By Joab Jackson
The National Security Agency and Sun Microsystems have begun work on a
patch that will outfit Sun's Solaris operating system with the National
Security Agency's mandatory access control (MAC) mechanism, the two
organizations announced last week.
Both parties will work on the implementation, called Flexible Mandatory
Access Control (FMAC), with the OpenSolaris developer community. OpenSolaris is
an open-source implementation of Solaris, in which changes are
contributed by outside developers.
The new project will use NSA's Flux Advanced Security Kernel (FLASK)
architecture to implement the MAC controls.
"NSA is pleased that the work of its research organization in the area
of secure computing is being used as a foundation for secure solutions
by industry," said Dick Schaeffer, chief of NSA's Information Assurance
Directorate, in a statement. "We are committed to promoting transfer of
those technologies to the private sector to improve the assurance of
commercial products that are becoming more critical to the future of the
U.S. government infrastructure."
FLASK can be used as the basis for building a high-security, or trusted,
operating system. In addition, FLASK forms the basis for Security
Enhanced Linux (SELinux), a MAC implementation for Linux. Work is also
being done to develop MAC patches for the TrustedBSD and the Apple
Macintosh OSes.
At present Solaris uses another approach to offer a highly managed
secure environment, called Trusted Extensions. The two operate on
different principles, said Bill Vass, president at Sun's federal
"With Trusted Extensions, you can create a container that is labeled as
classified or unclassified, and any application you run within that
container is protected and runs within that classification level," Vass
said. "With Flask, you create a global zone, and then you apply a policy
to" each particular application.
Other contributors to the MAC community applauded the effort.
"This is very exciting in terms of establishing compatible security
across operating systems, particularly for [MAC], which has
traditionally been narrowly focused and generally incompatible. With
FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC
security," wrote James Morris, the lead SELinux kernel developer
for Red Hat, on his blog. "I'll be interested to see how they
approach the integration, with the opportunity to learn lessons from the
FMAC is already available on the OpenSolaris site, though more work
needs to be done in integrating it into the Solaris kernel. "It will
come bundled with Solaris," and the organization can choose whether or
not to deploy it, Vass said. Sun has not established a date for when
FMAC would be included natively within Solaris.