Validating parameters

Interfaces to the IBM® i operating system are system state programs in the user domain. When parameters are passed between user state and system state programs, those parameters must be checked to prevent any unexpected values from jeopardizing the integrity of the operating system.

When you run your system at security level 40 or 50, the system specifically checks every parameter that is passed between a user state program and a system state program in the user domain. This is required for your system to separate the system and user domain, and to meet the requirements of a Common Criteria level of security. You might notice some performance effect because of this additional checking.

Parameter validation is checking done by every IBM i API. APIs are defined as user domain, system state, which makes them directly callable by user applications. Parameter validation is the checking done by the IBM i API program to test the parameters that the user application passes to the system state IBM i program. Each parameter is tested to ensure that both the parameter itself (typically a pointer to the actual parameter string) and the value it addresses are in storage that is read/write to the user application. If the parameter and value are in storage that the user application has access to, the call proceeds. If the parameter or value is in storage that the user application cannot access, parameter validation signals an error message and does not continue.

This checking is on for security levels 40 and 50 only; it is not on for security level 30, and no auditing of it is done at security level 30.

The checking is necessary to prevent a user application from tricking a system program into writing over storage that the user application would not have access to. Without it, this could be done by passing a “return value” parameter that addresses protected storage, so that the system program writes over a control block when it sets the return value (the system program has access because it runs with higher privilege than the user program). Without parameter validation, the system control blocks would be at risk of being compromised, and the system would not function correctly if a control block contained “bad” data.
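The case described above, as an added C model that is not IBM i code: a system-state routine that fills in a return value through a caller-supplied pointer, with the storage check that security levels 40 and 50 apply and level 30 omits. The single address range standing in for the caller's storage, the control block variable and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not IBM i code: the storage a user-state caller may
 * read and write, described as one address range. */
typedef struct { uintptr_t base; size_t len; } user_region_t;

/* True only if the whole object [p, p+len) lies inside the caller's storage. */
static bool in_user_storage(const user_region_t *r, const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    return a >= r->base && len <= r->len && a - r->base <= r->len - len;
}

/* Model of a system-state program that sets a "return value" through a
 * caller-supplied pointer. With validate set (security level 40/50) it
 * refuses pointers outside the caller's storage and returns -1 (error
 * signalled, nothing written). Without it (level 30) it writes wherever told. */
static int sys_program(const user_region_t *caller, int32_t *return_value,
                       bool validate)
{
    if (validate && !in_user_storage(caller, return_value, sizeof *return_value))
        return -1;
    *return_value = 42;   /* the system program runs with higher privilege */
    return 0;
}

/* Simulates two calls from user state: one whose return-value pointer is in
 * the caller's own buffer, one whose pointer is aimed at a protected control
 * block. Returns true if the control block survives intact. */
bool control_block_survives(bool validate)
{
    int32_t user_buffer = 0;      /* storage the caller owns */
    int32_t control_block = 7;    /* protected system storage (model) */
    user_region_t caller = { (uintptr_t)&user_buffer, sizeof user_buffer };

    /* legitimate call: the pointer lies in the caller's own storage */
    if (sys_program(&caller, &user_buffer, validate) != 0 || user_buffer != 42)
        return false;
    /* misdirected call: the pointer addresses the control block */
    sys_program(&caller, &control_block, validate);
    return control_block == 7;
}
```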