Sun certifies Solaris for security label use
- By Joab Jackson
- Jul 29, 2008
A version of Solaris 10 with Trusted Extensions has been
certified through the Common Criteria program for handling labeled
security tasks, Sun Microsystems announced last week.
The certification allows this version of Solaris to be used in
multi-level security environments, according to Mark Thacker,
Sun’s group product manager for security and
Specifically, version 11/06 of Solaris 10 with Solaris Trusted
Extensions has achieved Common Criteria Certification for the
Labeled Security Protection Profile(LSPP) at Evaluation Assurance Level (EAL) 4+.
CGI Information Systems and Management Consultants of Ottawa,
Canada, conducted the certification process, which was approved
under Canada's Communications Security Establishment.
Trusted Extensions, Sun's plug-in for enabling mandatory access
control, labels each process and file with a security level that is
defined by the organization running the machine. Any action
requested by the user is then checked by the operating system
kernel to ensure that the label of the action or data matches the
security level of the user. "The kernel becomes an enforcement
point," Thacker said. Sun has established Trusted Extensions as a
replacement for Trusted Solaris, it's former offering for
multi-level security users.
The configuration also incorporated Lightweight Directory Access
Protocol-based directory server, the Gnome graphical user interface
and Sun's Containers-based operating system virtualization.
Prior to this certification, Solaris 10 11/06 received EAL 4+
Common Criteria certification for the Controlled Access Protection
Profile (CAPP) and Role Based Access Control Protection Profile
To certify Solaris at Level 4 LSPP, CGI reviewed the
documentation, the design process and the actual working code, all
in order to ensure the software enforces labels in a way that it
supposed to, Thacker said.
Overseen in the United States by National Information Assurance
Partnership (NIAP), Common Criteria is an ISO-recognized set of
security requirements established by government agencies and
private companies. To have their products certified, vendors must
provide a set of security attributes for each product, which an
independent laboratory verifies.
The Defense Department uses the Common Criteria as a baseline
for buying information technology products for secure networks.
NIAP is a partnership between the National Institute of Standards
and Technology and the National Security Agency.
Joab Jackson is the senior technology editor for Government Computer News.