User SVCs - What You Don't Know CAN Hurt You

The most obvious route to a successful penetration test would be to find an unprotected APF library, and we have found many over the years (see APFCHECK).  But we have never used such an opening in any of the successful tests we have been part of. We've never had to. In almost every MVS shop we have ever worked in, we were able to identify an SVC that lacked integrity and could be abused to bypass RACF (and any other control).

The integrity statement for MVS provided by IBM covers the many Supervisor Calls that are part of the operating system. In short, it says "we (IBM) don't know any way this code could be improperly invoked to bypass security, and if you show us a way we're committed to fixing it." But virtually all customers add additional SVCs which may not come with such assurances. "Installation" or "User" SVCs may be part of a purchased product or may be locally written. Once installed, they have the same status as IBM SVCs - they get control in Supervisor State and Key 0, and they must be coded such that they do appropriate validity checking and cannot be invoked improperly.
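To make the "appropriate validity checking" concrete, here is a skeleton of a type 3 installation SVC written in HLASM. It is an added illustration for this page, not code from IBM or from any product; the CSECT name SVCUSR and the return codes are hypothetical, no SVC number is assigned, and the TESTAUTH and MODESET operands are used as the author of this example remembers them and should be checked against the installation's macro library before assembly. The two checks it shows (who issued the SVC, and in which key caller storage is touched) are the ones whose absence lets a problem-state program turn an SVC into a RACF bypass.

```hlasm
*---------------------------------------------------------------------*
* SVCUSR - skeleton of a type 3 installation SVC (hypothetical name)  *
* Entry conventions for SVC routines:                                 *
*   R3=CVT  R4=TCB  R5=SVRB  R6=our entry point  R7=ASCB              *
*   R0/R1/R15 = parameters from the issuer, R14 = return address      *
* We run in supervisor state, key 0, so the checks below are the only *
* thing standing between an unauthorized issuer and that privilege.   *
*---------------------------------------------------------------------*
SVCUSR   CSECT
SVCUSR   AMODE 31
SVCUSR   RMODE ANY
         USING SVCUSR,R6           R6 holds our entry point: base reg
         LR    R2,R1               R1 = issuer's parameter list addr
*
* 1. Who issued the SVC?  RBLEVEL=1 makes TESTAUTH look at the RB     *
*    that issued the SVC rather than at our own SVRB.  RC 0 means the *
*    issuer is APF-authorized (FCTN=1), in supervisor state           *
*    (STATE=YES) or in a system key (KEY=YES); anything else is a     *
*    problem-state, user-key caller and is refused.                   *
         TESTAUTH FCTN=1,STATE=YES,KEY=YES,RBLEVEL=1
         LTR   R15,R15
         BNZ   NOTAUTH
*
* 2. Never trust an address the issuer hands us.  Drop to the         *
*    issuer's key before touching it, so a pointer into protected     *
*    storage takes a protection exception against the issuer instead  *
*    of being honored with our key 0.                                 *
         MODESET KEY=NZERO         PSW key = issuer's TCB key
         L     R8,0(,R2)           first word of the parameter list
         MODESET KEY=ZERO          back to key 0 for the real work
*
* ... the privileged function the SVC exists for goes here ...        *
*
         SR    R15,R15             RC 0: success (this example's code)
         BR    R14
NOTAUTH  LA    R15,8               RC 8: issuer not authorized (ours)
         BR    R14
*
R0       EQU   0
R1       EQU   1
R2       EQU   2
R6       EQU   6
R8       EQU   8
R14      EQU   14
R15      EQU   15
         END   SVCUSR
```

An SVC that is meant to serve unauthorized programs cannot use the first check as written, and that is exactly where the trouble on this page comes from: such an SVC must then validate every request and every parameter in the issuer's key, and must never hand back anything (a key, the JSCBAUTH bit, a storage address in protected memory) that the issuer could not have obtained on its own. Reviewing a vendor or home-grown SVC comes down to confirming that one of these two disciplines is actually followed on every path through the routine.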

It turns out this is easier said than done, and although the vendors have improved greatly in this area over time, we can still usually find a problem. Sometimes it's an SVC that's old and no longer needed. Sometimes it's a new problem in a "fixed" version. We've found bad SVCs front-ending IBM SVCs, in "reserved" slots (numbers 0-199), in the traditional "user range" (200-255), and in the ESR (Extended SVC Router) slots.

Most installations are surprised to learn they have another security/integrity concern that has virtually no connection to RACF.  And it's not always easy to fix a problem in this area, since it's usually the vendor that needs to make a change. Nevertheless, this is an area that should be addressed even before tightening RACF controls, because you cannot rely on anything you're doing at the RACF level if there is a bad SVC lurking somewhere in MVS.

Here's an article we wrote years ago for "Technical Support" that provides more detail.