WhiteWinterWolf Practical IT security, *nix systems & networking

Mainframes are often designated as “legacy platforms”. This triggers the mental image of those old 80’s era enormous bulky computers which can be found in any good computers museum and vintage videos, and leaves a mixed feeling about the place of such machines in todays computing world.

However, nothing could be such wrong:

1. A lot of the technologies which made today’s computing what it is actually owe to the mainframe world.

   Things like non-executable memory, process isolation, virtualization and symmetric multiprocessing to name just a few are all technologies that were first developed for mainframes environments, and only then ported onto other architectures.

2. Today’s mainframes hardware has nothing in common with antique computers, they evolved as the rest of the computer world did.

   They are bulky but not as much as one may imagine, the size of a large fridge to give a rough idea. They remains made of thick steel though with the main unit weighting a around a ton, hence their pet name of “big iron”. Despite of this, some student managed to install one in his basement, and the Australian custom’s cargo processing and intelligence center in Sydney International Airport managed to get two simply stolen from their top-security room.

   On the inside, the latest generation (introduced in July, 2017) can host up to 170 central processors, each with 10 cores and backed by numerous other purpose specific processors, the whole thing lying on up to 32 TB RAM and fiber channels for data communication.

This is not exactly what I would call a “legacy system”. What is usually legacy in fact is not the system itself, but the application running on it.

One of the key point of the mainframe system is indeed backward-compatibility. Mainframes are used in the most sensitive environments where any bug will most likely have huge consequences. In such environments, as long as things work, people are always wary of touching anything. The usual motto is:

If it ain’t broke, don’t fix it.¹

So don’t think of rewriting or migrating to a different software: things worked this way by the past, so the best way to make work in the future is to keep them as-is.

Mainframe architecture and its main operating system z/OS (a mainframe is designed to run several operating systems in parallel, even Linux including KVM support) ensure that the applications that worked for the last 20 years will continue to work the same on newer systems.

Despite the system characteristics mentioned above, mainframe systems must however not be confused with super-computer (which usually run Linux as their main operating system by-the-way):

• As expected super-computers excel in fast processing. They can handle highly complex computational tasks, such as weather forecasting, very quickly and very efficiently.

• On the other side mainframes computers would be inefficient for such task. Where they particularly shine however is parallel processing. They can handle thousands of simultaneous transactions with very high exigences in terms of throughput, reliability, integrity and accountability. This is for instance a mainframe which will at the end update your bank account when you fetch some money at a cash dispenser.

What On Earth is a Mainframe? (David Stephens)

What On earth is a Mainframe is a low-technical introduction to the mainframe world. It is subtitled “An introduction to IBM zSeries Mainframes and z/OS Operating System for Total Beginners”, which accurately describes the content of this book.

David Stephens worked in various positions at managing and operating mainframes and condensed in a short (200 pages) and easy-to-read book all you need to know to become more familiar with what may first appear as an obscure world:

• A bit of history but mostly to focus on the principles that made the mainframes what they are now and explain how they acquired and kept their position at the core of the most critical infrastructures.

• A good description of the hardware, the storage, terminals, networking.

• The operating system and the main software you will usually encounter in mainframe environments (including from non-IBM providers).

• The people gravitating around the mainframe system and their respective roles and duties.

• The procedures designed to reduce unavailability time, such as change management and disaster recovery, as they are applied in such sensitive environments.

This book manages to be both high-level enough to remain readable and interesting to low-technical people, while still remaining accurate, factual and informative to be also interesting to technical people not used to the mainframe world or only to a part of it and who would-like to grasp a larger picture of it.

Buy on Amazon

Mainframe Basics for Security Professionals (Pomerantz, Vander Weele, Nelson & Hahn)

This book is designed for people who come from a Unix background and would-like to know more about mainframe security from a practical perspective.

This book too is short, around 200 pages, and relies heavily on practice. In fact, the reader is expected to read it while having access to a z/OS image where he can test and play with the book’s commands.

• This book assumes no previous knowledge on mainframes, so it start very slowly with how to connect to a mainframe and display a first “Hello world” on the TSO prompt.

• Then it builds over that, step-by-step and covering users management, data protection (including z/OS UNIX and Security Labels, the latter should remind something to people already familiar with SELinux ;) ) and logging.

• Once these technical basis are set mainframes auditing and limited-authority administrators are covered.

• At last the books closes with a more theoretical overview of enterprise-wide security.

It is designed as a practical entry into the mainframe world, and accomplishes this task very well. A number of subjects are only over-viewed to keep the book short and to-the-point, but this is always clearly told and numerous references to the official documentation is provided to deepen any particular subject.

Buy on Amazon

Pentesting mainframes (Philip Young and Dominic White talks)

Philip Young is an advocacy of practical testing of mainframe security. He gave numerous talks, stating the same fact:

There is a huge disconnect between security and the mainframe world, even-though the mainframe is sort of build as this amazing security platform.

I recommend you in particular the following presentations:

• Smashing the Mainframe for Fun and Prison Time, speaking of mainframes in front of hackers.
• How to Embrace Hacker Culture For z/OS, speaking of hackers in front of mainframes administrators and operators.

He describes the researches he started back in 2012, and the trouble he got as it was during the same period that a major hack targeting mainframes notably used by the Swedish government happened². He then describes the vulnerabilities that were revealed by these attacks plus some others from his own research.

The Swedish government had to force IBM to publish CVEs for the vulnerabilities revealed by the above-mentioned attack. In fact, mainframe vulnerabilities are normally kept secret by IBM. This is also a subject of worry to Philip who find it “unbelievable that vulnerabilities are kept secret”:

People are more concerned about their system’s availability than they are in having them tested. In the Windows and Linux world where I come from you just assume it gets tested all the time. If you put a machine on the Internet, it’s just getting hit non-stop. It’s just background noise on the Internet.
[…]
The more people you have looking at something, the more secure it’s going to be. The more people who are actively to break into a system (in their spare-time, at home, they aren’t breaking into their bank), the more secure it’s going to be for you and for the world.

Personally what worries me even more is that for most of their life mainframes could indeed be assumed as secure because:

• The knowledge how to operate them was uncommon.
• They ran unusual services.
• They were not connected to common networks (old-generation mainframes had no IP support, you used SNA/LU instead, don’t expect to use nmap or netcat over this!).
• Enough profit could be obtained by exploiting far easier targets than having to deal with the big iron thing.

However time went on:

• Anyone can learn and study mainframes at home now: enough software and documentation is available.
• Mainframes now run Unix with standard services, they run Java, parse XML files.
• They are widely connected to IP networks, some are even directly facing the Internet.
• Due to years of extensive testing, the rest of the infrastructure became more and more protected by equipping itself with IDS, IPS, SIEM, network segmentation, next-generation firewalls, hardened hosts and services, and so on. The lack of practical testing of the mainframe system can now easily turn it from the central, secure and safe position it had to become part of the weakest components of the security chain, where the expected profit vs. exploit complexity ratio could designate it as the most interesting target. The talks linked here show how security issues that were solved dozens of years ago on classical architectures (what is the last time you saw a Unix server still using DES to protect system passwords?) are still current on mainframes.

In case you are still not depressed enough, note that Philip mainly focuses his research on the mainframe system itself. Dominic White on his side focuses on mainframe applications just to find that the picture was the same with blatant security holes including security relying on the client through the use of hidden fields just like if a web server would store your access level in clear in a cookie and rely on it to determine your privileges, that applied to systems critical to governments, financial institutions, etc.