Sun Set to Bring NSA Tech to Solaris
Page 1 of 1
Back in 2004, the U.S. National Security Agency (NSA) helped the Linux community to build something called SELinux, which brings mandatory access control (MAC) policies to the Linux kernel.
Now four years later, Sun is getting the same technology from the NSA to use with its Solaris operating system. Sun's OpenSolaris community will work on integrating the NSA's Flux Advanced Security Kernel (Flask) architecture, which is a form of mandatory access control, for type enforcement. Flask is the basis of SELinux.
The Flask enhancements will be added to Sun's Trusted Extensions, which provide high-security labeling features to meet regulatory and compliance requirements.
The difference between the Type enforcement of Flask/SELinux and the Labeling of Trusted Extensions is an important distinction to how security policies can be enforced and managed. The NSA's technology is critical to US Government customers that require high degrees of security assurance policies and controls.
"The labeling in Trusted Extensions separates applications and it applies a multi level protection profile and it separates them within the same operating system," Bill Vass, president and COO of Sun Microsystems Federal told InternetNews.com.
"In the Flask model you have multiple applications running at different levels inside the same instance of the operating system. In the Trusted Extensions model you have lots of applications running inside each different instance of the operating system running on the same server," he said.
Vass explained that the advantages to the Flask model is very granular level control over what the application does. The drawback of the Flask model is that there is also a lot of work in managing that policy. On the other side, the advantage to labeling is you don't have any policy to mange, you just pop the application inside the label and it does whatever it needs to do.
The NSA's Flask controls have been made available to Sun under what Vass described as a Public Domain license. Sun in turn will re-license the technology inside of OpenSolaris under the open source CDDL license (Common Development and Distribution License).
Vass noted that initially a user will only be able to run either the Flask control or the labeling (traditional Trusted Extensions) control but not both at the same time. The plan going forward is to work within the OpenSolaris community with the continued assistance of the NSA to make a dual type/labeling control possible.
The new Flask based controls for OpenSolaris will not get their own branded name from Sun, like an SELinux, but instead will simply just become a different feature available as part of Sun's Trusted Extensions.
As to why Sun is just getting around to trying implementing the SELinux-type technology from the NSA now, Vass was brutally honest.
"Had I been in charge 3 or 4 years ago we would have done it then, "Vass admitted. "There were a lot of politics involved and wishy-washiness back then."
Vass noted that in the last few years Sun has made tremendous strides to being more open and accepting of outside contributions and efforts. It's that openness that makes the addition of the NSA's technology a bit more doable now for Sun than it might have been four years ago.
"Now that we're community driven in Solaris it's a lot more advantageous for us to do these kinds of things," Vass said. "I wish we would have done it back then and I can't really explain to you why we didn't, other than I think we had a lack of maturity in our open source model around Solaris."