"Magic SVC"? in 2020? - The year of the mainframe security

"Magic SVC" in 2020? - The year of the mainframe security


I hope this is a happy year for security in the mainframe environment.

Years ago, we decided to create our VA060 Audit, Security, and Hacking course in mainframe environments.

One of the biggest internal debates we had was deciding where the red line of teaching was in mainframe hacking techniques.

We then decided to teach only what other people had already disclosed on the Internet.

Over the past five years, awareness of the need to secure z/OS environments properly has grown exponentially. At Bsecure, we believe we have contributed a great deal of effort to this evangelization.

In our view, there are two main reasons:

1) External attacks on supposedly hidden and secure mainframe infrastructures sitting behind firewalls, such as the Nordea Bank and Logica incidents, have begun to be reported on the Internet and in the specialized press.

https://www.pcworld.com/article/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-mainframes-stealing-money.html

Although this is only the tip of the iceberg: external attacks account for 3.0% (and growing) of serious security incidents in the mainframe environment; the other 97% are carried out by people inside the organization who have legitimate access to the platform.

2) The second reason is the large amount of information available on non-profit outreach forums, such as SHARE, set up by the users of this IBM technology. Information can also be found at specialized conferences, such as the annual Vanguard Professional Services or Broadcom (CA) events in the USA, among others.

In fact, there is so much information available on the Internet that we could disclose practically 80% of the professional white-hat hacking techniques we use in our daily work.

But let us get to the subject proposed in the title of this first article of 2020.

First, we have to explain what a "Magic SVC" is. For that, we have to go back to the 80s, when the MVS operating system was the king of business operating systems.

At that time, there was no real security subsystem comparable to what RACF is today. There were only two third-party subsystems: Top Secret, from Computer Associates (CA), and ACF2, from SKK. Later, CA would also buy ACF2, becoming the leading vendor of security software for the mainframe.

At that time, system technicians had to adapt the operating system using the possibilities the manufacturer (IBM) provided, because specific programs occasionally needed to run as super users.

This could be done mainly with two techniques:

- System exits

- User SVCs.

And all of it written in System/370 assembler.

There were no robust subsystems like those z/OS (the current version of MVS) has now, which allow fine-grained control of the extraordinary actions of its subsystems (RMM, RMF, SMF, SMS, SDSF, TSO, VTAM, RACF, SNA, JES2, JES3, TCP/IP ...).

All the functionality that made the mainframe a general-purpose infrastructure (online during the day and batch at night) had to be coded by the systems management team itself, since the base system features fell short.

The best technique, and the one that became most popular, was to create a user SVC that ran in "authorized" mode and could call any system function without any security check being made. It was generally SVC number 242, although it could be any other number between 200 and 255.

User application programs written in COBOL (not just assembler) could then, for example, read and write memory locations in their own address space that are prohibited by default to preserve the integrity of the system.

They only had to call the "Magic SVC" and request, through its calling protocol, that the ability to write to those prohibited areas of memory be switched on. The SVC "magically" granted that capability regardless of whether or not a security manager subsystem such as RACF, Top Secret, or ACF2 was installed.

Another example was the ability to access and modify any file in the system without going through the security manager or knowing its password (the minimum level of security when there was no security management software).

In that age, the usual security technique was security through obscurity. Only system programmers knew what the calling protocol was. If the calling program got it right, the SVC granted the requested capability; otherwise, it ended with an authorization error (usually an S047 abend).
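One practical way for a defender to look for this class of SVC is to audit the SVC definitions the system is IPLed with: a user SVC (number 200 to 255) that does not require an authorized caller is exactly what lets an unauthorized program ask for privileges. The script below is an added example written for this article, not code from the article or from Bsecure. It assumes the input is shaped like IEASVCxx SVCPARM statements (SVCPARM nnn,REPLACE,TYPE(t),EPNAME(name),APF(YES|NO)), that a missing APF keyword means APF(NO), and it uses a constructed sample member; verify both assumptions against your own installation before relying on the result.

```python
"""Audit an IEASVCxx-style member for user SVCs callable by unauthorized code.

Added example, not from the original article.  Labelled assumptions:
- Input format modelled on IEASVCxx SVCPARM statements
  (SVCPARM nnn,REPLACE,TYPE(t),EPNAME(name)[,APF(YES|NO)]...).
  Check the exact syntax of your installation's member.
- An omitted APF keyword is treated as APF(NO), i.e. callable by
  unauthorized programs (assumption; confirm for your z/OS level).
- SAMPLE_MEMBER below is constructed for this example.
"""
import re
from dataclasses import dataclass

# User SVC numbers, as the article states: 200 to 255 inclusive.
USER_SVC_RANGE = range(200, 256)

# Constructed sample input (not a real installation's member).
SAMPLE_MEMBER = """\
* Constructed IEASVCxx member used as sample input
SVCPARM 242,REPLACE,TYPE(3),EPNAME(IGX00242),APF(NO)
SVCPARM 243,REPLACE,TYPE(3),EPNAME(IGX00243),APF(YES)
SVCPARM 250,REPLACE,TYPE(4),EPNAME(IGX00250)
SVCPARM 109,REPLACE,TYPE(3),EPNAME(IGX00109),APF(YES)
"""

_SVCPARM = re.compile(r"^\s*SVCPARM\s+(\d+)\s*,(.*)$", re.IGNORECASE)
_KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)", re.IGNORECASE)


@dataclass
class SvcEntry:
    number: int
    svc_type: str
    epname: str
    apf_required: bool   # True when APF(YES): only authorized callers allowed


def parse_member(text):
    """Return one SvcEntry per SVCPARM statement; comment lines ('*') skipped."""
    entries = []
    for line in text.splitlines():
        if line.startswith("*"):
            continue
        m = _SVCPARM.match(line)
        if not m:
            continue
        keywords = {k.upper(): v.upper() for k, v in _KEYWORD.findall(m.group(2))}
        entries.append(SvcEntry(
            number=int(m.group(1)),
            svc_type=keywords.get("TYPE", "?"),
            epname=keywords.get("EPNAME", "?"),
            apf_required=(keywords.get("APF", "NO") == "YES"),  # assumption: default NO
        ))
    return entries


def unauthorized_callable_user_svcs(entries):
    """User-range SVCs that an unauthorized program may issue without an S047."""
    return [e for e in entries
            if e.number in USER_SVC_RANGE and not e.apf_required]


def audit(text):
    """Return the SVC numbers that deserve a source-code review, sorted."""
    return sorted(e.number for e in unauthorized_callable_user_svcs(parse_member(text)))


if __name__ == "__main__":
    for entry in unauthorized_callable_user_svcs(parse_member(SAMPLE_MEMBER)):
        print(f"REVIEW: SVC {entry.number} TYPE {entry.svc_type} "
              f"EPNAME {entry.epname} is callable by unauthorized programs")
```

The listing only tells you which user SVCs are reachable from unauthorized code; it says nothing about what the routine does. Every number the script reports still needs its assembler source (or the load module) reviewed to see whether it hands out privileges on request, as the "Magic SVC" described above does.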

What does this grandfather's tale from the 80s have to do with the year 2020?

Security has a terrible enemy summed up in:

"If it works: DO NOT change it, DO NOT delete it, DO NOT touch it."

In practice, these words mean, for example, that there are security rule databases with tens of thousands of rules, and nobody today knows which ones are current and which ones are obsolete. An old rule can become active at any time and grant uncontrolled privileges to unauthorized persons and programs. That is why one of the most requested jobs among those who hire us is the controlled cleaning of these security databases.

In the last three years, in our work with large computing facilities with decades of experience in mainframe technology, we have found that many still had "Magic SVCs" active in their systems.

Some (a tiny minority) had recoded the SVC to bring it in line with the integrity rules of system programming.

But most of them were still executing, in the 21st century, the same SVC that was coded in the 80s to squeeze the maximum productive capacity out of their then expensive machines and clumsy mainframe computing.

IBM has done a great job during the more than 50 years it has been shipping its operating systems: OS/VS1, MVS, MVS/XA, MVS/ESA, OS/390, and finally z/OS and its counterparts VSE and VM. Its laboratories have always protected their clients' investments, so that code written in 1980 still works flawlessly in 2020. Few operating systems have this advantage. But in this case, it becomes a severe security flaw.

The problem is that what used to be hidden, known only to those initiated in mainframe system programming and its security aspects, has become fully known and documented in open specialized forums.

You can already find examples of "Magic SVC" source code, from which anyone can work out the calling protocol that makes them work.

For example, if the SVC exists and I know how to call it, my program (which is not authorized) can make itself RACF SPECIAL and, from that moment on, execute any command against the RACF database without being detected by the usual controls. It can define new rules or grant itself access to sensitive data or business applications.

Or I can make myself RACF OPERATIONS, to take any business data file or plant "back doors" in system libraries, infecting them.

Obscurity no longer works. Now,

Security is knowledge!

For us, it all starts with our Online Course: VA060.-

https://www.go2bsecure.com/audihack/

It is a foundational course for any professional involved in the management and security of mainframe environments.

We will add a couple of lessons this year about these aspects.

Happy New Year 2020!

Ángel Gómez

