Sun Solaris to adopt NSA security model
- By Joab Jackson
- Mar 17, 2008
The National Security Agency and Sun Microsystems have begun work on a patch that will outfit Sun's Solaris operating system with the National Security Agency's mandatory access control (MAC) mechanism, the two organizations announced last week.
Both parties will work on the implementation, called Flexible Mandatory Access Control (FMAC), with the OpenSolaris developer community. OpenSolaris is an open-source implementation of Solaris, in which changes are contributed by outside developers.
The new project will use NSA's Flux Advanced Security Kernel (FLASK) architecture to implement the MAC controls.
"NSA is pleased that the work of its research organization in the area of secure computing is being used as a foundation for secure solutions by industry," said Dick Schaeffer, chief of NSA's Information Assurance Directorate, in a statement. "We are committed to promoting transfer of those technologies to the private sector to improve the assurance of commercial products that are becoming more critical to the future of the U.S. government infrastructure."
FLASK can be used as the basis for building a high-security, or trusted, operating system. In addition, FLASK forms the basis for Security Enhanced Linux (SELinux), a MAC implementation for Linux. Work is also being done to develop MAC patches for the TrustedBSD and the Apple Macintosh OSes.
At present, Solaris uses another approach to offer a highly managed secure environment, called Trusted Extensions. The two operate on different principles, said Bill Vass, president at Sun's federal subsidiary.
"With Trusted Extensions, you can create a container that is labeled as classified or unclassified, and any application you run within that container is protected and runs within that classification level," Vass said. "With Flask, you create a global zone, and then you apply a policy to" each particular application.
Other contributors to the MAC community applauded the effort.
"This is very exciting in terms of establishing compatible security across operating systems, particularly for [MAC], which has traditionally been narrowly focused and generally incompatible. With FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC security," wrote James Morris, who is the lead SELinux kernel developer for Red Hat, on his blog. "I'll be interested to see how they approach the integration, with the opportunity to learn lessons from the SELinux experience."
FMAC is already available on the OpenSolaris site, though more work needs to be done in integrating it into the Solaris kernel. "It will come bundled with Solaris," and the organization can choose whether or not to deploy it, Vass said. Sun has not established a date for when FMAC would be included natively within Solaris.
Joab Jackson is the senior technology editor for Government Computer News.