Post by Simon Clubley
Given the various revelations about UEFI vulnerabilities and
outright backdoors, I wonder if VSI are doing anything to reduce
the possibility of VMS x86-64 systems being compromised via
a UEFI attack mechanism ?
Microsoft: Bringing you 1980s technology to a 21st century world
This is the world VMS will be walking into
Going from security by obscurity to running with the rest of the crowd
This is precisely why I said VMS had better get its ducks in a row because a slip-up on the road to making a come-back in the security arena will spell the end of VMS quick-smart, IMO
When one looks at the exploits that are around and are being pursued, you see that they are targeting lower and lower mechanisms down the stack
In a recent article I read, there is even talk that there have possibly been exploits put into CPU design!
A few years back researches found a weakness in certain encryption hardware. I think what they found was if you constantly polled a particular port, the randomness of the port starts to fail as the hardware starts to loose it's random abilities and you effectively carve out a reinforced pathway in the hardware. You never actually compromise the hardware because that would be detectable but you leave it in a state where you skew the results so that statistically you can predict and therefore exploit the outcome in your favour to gain entry. Seriously fascinating stuff. It's become a matter of compromise but don't fully expose your exploits now, meaning that exploits often exist for months to years
How much does VMS rely upon the underlining hardware to be secure?
I wonder what can be done on a cluster basis to have VMS check itself as a mechanism for bolstering security. Safety in numbers? Could become a selling point for VMS clusters perhaps if one can develop a security model that increases with the node numbers
This issue is similar in nature to the mental patient problem. How does a mental patient verify their own sanity when they cannot trust their own cognitive abilities. You need an external source and/or internal routines that cannot be compromised or exploited
An external VMS security audit server perhaps?
VSI could develop a system that performs random audits at random locations involving random aspects of the VMS OS, all for a fee of course. do I smell a blockchain somewhere ;-)
How to harden VMS?