Because most hackers who want to insert malicious code into a web page don’t know mainframe object code but do know how to insert arbitrary Intel object code and Java bytecode and SQL to achieve their ends.
Maybe also because there are probably very few mainframe ALC programs that are directly interfacing with web pages or the internet in general.

State-sponsored bad actors are a different animal; they very well may know mainframe object code (after all, US "intelligence" organizations certainly do), but again how many ALC programs are directly connected to the net? Probably much more COBOL these days, and even then through middleware like CICS.

One can, of course, write insecure network code in ALC as in any other language, but the preponderance of network-connected code isn't written in ALC, and the IBM mainframe object code architecture isn’t very widely known in the hacker community compared to the Intel or ARM architectures.

Peter

-----Original Message-----
From: IBM Mainframe Assembler List <[email protected]> On Behalf Of [email protected]
Sent: Tuesday, November 17, 2020 10:40 AM
To: [email protected]
Subject: Re: security with storage allocation under z.OS

How is this a security exposure for c but not ALC?

I’m not a c programmer. Nor do I program with Java.

I would like to understand this.

Regards,
Steve Thompson

--- [email protected] wrote:

From: Seymour J Metz <[email protected]>
To: [email protected]
Subject: Re: security with storage allocation under z.OS
Date: Tue, 17 Nov 2020 14:28:31 +0000

It's a security exposure in C that is alleviated by putting the stack and heap in nonexecutable storage.
