Sun Solaris to adopt NSA security model

By Joab Jackson

The National Security Agency and Sun Microsystems have begun work on a 
patch that will outfit Sun's Solaris operating system with the National 
Security Agency's mandatory access control (MAC) mechanism, the two 
organizations announced last week.

Both parties will work on the implementation, called Flexible Mandatory 
Access Control (FMAC), with the OpenSolaris developer community. OpenSolaris is 
an open-source implementation of Solaris, in which changes are 
contributed by outside developers.

The new project will use NSA's Flux Advanced Security Kernel (FLASK) 
architecture to implement the MAC controls.

"NSA is pleased that the work of its research organization in the area 
of secure computing is being used as a foundation for secure solutions 
by industry," said Dick Schaeffer, chief of NSA's Information Assurance 
Directorate, in a statement. "We are committed to promoting transfer of 
those technologies to the private sector to improve the assurance of 
commercial products that are becoming more critical to the future of the 
U.S. government infrastructure."

FLASK can be used as the basis for building a high-security, or trusted, 
operating system. In addition, FLASK forms the basis for Security 
Enhanced Linux (SELinux), a MAC implementation for Linux. Work is also 
being done to develop MAC patches for the TrustedBSD and Apple 
Macintosh OSes.

At present Solaris uses another approach to offer a highly managed 
secure environment, called Trusted Extensions. The two operate on 
different principles, said Bill Vass, president at Sun's federal 

"With Trusted Extensions, you can create a container that is labeled as 
classified or unclassified, and any application you run within that 
container is protected and runs within that classification level," Vass 
said. "With Flask, you create a global zone, and then you apply a policy 
to" each particular application.

Other contributors to the MAC community applauded the effort.

"This is very exciting in terms of establishing compatible security 
across operating systems, particularly for [MAC], which has 
traditionally been narrowly focused and generally incompatible. With 
FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC 
security," James Morris, who is the lead SELinux kernel developer 
for Red Hat, commented on his blog. "I'll be interested to see how they 
approach the integration, with the opportunity to learn lessons from the 
SELinux experience."

FMAC is already available on the OpenSolaris site, though more work 
needs to be done in integrating it into the Solaris kernel. "It will 
come bundled with Solaris," and the organization can choose whether or 
not to deploy it, Vass said. Sun has not established a date for when 
FMAC would be included natively within Solaris.
