things
    but all the insane-level hype has long since gone.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Tue Jun 23 12:51:24 2026
    From Newsgroup: comp.os.vms

    On 2026-06-19, Waldek Hebisch <antispam@fricas.org> wrote:
    Simon Clubley <clubley@remove_me.eisner.decus.org-earth.ufp> wrote:

    Also a line from the ACM report has stuck in my memory, which I repeat
    here as a warning:

    "We assume correctness of compiler, assembly code, hardware, and boot code." >>
    https://cacm.acm.org/research/sel4-formal-verification-of-an-operating-system-kernel/

    IIRC compiler correctness and translation to binary was handled in later work. They did not prove compiler correctness, rather they were able to correlate compiler generated code with source and prove that generated
    code matches semantics of the source.

    So, what remains is hardware, and boot code.


    Thank you. I looked at the initial work in depth but not so much
    any followup work because I wasn't seeing it being used anywhere
    that I could put it to use to try it out.

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
    --- Synchronet 3.22a-Linux NewsLink 1.2