The NSA Works with Sun to Boost Solaris Security
Published: March 27, 2008
by Timothy Prickett Morgan
Any time the U.S. National Security Agency is involved, you can bet the situation is pretty serious. With government computer systems the world over being primary targets for hackers, crackers, malware, and other forms of attack because of the value and sensitivity of the information that governments store, the NSA and similar security agencies are in an arms race with hackers--who might just be coming from other governments, if you are a cynic.
The Solaris Unix platform from Sun Microsystems is well-regarded in governments because of the sophisticated security that has been embedded in its Unix platform, particularly with the mandatory access controls and other features that were part of Trusted Solaris 8 and the Trusted Extensions for Solaris 10. But there is always more work to do in operating system security.
The NSA and Sun recently said that they would be working together through the OpenSolaris development community to integrate a new form of mandatory access control, called Flux Advanced Security Kernel, or Flask for short, into the Solaris platform. The NSA has been working with Red Hat and other commercial Linux distributors to put the features from the initial Flask projects from the early 1990s (which were turned into a project called OSkit at the University of Utah) into something called Security Enhanced Linux, or SE-Linux. Red Hat has been a champion of SE-Linux, ironically, while Novell has championed a different kind of security control embodied in its AppArmor security extensions for SUSE Linux. The Flask architecture is also used in the TrustedBSD variant of FreeBSD Unix, which is also sponsored by the NSA, the Defense Advanced Research Projects Agency, Apple Computer (Mac OS X is a variant of BSD), Yahoo (a big user of BSD Unix), and others. Flask security has also been woven into the open source Xen hypervisor, the PostgreSQL database, and X server code.
The key advantage of Flask--and one that must have been missing from Trusted Solaris 8 and Trusted Extensions for Solaris 10--is a modular approach to kernel security. Flask allows different security servers (sometimes called policy engines) to be plugged into the operating system without necessitating a modification of all the rest of the operating system. The kernel's security is managed by the security server, and higher-level operating system code and the applications above it are thankfully abstracted from this, which means the security server can be changed when new functions or approaches become available without impacting the operating system or applications.
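The separation described above can be sketched in a few lines of C. This is an added illustration, not code from Flask, Solaris, or SE-Linux; the label names, permission bits, and function names (te_server, mls_server, fs_check, load_security_server) are all constructed for the example. The enforcement point never interprets labels itself, so swapping the policy engine changes the decisions without touching the caller.

```c
#include <stdio.h>
#include <string.h>

/* Permission bits an object manager can request (constructed for this sketch). */
enum { PERM_READ = 1, PERM_WRITE = 2 };

/* A security server maps (subject label, object label) to allowed permissions. */
typedef unsigned (*security_server_t)(const char *subj, const char *obj);
static security_server_t active_server; /* NULL until a policy engine is loaded */

/* Policy engine A: a small type-enforcement rule table, default deny. */
static unsigned te_server(const char *subj, const char *obj) {
    if (!strcmp(subj, "httpd_t") && !strcmp(obj, "web_content_t")) return PERM_READ;
    if (!strcmp(subj, "admin_t")) return PERM_READ | PERM_WRITE;
    return 0;
}

/* Policy engine B: multilevel labels "0".."9"; read down, write up. */
static unsigned mls_server(const char *subj, const char *obj) {
    int s = subj[0] - '0', o = obj[0] - '0';
    unsigned allowed = 0;
    if (s >= o) allowed |= PERM_READ;   /* subject dominates object */
    if (s <= o) allowed |= PERM_WRITE;  /* object dominates subject */
    return allowed;
}

/* Plug in a different policy engine; callers of fs_check() are unchanged. */
void load_security_server(security_server_t s) { active_server = s; }

/* Enforcement point inside an object manager (a file system, say).
   It asks the security server and fails closed if none is loaded. */
int fs_check(const char *subj, const char *obj, unsigned requested) {
    if (!active_server) return 0;
    return (active_server(subj, obj) & requested) == requested;
}

int main(void) {
    load_security_server(te_server);
    printf("TE  httpd_t read  web_content_t: %d\n",
           fs_check("httpd_t", "web_content_t", PERM_READ));
    printf("TE  httpd_t write web_content_t: %d\n",
           fs_check("httpd_t", "web_content_t", PERM_WRITE));
    load_security_server(mls_server);   /* same caller, new policy */
    printf("MLS level 2 read  level 5: %d\n", fs_check("2", "5", PERM_READ));
    printf("MLS level 2 write level 5: %d\n", fs_check("2", "5", PERM_WRITE));
    return 0;
}
```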
Sun now has to figure out how Flask, Trusted Extensions, and Xen can all weave together. You can also bet that Flask features will be added to MySQL and other Sun middleware, which will allow Sun to pitch secure systems to the governments of the world.