On 9/17/15 10:43 AM, Hartman, Steven M. wrote:
> We are currently in the middle of a cyber security audit of our
> accelerator control system. The auditors have asked if there has ever
> been a formal security assessment of EPICS / Channel Access.
>
> Any comments?
Hi, Steven.
I don't know if there has ever been a security audit, but I can tell
you the result of an audit if there were one: EPICS/CA is completely
insecure.
This is not intended as a knock against EPICS; it was designed that
way. Anyone on the same network as an IOC can write to any PV on that
IOC. The EPICS access security subsystem is trivial to bypass. The
Application Developer's Guide says as much about access security: "No
attempt has been made to protect against the sophisticated saboteur.
Network and physical security methods must be used to limit access to
the subnet on which the iocs reside."[1]
As far as traditional security vulnerabilities--buffer overflows,
etc.--that could lead to remote code execution, I'm sure EPICS is
riddled with them. EPICS is designed only to be run on a trusted
network.
Regards,
Lewis
[1] Application Developer's Guide, c. 8, "Access Security," s. 8.3.2,
"Limitations"
- References:
- "security audit" of EPICS / Channel Access? Hartman, Steven M.
- Navigate by Date:
- Prev:
Re: *****SPAM*****makeBaseApp.pl Error J. Lewis Muir
- Next:
ai record doesn't do convert for floats? Pearson, Matthew R.
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
<2015>
2016
2017
2018
2019
2020
2021
2022
2023
2024
- Navigate by Thread:
- Prev:
Re: "security audit" of EPICS / Channel Access? Hermann-Josef Mathes
- Next:
makeBaseApp.pl Error ishita bhatia
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
<2015>
2016
2017
2018
2019
2020
2021
2022
2023
2024
|