PS-Shell

PATHWAY Server Security

Controls all OPEN events directed toward PATHWAY servers and automatically rejects unexpected ones.

Overview

Most applications on Tandem systems use PATHWAY as their run-time environment. Besides providing NonStop applications with scalability, availability, automatic load balancing and server monitoring, PATHWAY offers a very basic security system to prevent PATHMON from being re-configured, PATHWAY programs from being executed, and PATHWAY servers from being called by unauthorized PATHSEND events.

These basic features give the impression of a good level of security. But one important aspect is missing: PATHWAY servers are, in operating-system terms, processes, and a process can be opened by anybody, independent of the user ID.

When a process can be opened, it can be used to exchange information with requestors outside the PATHWAY environment. All that is needed is some knowledge of the expected message structure. Anybody knowing a PATHWAY server process and its message structure can abuse the server to:

  • retrieve and abuse unauthorized data, compromising confidentiality
  • manipulate data, compromising data integrity
  • “overheat” the server through a large number of opens and messages, compromising availability

Even without knowledge of the message structure, invalid messages can bring the whole application down, or enable a Denial-of-Service attack against the server process.

The requirements

GreenHouse became aware of this vulnerability during a security review and developed a solution that spares customers the time and budget of modifying thousands of servers. The product requirements were: no SAFEGUARD ACLs on processes; no changes to PATHWAY servers; easy plug-and-play installation; three run-time modes; easy configuration of exceptions; no restart after a configuration change; an action log; and real-time reporting. The three run-time modes are:

  • ALL — collects and logs all system-wide OPEN events to processes and sub-processes
  • TEST — collects and logs all PATHWAY server relevant OPEN events
  • PRODUCTION — collects and logs all PATHWAY server relevant OPEN events, and rejects the unexpected ones

PATHWAY Security Shell (PS-Shell) meets all of these requirements. In PRODUCTION mode it prevents all unexpected OPEN events by returning error 48 (security violation) to the OPEN request, and it reports them to a log file.
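
The three run-time modes modelled as a decision function, as an added example that is not GreenHouse's code and does not reflect PS-Shell's real configuration format. The (opener, target) allow-list, every process name except $sman, the user IDs and the log wording are assumptions made for illustration.

```python
from dataclasses import dataclass

ERR_OK, ERR_SECURITY = 0, 48   # 48 = security violation, as stated on the page
MODES = ("ALL", "TEST", "PRODUCTION")

@dataclass(frozen=True)
class OpenEvent:
    opener: str   # requesting process (constructed sample value)
    user: str     # user ID of the opener (constructed sample value)
    target: str   # process being opened

def evaluate(mode, ev, servers, expected):
    """Return (error_code, log_line or None) for one OPEN event.
    servers: PATHWAY server process names; expected: (opener, target)
    pairs configured as legitimate (assumed format)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    line = f"OPEN {ev.opener} ({ev.user}) -> {ev.target}"
    if ev.target not in servers:
        # Only ALL mode records OPENs that do not touch a PATHWAY server.
        return ERR_OK, (line + " non-PATHWAY" if mode == "ALL" else None)
    if (ev.opener, ev.target) in expected:
        return ERR_OK, line + " expected"
    if mode == "PRODUCTION":
        # Model assumption: the configured pairs decide, not the user ID.
        return ERR_SECURITY, line + " unexpected, rejected with error 48"
    return ERR_OK, line + " unexpected, allowed"

def replay(mode, events, servers, expected):
    """Run every event through evaluate() and return the list of results."""
    return [evaluate(mode, ev, servers, expected) for ev in events]

def unexpected_openers(events, servers, expected):
    """Pairs a TEST-mode log would flag; review these before PRODUCTION."""
    return sorted({(e.opener, e.target) for e in events
                   if e.target in servers and (e.opener, e.target) not in expected})

# Constructed sample data; only $sman appears on the page.
SERVERS = {"$sman"}
EXPECTED = {("$pmon", "$sman")}
EVENTS = [
    OpenEvent("$pmon", "APP.OWNER", "$sman"),   # configured requester
    OpenEvent("$z123", "GUEST.USER", "$sman"),  # ad-hoc opener, e.g. TESTOPEN
    OpenEvent("$z123", "GUEST.USER", "$spls"),  # not a PATHWAY server
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, replay(mode, EVENTS, SERVERS, EXPECTED))
```

Replaying the same events in TEST mode first shows which openers would be rejected, so exceptions can be configured before the switch to PRODUCTION.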

Demonstrating the risk: TESTOPEN

To demonstrate how easy it is to open a process, GreenHouse developed a tool named TESTOPEN. It does nothing but issue an OPEN against a given process. An unprotected server accepts the open; a protected one rejects it with error 48:

$GHS1 PSSHELL 86> testopen $sman
Process $sman successful opened.        <- server is in danger

$GHS1 PSSHELL 88> testopen $ich
OPEN error 40 on process $ich          <- no IO possible, secure

$GHS1 PSSHELL 89> testopen $sman       (with PS-Shell installed)
OPEN error 48 on process $sman         <- protected, open rejected

A free one-month test version can be made available. For a commercial proposal please contact info@greenhouse.de.