Brief Description: Type data is kept as part of the file label on a tape. This data is not integrity checked.
Detailed Description: The Burroughs B6700 used bounds registers to limit program access to memory. The programs themselves loaded the registers, so the designers had to ensure that only programs produced by trusted compilers could be run. They assigned a type to each file. Program files were of type "code-file." Only a trusted compiler could assign this type to a file. Thus, a user could write code to alter registers, but as the file would not be of the proper type, it could not be executed. However, users could write the file to tape, and the file type was stored as part of the file header on the tape. So, an attacker would create a file with instructions to alter the bounds registers to allow access to any desired portion of memory. This file would be written to tape. As tape manipulation programs could alter any pattern of bits on the tape, the attacker would use these programs to change the bit pattern in the file type field to correspond to the type "code-file". The attacker would then restore the file to disk, resulting in the creation of a file of type "code-file" that would allow access to the desired portion of memory.
Component(s): Burroughs B6700
Version(s): all versions
Operating System(s): Unknown
Effects: Any location in memory could be read or altered.
Detecting the Vulnerability:
* Check the version of the system you are using. If it is as described above, you have the vulnerability.
Fixing the Vulnerability:
* Do not allow files of type "code-file" to be loaded from tape.
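The flaw and the fix above, modelled as an added example (not part of the original record and not Burroughs code). The record layout, the `tag` label field, the function names and a key held only by the system are assumptions; `restore_verified` goes beyond the record's fix by integrity-checking the label instead of banning the type.

```python
import hashlib
import hmac
from dataclasses import dataclass

CODE_FILE = "code-file"  # type name taken from the record

@dataclass
class TapeFile:  # hypothetical model of one labelled file on tape
    name: str
    file_type: str  # lives in the tape label; any tape utility can rewrite it
    body: bytes
    tag: bytes = b""  # assumed extra label field holding an integrity tag

@dataclass
class DiskFile:
    name: str
    file_type: str
    body: bytes

def label_tag(key: bytes, f: TapeFile) -> bytes:
    """MAC over name, type and body; length prefixes keep the fields unambiguous."""
    parts = [f.name.encode(), f.file_type.encode(), f.body]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def write_to_tape(key: bytes, d: DiskFile) -> TapeFile:
    """System-side dump: the tag is computed while the type is still trustworthy."""
    t = TapeFile(d.name, d.file_type, d.body)
    t.tag = label_tag(key, t)
    return t

def restore_trusting(f: TapeFile) -> DiskFile:
    """Behaviour the record describes: the label's type is believed as written."""
    return DiskFile(f.name, f.file_type, f.body)

def restore_no_code(f: TapeFile) -> DiskFile:
    """The record's fix: a restore from tape never yields a code-file."""
    if f.file_type == CODE_FILE:
        raise PermissionError("code-file may not be loaded from tape")
    return DiskFile(f.name, f.file_type, f.body)

def restore_verified(key: bytes, f: TapeFile) -> DiskFile:
    """Alternative: keep code-files restorable, but reject any altered label."""
    if not hmac.compare_digest(f.tag, label_tag(key, f)):
        raise PermissionError("tape label failed integrity check")
    return DiskFile(f.name, f.file_type, f.body)
```

A label whose type field changed after `write_to_tape` restores as a code-file under `restore_trusting` and raises `PermissionError` under both other restore routines.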
Keywords: loader, bounds register, tape
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: None.
Related Vulnerabilities: None.
First Report We Know Of: A. L. Wilkinson et al., "A Penetration Analysis of a Burroughs Large System," Operating Systems Review 15(1), pp. 14-25, Jan. 1981
Revisions of Database Record
1. Matt Bishop (January 30, 1999): Entered into DOVES