[SC-L] COBOL Exploits
Andrew van der Stock
vanderaj at owasp.org
Sun Nov 18 00:58:16 EST 2007
I've been researching web app -> mainframe security from a software
engineering perspective for about the last six months. If anyone from
a mainframe background wants to collaborate, I'd be more than happy to
share as I have a few challenges:

a) I'm working from secondary resources (web pages, manuals, PDFs)

b) I don't have access to a z/OS or similar system and thus cannot
mock up a test environment to prove or disprove my hypotheses on how
best to prevent certain classes of attack

c) I really don't have a lot of experience with z/OS, COBOL, DB2, IMS,
or CICS. Therefore, I could be missing some great resources and
features.

Saying that, I have made a bit of headway by applying first principles
and trying to discover what is available to assist and protect against
certain threats and attacks. I've just posted a draft entry to my blog
detailing the first (and I mean first) post I've had brewing since May
this year. It's nowhere near as good as I would have liked.

I don't do exploits. You will not be seeing any "how to hax0rs b1g
ir0n" from me. I don't see the relevance of arming script kiddies.
Only the architects and developers need to know how to develop and
maintain safer designs and code, and folks like me need to know what
to look for to make sure it's in place.

That said, from my personal research, this area is a total greenfield.
The folks who know mainframe security simply don't come out of their
shells often enough. They have the goods, but the goods are not really
well known amongst the architects and devs I've dealt with. Most of
the business folks who ask for their shiny new dodgy code to talk to
old dodgy transactions don't see this risk and refuse to pay to have
qualified folks review and remediate the security of the mainframe
side. They see it as this reliable old workhorse - which is not broke,
so don't fix it. And in my personal experience, they NEVER fix it.

On another note, I'm really happy to see Fortify tackle the mainframe
with their SCA products. It's really late and delayed, but better late
than never. I know a bunch of sites that could use that tool if it
works even 1% as well as the marketing is likely to make out.
thanks,
Andrew van der Stock
Executive Director, OWASP
Project Lead & Author, OWASP Guide
On Nov 2, 2007, at 1:45 PM, Peter G. Neumann wrote:
> Searching through
> http://www.csl.sri.com/neumann/illustrative.html
> gives these COBOL-related RISKS items. The initial
> character descriptors are defined there. In the citations,
>
> * R relates to RISKS (archives at risks.org)
> * S relates to SIGSOFT Software Engineering Notes (archives at
> www.sigsoft.org/SEN/ although more recent items also in RISKS)
>
> Vf West Drayton ATC system bug found in 2-yr-old COBOL code (S 16 3, R 11 30)
>
> $fe IRS COBOL reprogramming delays; interest paid on over 1,150,000
> refunds (S 10 3:12)
>
> S[H?] Election frauds, lawsuits, spaghetti code, same memory locations
> used for multiple races simultaneously, undocumented GOTOs, COBOL
> ALTER verb allowing self-modifying code, calls to undocumented/unknown
> subroutines, bypassable audit trails (S 11 3);
> Report from the Computerized Voting Symposium, August 1986 (S 11 5)
>
> Sie
> Data transfer Excel-COBOL loses voter data in 2003 Greenville
> Mississippi election (R 22 95)
>
> $hi Man gets $218 trillion phone bill (R 24 24); COBOL program?
> (R 24 27,29,30,33)
>
> f Discussion of date and century roll-over problems:
> Fujitsu SRS-1050 ISDN display phones fail on two-digit month (10);
> 1401 one-character year field; COBOL improvements; IBM 360 (S 20 2:13)
> [See Fred Ballard and Walt Murray (R 16 70 ff).]
> [Lots of stuff is relevant on COBOL's two-character year field
> and the entire Y2K saga.]
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
Andrew van der Stock
Executive Director, OWASP
Lead Author, OWASP Guide