Mainframe [z/OS] Reverse Engineering and Exploit Development

Conference:  BlackHat USA 2018



The presentation discusses the mainframe architecture, CPU instructions, binaries, vulnerabilities, and tools to exploit them. It emphasizes the importance of understanding the mainframe's unique features and backwards compatibility.
  • Physically, a mainframe is a rack of CPUs, memory, and storage; the differences that matter to an attacker are in the architecture, not the hardware form factor.
  • The CPU (z/Architecture) is a different architecture from x86 and ARM. It runs in either problem state (unprivileged; most instructions allowed) or supervisor state (privileged instructions allowed).
  • Programs run in one of three addressing modes (AMODE 24, 31, or 64), so 24-bit, 31-bit, and 64-bit binaries all execute on the same CPU.
  • Storage protection keys (0-15) are attached to each 4 KiB frame of storage and compared with the key in the running program's PSW; they determine which storage a program can read or write. Key 0 bypasses the check.
  • The mainframe is backwards compatible to a fault: code written in the 1970s still runs on current models.
  • The goal of an exploit is supervisor state with key 0, which permits every instruction and read/write access to all of storage.
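To make the key rule concrete, here is a small C model of z/Architecture key-controlled protection, added as an illustration and not code from the talk. Each 4 KiB frame carries a 4-bit storage key and a fetch-protection bit; the running program carries its own key in the PSW. A store is permitted only when the PSW key is 0 or equals the frame's key; a fetch is additionally permitted when the frame is not fetch protected. The address-space layout in the block is constructed for the demo (key 8 is used as the usual TSO/batch problem-program key; the other frame assignments are hypothetical), and the names `key_permits`, `access_ok` and `count_frames` are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of z/Architecture key-controlled protection. This is a constructed
 * simulation of the rule, not the talk's code and not real system storage. */

#define FRAME_SIZE 4096u
#define NFRAMES    8u

typedef struct {
    uint8_t key;        /* access-control bits, 0..15 */
    bool    fetch_prot; /* fetch-protection bit: when clear, any key may fetch */
} frame_key_t;

typedef enum { ACC_FETCH = 0, ACC_STORE = 1 } access_t;

/* Constructed layout (hypothetical, for the demo only):
 *   frames 0-2: key 0, fetch protected     (system storage nobody else reads)
 *   frame  3:   key 0, not fetch protected (control blocks anyone may read)
 *   frames 4-5: key 1, fetch protected     (a system component's private area)
 *   frames 6-7: key 8, not fetch protected (problem-program user region) */
static const frame_key_t g_frames[NFRAMES] = {
    {0, true}, {0, true}, {0, true}, {0, false},
    {1, true}, {1, true},
    {8, false}, {8, false},
};

/* Core rule: key 0 or a matching key permits everything; a mismatched key may
 * still fetch from a frame that is not fetch protected, but may never store. */
bool key_permits(uint8_t psw_key, frame_key_t frame, access_t acc)
{
    if (psw_key == 0)         return true;
    if (psw_key == frame.key) return true;
    if (acc == ACC_FETCH && !frame.fetch_prot) return true;
    return false; /* the hardware would raise a protection exception here */
}

/* Check one address against the constructed layout. */
bool access_ok(uint8_t psw_key, uint32_t addr, access_t acc)
{
    uint32_t frame = addr / FRAME_SIZE;
    if (frame >= NFRAMES) return false; /* outside the modelled address space */
    return key_permits(psw_key, g_frames[frame], acc);
}

/* How many of the modelled frames a program running in psw_key can touch. */
unsigned count_frames(uint8_t psw_key, access_t acc)
{
    unsigned n = 0;
    for (unsigned f = 0; f < NFRAMES; f++)
        if (key_permits(psw_key, g_frames[f], acc)) n++;
    return n;
}

int main(void)
{
    printf("key 8 (problem program): %u readable, %u writable of %u frames\n",
           count_frames(8, ACC_FETCH), count_frames(8, ACC_STORE), NFRAMES);
    printf("key 1 (system component): %u readable, %u writable of %u frames\n",
           count_frames(1, ACC_FETCH), count_frames(1, ACC_STORE), NFRAMES);
    printf("key 0 (exploit target):  %u readable, %u writable of %u frames\n",
           count_frames(0, ACC_FETCH), count_frames(0, ACC_STORE), NFRAMES);
    return 0;
}
```

The output matches the last bullet: a problem-state program in key 8 can store only into key-8 frames and can read key-0 storage only where it is not fetch protected, while key 0 passes every check. That is why an APF-authorized program switching to key 0 and supervisor state (via the MODESET service) is the usual finish line. The model covers the key check only; low-address protection and DAT-level page protection are separate mechanisms and are ignored here.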
The speaker notes that many people associate mainframes with COBOL, but it is only one of many programming languages that run on z/OS. They also mention that learning COBOL can lead to job security and high pay. The speaker also highlights the siloed nature of mainframe shops, with separate experts in networking, security, and storage working together to optimize performance.


Speak with any Fortune 500 running a mainframe and they'll tell you two things: (1) without their mainframes they'd be out of business, and (2) they do not conduct any security research on them, let alone vulnerability scans. The most infuriating part is that mainframes are simply computers; they're different from what you're used to, but that doesn't mean they can't be hacked. Previous talks on this topic have covered the platform from a high level, imploring you to do the basics. This talk continues that series of talks, given by others, on mainframe hacking. Previously covered topics included network penetration testing and privilege escalation. To complement those talks, this talk will expose attendees to the various tools that exist on the platform to help you do your own reverse engineering, followed by detailed steps on how to start your own exploit development. Attendees will learn what debuggers are available on the platform, such as dbx and ASMIDF, as well as the challenges you'll have using them. After learning how to reverse engineer, attendees will then learn how to develop their own exploits and buffer overflows on the platform using C, assembler and JCL. A demo program will be used to teach all of these items so people can follow along. Topics included in this discussion are APF authorization, bypassing RACF/ACEE, TSO, and Unix System Services.
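The abstract promises buffer overflows written in C and found with a debugger; the block below is an added example, not the talk's demo program, showing that workflow in portable C that builds with any C compiler, including c89/xlc under z/OS UNIX System Services. It pairs the vulnerable unchecked copy with its hardened form and adds a pattern_create-style cyclic probe for mapping an overwritten register value (read from an S0C4 abend or Language Environment traceback on z/OS, or a core dump elsewhere) back to an offset in the input. `REC_LEN`, `handle_record_*`, `hardened_accepts` and `pattern_*` are my names; the record layout is invented for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define REC_LEN 16  /* fixed record buffer, as in a typical demo program */

/* Vulnerable form: the record is copied with no length check, so any input of
 * REC_LEN bytes or more runs past rec[] into the rest of the stack frame (a
 * Language Environment DSA on z/OS). This is the bug the exercise is about;
 * only call it with short input. */
int handle_record_vulnerable(const char *input)
{
    char rec[REC_LEN];
    strcpy(rec, input);                 /* intentional: no bound */
    return (int)strlen(rec);
}

/* Hardened form: check the length and refuse oversized input rather than
 * silently truncating it, which would hide the malformed record. */
bool handle_record_hardened(const char *input, char *out, size_t outlen)
{
    size_t len = strlen(input);
    if (len >= outlen) return false;    /* no room for the terminator */
    memcpy(out, input, len + 1);
    return true;
}

/* Convenience for the demo: would the hardened handler accept this input? */
bool hardened_accepts(const char *input)
{
    char rec[REC_LEN];
    return handle_record_hardened(input, rec, sizeof rec);
}

/* Cyclic probe in the style of pattern_create: chunks "Aa0", "Aa1", ... so
 * every 4-byte window is unique. The three character ranges are disjoint in
 * both ASCII and EBCDIC; on EBCDIC A..Z is not contiguous, so a few chunks
 * contain non-letter bytes, but the windows remain unique. */
size_t pattern_fill(char *buf, size_t n)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char d = '0'; d <= '9' && i < n; d++) {
                char chunk[3] = { u, l, d };
                for (int k = 0; k < 3 && i < n; k++) buf[i++] = chunk[k];
            }
    return i;
}

/* Offset of a 4-byte value seen in a register after the crash, or -1. */
long pattern_offset(const char needle[4])
{
    char buf[20280];                    /* 26 * 26 * 10 chunks * 3 bytes */
    size_t n = pattern_fill(buf, sizeof buf);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, needle, 4) == 0) return (long)i;
    return -1;
}

int main(void)
{
    char probe[64];
    size_t n = pattern_fill(probe, sizeof probe - 1);
    probe[n] = '\0';

    printf("vulnerable handler, short record: length %d\n",
           handle_record_vulnerable("ACCT0001"));
    printf("hardened accepts 8-byte record: %d\n", hardened_accepts("ACCT0001"));
    printf("hardened rejects 63-byte probe: %d\n", !hardened_accepts(probe));
    /* Feed the probe to the vulnerable build instead, read the clobbered
     * register out of the dump, and map its value back to an input offset: */
    printf("offset of 'Aa5A' in the probe: %ld\n", pattern_offset("Aa5A"));
    return 0;
}
```

On z/OS the register contents in the dump are EBCDIC bytes, so convert them to the same code page the probe was compiled in before calling `pattern_offset`; the offset arithmetic is otherwise identical to the x86 workflow the abstract contrasts it with.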


