Sun Modifies Its Packaging of Trusted Solaris
by Timothy Prickett Morgan
Sun Microsystems launched its Solaris 10 operating system in what was perhaps one of the longest product debuts in history. Sun talked up new features of Solaris 10 throughout the summer and fall of 2004 and into the early weeks of 2005, when it was finally released. And throughout that time, Sun inadvertently gave the impression that its high-security variant of Solaris, called Trusted Solaris, was being merged into Solaris 10. This is not exactly true.
To be precise, what Sun kept saying as it talked about Solaris 10 was that from 80 to 85 percent of the beefed-up security features that transformed regular Solaris into Trusted Solaris were now part of the Solaris 10 platform. That left many people with two false impressions, which Sun wants to clarify, says Chris Ratcliffe, director of marketing for Sun's operating platforms group. The first misconception is that there is 15 to 20 percent less security in the new Solaris platform compared to the ruggedized version of the old one, and the second misconception is that Sun will stop shipping a Trusted Solaris variant of Solaris 10.
Solaris 8 was launched back in January 2000, just as the dot-com bubble was starting to leak air and IT security was something we were thinking about because of hackers and viruses. In November 2000, the company delivered a beefed-up version of Solaris that was called the Trusted Solaris 8 Operating Environment, which had security features above and beyond those needed by corporations (at that time they believed this, anyway) and which were an absolute requirement for some government and financial services institutions. Trusted Solaris 8 was literally a separate fork from the regular Solaris 8, and was hardened as a separate implementation of Solaris. Trusted Solaris 8 offered mandatory access control for end users, role-based access control for system administrators, and fine-grained rights profiles that allow administrators to give end users specific access to operating system and application features without inadvertently giving them access to any other features. Trusted Solaris 8 also included sophisticated software that could allocate and de-allocate real devices (peripherals) and virtual devices (drivers that simulate devices) attached to the system, and perhaps more significantly, included features that would disable the copying or printing of information retrieved from application databases and posted on their screens. The important thing about Trusted Solaris 8, aside from all of this security, is that it was binary compatible with the real Solaris 8.
Trusted Solaris 8 got a kicker in May 2002 that boosted its certified security levels (as measured by the Common Criteria and Common Operating Environment specs) and provided support for UltraSparc-III processors, but the job of keeping Trusted Solaris in lockstep with real Solaris was problematic. In fact, when Solaris 9 was launched at that same time in May 2002, there was no Trusted Solaris 9, and because of the difficulties of creating the Trusted Solaris edition, there still is not a Trusted Solaris 9. And, according to Ratcliffe, it will not be until later this year that Trusted Solaris 8 gets an update so it can be run on the dual-core UltraSparc-IV processors. This is a pretty big lag, of course, and one that neither Sun nor its increasingly security-conscious customers can tolerate. That is why Sun is taking a different tack with Trusted Solaris starting with Solaris 10.
While having a ruggedized version of Solaris was great for Sun and its customers, it required a substantially different kernel from regular Solaris to get all of those security features. Sun was careful not to break application compatibility with those tweaks to the kernel, but this is a time-consuming and costly exercise. That is one of the reasons why we never saw a Trusted Solaris 9 variant. That is also why Sun has moved a lot of these security features from Trusted Solaris 8 into the commercial variant of Solaris 10. And now, to get that other 15 to 20 percent of security that is missing from Solaris 10, customers will not have to buy a completely different version of Solaris 10, but rather they will have to bolt what will be called the Trusted Solaris Extensions onto Solaris 10. By taking this approach, Sun can significantly reduce the time lag and feature lag between regular and super-secure variants of Solaris 10.
Ratcliffe says Sun will deliver Solaris 10 plus the Trusted Solaris Extension add-ons sometime in mid-to-late 2005. He says Sun is still debating whether the extensions will be given away for free or will be a priced product. Ratcliffe says that of the 4 million or so licenses that Sun has shipped of Solaris 8, 9, and 10 (including the Solaris 10 betas), about 10 to 15 percent of them were for Trusted Solaris 8. Two years ago, he explains, the vast majority (like 99.96 percent) of the Trusted Solaris installations were for government projects. "But now, security is such a big deal for everyone," he says, and companies like BancOne, which is building a secure payment system based on Trusted Solaris, are interested in getting the top security for their systems, too.
In addition to talking up the plans for the Trusted Solaris Extensions, Ratcliffe also pointed out there is a feature called Solaris Secure Execution that is new with Solaris 10. The reason Sun hasn't talked about this feature before, he says, is that the company was not sure if the feature was going to make it into the production version of Solaris 10 before it launched in January. With the Secure Execution feature, system administrators have a means of preventing the execution of unauthorized or potentially compromised programs on a Solaris machine. This is being accomplished by having digital signatures attached to applications, and having Solaris look for digital signatures either from Sun (which provides Solaris and a lot of middleware), from third parties, or from home-grown code. If code doesn't have an authorized signature, it can be stopped from running.
Ratcliffe says about 90 percent of the binaries in Solaris 10 have a digital signature from Sun, and the company hopes to get that up to 100 percent by the time the Trusted Solaris Extensions ship (though the two are not necessarily related). In the fourth quarter of this year, Sun will release the Secure Execution Policy Manager with the second update to Solaris 10, which will automate the testing of binaries for their signatures and will provide admins with finer-grained control over users and groups.