Introduction

System integrity is the inability of any program not authorized by a mechanism under the installation's control to circumvent or disable store or fetch protection, access a resource protected by a Security Server/Manager, or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized.

Program Call (PC) and Supervisor Call (SVC) routines, as well as AC(1), setuid, and setgid programs, provide a variety of critical services to z/OS®. Some, for example, are created and maintained by IBM® or IBM business partners as part of core z/OS subsystems and middleware products. Others are created by vendor applications for z/OS. Some are implemented by system programmers to provide specialized in-house functionality for a client's enterprise.

PCs and SVCs have the architectural capability, depending on how they are defined, to allow an unauthorized program to invoke them, yet execute in an authorized state. The implementation of these PC and SVC routines must, therefore, handle this critical boundary carefully to ensure the system integrity of z/OS. Untrusted parameters, for example, need to be safely copied with architected instructions such as MVCSK and MVCDK so that an unauthorized program cannot fetch or update storage where it could not otherwise do so. For more information, see the z/Architecture® Principles of Operation.
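Why key-aware moves matter at this boundary, as an added Python model that is not IBM code and not part of the original page: a routine running in key 0 passes every key check, so a plain move acts on whatever address the caller supplies, while a move checked against the caller's key fails where the caller itself would fail. `Block`, `pc_service` and the sample data are hypothetical, and the protection rule is simplified (no storage-protection or fetch-protection override, no length limits).

```python
# Toy model of key-controlled storage protection (added example, not IBM code).
from dataclasses import dataclass

class ProtectionException(Exception):
    """Stands in for a protection exception."""

@dataclass
class Block:                      # hypothetical stand-in for a storage area
    key: int                      # storage key, 0-15
    fetch_protected: bool
    data: bytearray

def _fetch(access_key, blk, n):
    if access_key != 0 and access_key != blk.key and blk.fetch_protected:
        raise ProtectionException("fetch")
    return bytes(blk.data[:n])

def _store(access_key, blk, payload):
    if access_key != 0 and access_key != blk.key:
        raise ProtectionException("store")
    blk.data[:len(payload)] = payload

def mvc(psw_key, dst, src, n):
    """Plain move: both operands are checked against the PSW key."""
    _store(psw_key, dst, _fetch(psw_key, src, n))

def mvcsk(psw_key, source_key, dst, src, n):
    """Move with source key: the fetch is checked against source_key."""
    _store(psw_key, dst, _fetch(source_key, src, n))

def mvcdk(psw_key, dest_key, dst, src, n):
    """Move with destination key: the store is checked against dest_key."""
    _store(dest_key, dst, _fetch(psw_key, src, n))

def pc_service(caller_key, parm, out, n, checked):
    """Hypothetical key-0 routine: copy the caller's parameter in, echo it back."""
    work = Block(0, True, bytearray(n))
    if checked:
        mvcsk(0, caller_key, work, parm, n)   # could the caller read parm?
        mvcdk(0, caller_key, out, work, n)    # could the caller write out?
    else:
        mvc(0, work, parm, n)                 # key 0 passes every check
        mvc(0, out, work, n)
    return bytes(out.data[:n])

def demo():
    system = Block(0, True, bytearray(b"SYSTEM-DATA"))   # constructed sample
    leaked = pc_service(8, system, Block(8, False, bytearray(11)), 11, False)
    try:
        pc_service(8, system, Block(8, False, bytearray(11)), 11, True)
        blocked = False
    except ProtectionException:
        blocked = True
    return leaked, blocked
```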

AC(1) programs linked with SETCODE AC(1) in an APF authorized library allow any user to invoke them as a job step in a batch job, yet execute in an authorized state. Similarly, z/OS UNIX binaries with the APF extended attribute and linked with SETCODE AC(1) allow any user with z/OS UNIX permissions to execute them, yet they run in an authorized state. z/OS UNIX binaries with the setuid or setgid attributes can also be executed by any user with z/OS UNIX permissions to execute them, yet execute using a different UID or GID, which could be a UID or GID with elevated privileges.

If a PC or SVC routine, AC(1) program, or program with the setuid or setgid flags set, is implemented incorrectly, a security vulnerability may be introduced that compromises the system integrity of z/OS. The IBM z/OS Authorized Code Scanner (zACS) provides the ability to test these routines on a given z/OS V2R4 or above instance to address this.