User-supplied addresses for protected control blocks

A potential integrity exposure exists whenever the control program (running in a system key or in privileged mode) accepts the address of a protected system control block from the user. For most system control blocks, this situation should not be permitted to exist at all. In certain cases, however, it is necessary to allow the user to provide the address of a system control block that describes its allocation of, or access to, a particular resource (for example, a data set), in order to identify that resource from a group of similar resources (for example, a user might have many data sets allocated). Inadequate validity checking in this situation can create an integrity exposure, because an unauthorized problem program could provide its own (counterfeit) control block in place of the system block and thereby gain the ability to:
  • Access a resource in an uncontrolled manner (because the control block in this case would normally define the restrictions, such as read-only for a data set, on the user's allocation to the resource).
  • Gain control in an authorized state (because such control blocks might contain the addresses of routines that run in supervisor state with PSW key 0-7).
  • Cause various other problems, depending on exactly what data is in the control block involved.
To avoid this type of exposure, the control program must verify, for every such address accepted from a problem program, that the address is that of:
  1. A protected control block created by the control program.
  2. The correct type of control block (for example, a TCB versus a DEB, or a QSAM DEB versus an ISAM DEB).
  3. A control block created for use in connection with the user (job step) that supplied the address.
In the system, verification is generally accomplished by establishing a chain or table of the particular type of control block to be validated. This chain or table is located via a protected, jobstep-related control block that is known to be valid. Addresses that the user is not allowed to supply are located via a chain of protected control blocks that begins with a control block known to be valid or fixed at a known location at IPL time, such as the CVT. Therefore:
  • A control block can be entered in the chain/table only by an authorized program, satisfying point 1.
  • By definition, the chain/table holds only one type of control block, satisfying point 2.
  • By definition, each chain/table is located only through a jobstep-related control block, satisfying point 3.
Note: This does not imply that a system routine must go back to the CVT or a similar control block every time it wants to establish a valid chain. Typically, the address of a control block not too far down such a chain is already available, and already validated, in a register.
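The following C model is added here as an illustration of the chain-walk described above; it is not part of the original document and is not MVS control program code. The structures (struct tcb, struct deb, their fields, and the validate_deb routine) are simplified assumptions rather than the real control block layouts. What it shows is the order of operations that makes the check sound: the user-supplied address is compared against a chain anchored in a trusted, jobstep-related block, and the candidate block's own fields (such as its type tag) are read only after it is known to be on that chain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not MVS code: type tags carried in each control block. */
enum cb_type { CB_TCB = 1, CB_DEB_QSAM = 2, CB_DEB_ISAM = 3 };

/* Simplified Data Extent Block. In the real system these live in protected
 * (key 0-7) storage and only the control program creates them. */
struct deb {
    uint8_t type;              /* CB_DEB_QSAM or CB_DEB_ISAM */
    uint8_t read_only;         /* restriction on this allocation */
    struct deb *next;          /* next DEB on the owning job step's chain */
    void (*appendage)(void);   /* routine the system would call in an authorized state */
};

/* Simplified Task Control Block: the jobstep-related block the control
 * program already trusts, and the anchor of that job step's DEB chain. */
struct tcb {
    uint8_t type;              /* CB_TCB */
    struct deb *deb_chain;
};

enum validate_result { VALID = 0, NOT_ON_CHAIN = 1, WRONG_TYPE = 2 };

/* Validate a user-supplied DEB address for the job step owning current_tcb.
 * Only protected storage is walked: start at the trusted TCB and follow the
 * chain. Membership on the chain establishes points 1 and 3; the type tag is
 * read only after membership is proven (point 2), because a counterfeit block
 * in user storage can carry any type byte the attacker chooses. */
enum validate_result validate_deb(const struct tcb *current_tcb,
                                  const void *user_addr,
                                  uint8_t expected_type)
{
    for (const struct deb *d = current_tcb->deb_chain; d != NULL; d = d->next) {
        if ((const void *)d == user_addr)
            return d->type == expected_type ? VALID : WRONG_TYPE;
    }
    return NOT_ON_CHAIN;   /* counterfeit, or another job step's block */
}

struct demo_result {
    enum validate_result genuine, counterfeit, other_job, wrong_type;
};

static void never_called(void) { }

/* Constructed scenario: two job steps, each with its own DEB chain, and a
 * problem program that forges a DEB with the read-only restriction cleared. */
struct demo_result run_demo(void)
{
    static struct deb qsam_a = { CB_DEB_QSAM, 1, NULL, never_called };
    static struct deb isam_a = { CB_DEB_ISAM, 1, NULL, never_called };
    static struct deb qsam_b = { CB_DEB_QSAM, 1, NULL, never_called };
    static struct tcb tcb_a = { CB_TCB, NULL };
    static struct tcb tcb_b = { CB_TCB, NULL };

    /* Link the chains as the control program would when the data sets are opened. */
    tcb_a.deb_chain = &qsam_a;  qsam_a.next = &isam_a;  isam_a.next = NULL;
    tcb_b.deb_chain = &qsam_b;  qsam_b.next = NULL;

    /* Counterfeit in "user storage": correct type byte, restriction cleared.
     * It looks like a DEB but was never created by the control program. */
    struct deb forged = { CB_DEB_QSAM, 0, NULL, never_called };

    struct demo_result r;
    r.genuine     = validate_deb(&tcb_a, &qsam_a, CB_DEB_QSAM);  /* VALID */
    r.counterfeit = validate_deb(&tcb_a, &forged, CB_DEB_QSAM);  /* NOT_ON_CHAIN */
    r.other_job   = validate_deb(&tcb_a, &qsam_b, CB_DEB_QSAM);  /* NOT_ON_CHAIN */
    r.wrong_type  = validate_deb(&tcb_a, &isam_a, CB_DEB_QSAM);  /* WRONG_TYPE */
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("genuine=%d counterfeit=%d other_job=%d wrong_type=%d\n",
           r.genuine, r.counterfeit, r.other_job, r.wrong_type);
    return 0;
}
```

The forged block carries the correct type byte and is still rejected, which is the practical point: a routine that merely loaded the type field from the user-supplied address and compared it would be fooled, and would also have to trust that the address is even readable. Comparing the address against the chain first means the only storage ever dereferenced belongs to blocks the control program itself created.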