[ISN] Sun to pull plug on Trusted Solaris
InfoSec News
isn at c4i.org
Mon Oct 10 00:08:50 EDT 2005
http://www.gcn.com/vol1_no1/daily-updates/37225-1.html
By Joab Jackson
GCN Staff
10/06/05

Sun Microsystems Inc. plans to phase out its Trusted Solaris secure
operating system and replace it with security extension software that
can be used with its Open Solaris operating system, said Mark Thacker,
product line manager of Solaris security.

Open Solaris and the Solaris Trusted Extensions software will provide
the full functionality of Trusted Solaris, according to Thacker.

"This product will simply layer on top of Solaris 10. It will run on
top of any piece of hardware that Solaris 10 runs on," Thacker said.
Trusted Extensions should be available by mid-2006.

Long used by agencies with classified and sensitive data networks, the
current version of Trusted Solaris, version 8, has been certified to
Common Criteria Level 4+ Evaluation Assurance for three different
protection profiles.

Recently, Sun submitted its Solaris 10 operating system for Common
Criteria Evaluation for two of those profiles. The Solaris Trusted
Extensions will cover the third profile and will also undergo Common
Criteria evaluation starting later this year, Thacker said.

The reason behind the rearrangement is to consolidate the code base
for Solaris, according to Thacker. Trusted Solaris has a different
operating system kernel than the more widely used Solaris 10, though
the two are similar.

When Sun upgraded Solaris to version 10, it incorporated about 85
percent of the security features in Trusted Solaris. "We took some of
the concepts in Trusted Solaris, like process rights management, user
rights profiles, [and] process containments and built them into
Solaris," Thacker said.

The major missing component was a feature called labeled security,
which applies a tag identifying the appropriate security level to each
data file. Although this feature is not widely used, it is valued by
intelligence agencies, Thacker said. It has a set of labels that map
directly to sensitivity levels from agencies such as the National
Security Agency and the Central Intelligence Agency. The labels allow
the operating system to handle the data with appropriate controls.

"Because of that classification and their relationships with one
another, I can express how data can flow up and down the chain of
command," Thacker said. The feature allows computers to handle data
from networks with differing security levels. It eliminates the need
to keep multiple computers, each for a different security level, for
each user's desk.

Trusted Extensions will include this labeled security feature.
Government users who would have purchased Trusted Solaris will instead
purchase Solaris 10 and the Solaris Trusted Extensions software.

The National Information Assurance Partnership's Common Criteria
Evaluation and Validation Scheme is a collection of Protection
Profiles and Evaluation Assurance Levels. A Protection Profile is a
list of specifications of what a system should do in a given area.

Solaris 10 is currently being evaluated against the Controlled Access
Protection Profile and the Role Based Access Control Protection
Profile, at Evaluation Assurance Level 4+. CGI Information Systems and
Management Consultants Inc. of Ottawa will conduct the evaluations.

Last week, Red Hat Inc. of Raleigh, N.C., announced its Red Hat
Enterprise Linux was undergoing Evaluation Assurance Level 4
evaluation for IBM servers. That evaluation will include the Labeled
Security Protection Profile, the Controlled Access Protection Profile
and Role-Based Access Control Protection Profile.

The combination of Solaris 10 and the Trusted Extensions will be
available for all the platforms that Sun supports, including its own
SPARC line of processors and x86 line of AMD and Intel processors as
well, Thacker said.