Saturday, May 15, 2021

Sun Set to Bring NSA Tech to Solaris

Back in 2004, the U.S. National
Security Agency (NSA) helped the Linux community to build something called
, which brings mandatory access control (MAC) policies to the
Linux kernel.

Now four years later, Sun is getting the same technology from
the NSA to use with its Solaris operating system. Sun’s OpenSolaris community will work on integrating the NSA’s Flux
Advanced Security Kernel (Flask) architecture, which is a form of mandatory
access control, for type enforcement. Flask is the basis of SELinux.

The Flask enhancements will be added to Sun’s Trusted
, which provide high-security labeling features to meet
regulatory and compliance requirements.

The difference between the type
enforcement of Flask/SELinux and the labeling of Trusted Extensions is an
important distinction in how security policies can be enforced and managed.
The NSA’s technology is critical to US Government customers that require
high degrees of security assurance policies and controls.

“The labeling in Trusted Extensions separates applications and it applies a
multi level protection profile and it separates them within the same
operating system,” Bill Vass, president and COO of Sun Microsystems Federal told

“In the Flask model you have multiple
applications running at different levels inside the same instance of the
operating system. In the Trusted Extensions model you have lots of
applications running inside each different instance of the operating system
running on the same server,” he said.

Vass explained that the advantage of the Flask model is very granular
control over what the application does. The drawback of the Flask model is
that there is also a lot of work in managing that policy. On the other side,
the advantage of labeling is that you don’t have any policy to manage; you just pop
the application inside the label and it does whatever it needs to do.

The NSA’s Flask controls have been made available to Sun under what Vass
described as a Public Domain license. Sun in turn will re-license the
technology inside of OpenSolaris under the open source CDDL license (Common
Development and Distribution License).

Vass noted that initially a user will only be able to run either the Flask
control or the labeling (traditional Trusted Extensions) control but not
both at the same time. The plan going forward is to work within the
OpenSolaris community with the continued assistance of the NSA to make a
dual type/labeling control possible.

The new Flask-based controls for OpenSolaris will not get their own branded
name from Sun, like SELinux, but will instead simply become a
different feature available as part of Sun’s Trusted Extensions.

This article was first published on To read the full article, click here.
