2. What is Solaris Trusted Extensions?
• An extension of the Solaris 10 security foundation
providing access control policies based on the
sensitivity/label of objects
• A set of additional software packages added to a
standard Solaris 10 system.
• A set of label-aware services which implement
multilevel security
• A secure design to meet the Government set of
security standards
3. Secure S10 Foundation
Solaris 10 Security
Digital Certificates Everywhere
Secure Execution*
User Rights Management
Process Rights Management
Cryptographic Framework
IPFilter
Kerberos Single Sign On
Secure By Default
* Coming in future update
4. Network Protection
• IP Filter firewall
> Sun supported stateful firewall
> Allows selective access to ports based on IP addr.
> Compatible/manageable like open source IPF
• TCP Wrappers
> Limit access to TCP/UDP service by domain name
• Limiting Networking Services
> Reduced Networking MetaCluster – Ultra small Solaris
> Generic Limited Networking Service Profile
> Will be enhanced in Solaris 10 update to include better 'out-of-the-box' security, full function desktop and no exposed network services
5. Cryptographic Framework
● Extensible cryptographic interfaces.
> A common kernel and user-land framework for providing and using cryptographic functionality.
> A common interface for cryptographic functions whether completed in hardware or software.
> Extensible framework for vendors to provide custom functionality.
● By default, supports major algorithms.
> Encryption: AES, RC4, DES, 3DES, RSA
> Hashing: MD5, SHA-1
> MAC: DES MAC, MD5 HMAC, SHA-1 HMAC
> Optimized for SPARC, Intel and AMD
6. Remote Access and Auditing
• Solaris Secure Shell
> Standards-based encrypted remote access
• Kerberos Single Sign On
> Standards-based enterprise single sign on
> Optional encryption of NFSv3 and NFSv4 file shares
• IPSec/IKE
> Transparently encrypted communications
• Auditing of activities
> Audit records for all activities track users and roles
> Output in XML format for parsing and analyzing
> Centralized auditing and per-container audits
7. User Access and Rights
• User Rights Management
> Roles defined with specific commands and
authorizations they can perform
> Users associated with roles. All audit logs record specific
user and what role they were in at the time
> Roles and non-logins can be used for system services
• Password Management
> New password capabilities prevent easily guessed or reused passwords and provide account lockout
> Pluggable Authentication Modules for expansion
8. Zones Example
• Highly secure
• Invisible to each other
• Very efficient
• No performance penalty
• Separated file systems
• 8,000 per OS instance
• Resource mgmt globally and per container
9. File Integrity and Secure Execution
• BART – Basic Audit and Reporting Tool
> Checksums compared periodically against known good list of files that customer generates
> Can be used with Sun-supplied Fingerprint Database
• Solaris Secure Execution*
> Almost all applications are signed in Solaris 10
> Sys-admins can manually verify them today
> Future update will verify integrity at load time
> Customers can sign their own files, or 3rd party
> Can customize EXACTLY which apps can be run on whole system, preventing ANY unauthorized app from running
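The BART workflow on this slide (build a checksum manifest of a known-good tree, keep it, rebuild later and compare) can be shown with a small Python script. This is an added example, not BART itself and not BART's manifest format; the manifest shape, the in-memory sample files and the mode values are constructed for illustration.

```python
import hashlib
import os
import stat


def _sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk `root` and record (sha256, size, mode) for every regular file,
    keyed by path relative to root so the manifest can be stored off-host."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # this toy records regular files only
            manifest[os.path.relpath(full, root)] = (
                _sha256_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return manifest


def manifest_from_contents(files, mode=0o644):
    """Same manifest shape built from an in-memory {path: bytes} dict, so the
    comparison can be demonstrated offline (constructed data, constructed mode)."""
    return {p: (hashlib.sha256(data).hexdigest(), len(data), mode)
            for p, data in files.items()}


def compare_manifests(baseline, current):
    """Report files added, removed, or changed since the baseline; for a
    changed file, list which attributes differ (checksum, size, mode)."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": {}}
    for path in sorted(baseline.keys() & current.keys()):
        diffs = [attr for attr, b, c in zip(("checksum", "size", "mode"),
                                            baseline[path], current[path])
                 if b != c]
        if diffs:
            report["changed"][path] = diffs
    return report


def is_clean(report):
    """True when nothing was added, removed, or changed."""
    return not (report["added"] or report["removed"] or report["changed"])


if __name__ == "__main__":
    # Constructed sample: a baseline from a known-good image, then a later
    # snapshot where one binary gained the setuid bit and a new file appeared.
    base = manifest_from_contents({"usr/bin/login": b"login-binary",
                                   "etc/passwd": b"root:x:0:0"})
    later = manifest_from_contents({"usr/bin/login": b"login-binary",
                                    "usr/bin/unexpected": b"x"})
    later["usr/bin/login"] = (later["usr/bin/login"][0],
                              later["usr/bin/login"][1], 0o4755)
    print(compare_manifests(base, later))
```

A mode-only change (the setuid bit above) is reported even though the checksum is unchanged, which is why the manifest records more than the hash.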
10. Encrypted File Systems
• Loopback-based
> One physical file on disk, contents encrypted
> Mounted as file system via loopback
> No application modification required
> Works with NFS & local file sharing
> Early update of Solaris 10
• ZFS Module for Encryption
> ZFS offers modular structure for enhancements
> Would encrypt a full ZFS file system on disk
> No application modification required
> All other aspects of management preserved
> Sometime after ZFS is released in Solaris update
11. Solaris 10 Privileges
Privilege           Grants
contract_event      Request reliable delivery of events
contract_observer   Observe contract events for other users
cpc_cpu             Access to per-CPU perf counters
dtrace_kernel       DTrace kernel tracing
dtrace_proc         DTrace process-level tracing
dtrace_user         DTrace user-level tracing
file_chown          Change file's owner/group IDs
file_chown_self     Give away (chown) files
file_dac_execute    Override file's execute perms
file_dac_read       Override file's read perms
file_dac_search     Override dir's search perms
file_dac_write      Override (non-root) file's write perms
file_link_any       Create hard links to diff uid files
file_owner          Non-owner can do misc owner ops
file_setid          Set uid/gid (non-root) to diff id
ipc_dac_read        Override read on IPC, Shared Mem perms
ipc_dac_write       Override write on IPC, Shared Mem perms
ipc_owner           Override set perms/owner on IPC
net_icmpaccess      Send/Receive ICMP packets
net_privaddr        Bind to privileged port (<1023+extras)
net_rawaccess       Raw access to IP
proc_audit          Generate audit records
proc_chroot         Change root
proc_lock_memory    Lock pages in physical memory
proc_owner          See/modify other process states
proc_priocntl       Increase priority/sched class
proc_session        Signal/trace other session process
proc_setid          Set process UID
proc_taskid         Assign new task ID
proc_zone           Signal/trace processes in other zones
sys_acct            Manage accounting system (acct)
sys_admin           System admin tasks (node/domain name)
sys_audit           Control audit system
sys_config          Manage swap
sys_devices         Override device restricts (exclusive)
sys_ipc_config      Increase IPC queue
sys_linkdir         Link/unlink directories
sys_mount           Filesystem admin (mount,quota)
sys_net_config      Config net interfaces, routes, stack
sys_nfs             Bind NFS ports and use syscalls
sys_res_config      Admin processor sets, res pools
sys_resource        Modify res limits (rlimit)
sys_suser_compat    3rd party modules use of suser
sys_time            Change system time
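The point of this table, and of Process Rights Management later in the deck, is that a program asks for exactly the privileges it needs and gives them back. The following Python model is an added example, not Solaris code: it keeps the four per-process sets (Effective, Permitted, Inheritable, Limit) with the invariant that E is a subset of P, lets a program bracket one privileged operation and then drop the privilege for good, and uses a simplified exec rule (the child receives I clipped by L as its E, P and I). The daemon scenario and the privilege names chosen for it are assumptions drawn from the table above.

```python
from dataclasses import dataclass, field


class PrivilegeError(PermissionError):
    """Raised when a program tries to enable a privilege outside its permitted set."""


@dataclass
class PrivSets:
    """The four per-process sets: Effective (E), Permitted (P),
    Inheritable (I) and Limit (L). Privilege names follow the table above."""
    permitted: set = field(default_factory=set)
    effective: set = field(default_factory=set)
    inheritable: set = field(default_factory=set)
    limit: set = field(default_factory=set)

    def __post_init__(self):
        # Invariant of the model: E is always a subset of P.
        self.effective = self.effective & self.permitted

    def can_enable(self, *privs):
        """Only privileges held in P can be switched on."""
        return set(privs) <= self.permitted

    def enable(self, *privs):
        """Turn privileges on in E for an operation that needs them."""
        if not self.can_enable(*privs):
            missing = set(privs) - self.permitted
            raise PrivilegeError("not permitted: " + ", ".join(sorted(missing)))
        self.effective |= set(privs)
        return self

    def disable(self, *privs):
        """Turn privileges off in E while keeping them in P for later use."""
        self.effective -= set(privs)
        return self

    def drop(self, *privs):
        """Remove privileges from P (and so from E): they cannot be regained."""
        self.permitted -= set(privs)
        self.effective -= set(privs)
        return self

    def has(self, *needed):
        """True if every named privilege is currently effective."""
        return set(needed) <= self.effective

    def exec_sets(self):
        """Simplified exec rule used by this model (assumption): the child's
        E, P and I all start as I clipped by L, and L carries over unchanged."""
        inh = self.inheritable & self.limit
        return PrivSets(permitted=set(inh), effective=set(inh),
                        inheritable=set(inh), limit=set(self.limit))


def serve_on_privileged_port(sets):
    """Assumed scenario: a daemon needs net_privaddr only to bind its listening
    socket. Bracket the bind, then drop the privilege so that a later
    compromise of the process cannot reuse it."""
    sets.enable("net_privaddr")
    bound = sets.has("net_privaddr")      # stands in for the real bind(2) call
    sets.drop("net_privaddr")
    return bound


if __name__ == "__main__":
    # Constructed starting sets: sys_time is requested in E but not in P, so
    # the invariant silently removes it.
    daemon = PrivSets(permitted={"net_privaddr", "proc_audit"},
                      effective={"net_privaddr", "proc_audit", "sys_time"},
                      inheritable={"proc_audit", "net_privaddr"},
                      limit={"proc_audit"})
    print(serve_on_privileged_port(daemon), daemon.can_enable("net_privaddr"))
    print(daemon.exec_sets())
```

The child produced by `exec_sets()` never sees `net_privaddr` even though it is inheritable, because the limit set does not contain it; that is the mechanism the later Trusted Extensions slides rely on when they say a zone's privilege limit set is configurable.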
12. Kerberos and Secure Shell
• Kerberos Enhancements
> MIT Kerberos 1.3.2 Refresh
> KDC Incremental Propagation
> Migration Tools
> Kerberized network clients (telnet, rcmds, etc.)
> Interoperability Fixes
• Secure Shell Enhancements
> OpenSSH 3.6p2 Refresh
> GSS-API Support
> Keyboard “Break” Sequence Support
> X11 Forwarding “on” by default
> ARCfour, AES CTR mode Encryption Support
> /etc/default/login Synchronization
> SSH2 Rekeying, Service Side Keepalives, etc...
13. Auditing
• Solaris Auditing
> Updated to support output to SYSLOG
Oct 29 01:52:56 lennox audit: [ID 225229 audit.notice] su ok session 3285174027 by root as root:root from lennox text success for user sys
> Updated to support translation to XML (praudit -x)
<record version="2" event="su" host="lennox" iso8601="2004-10-29 01:52:56.862 -04:00">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="234" sid="3285174027" tid="0 0 lennox"/>
<text>success for user sys</text>
<return errval="success" retval="0"/>
</record>
• What do I need to know?
> SYSLOG is not a guaranteed protocol
> Subset of audited events can be sent via SYSLOG
> Using SYSLOG events can be sent off-host.
> Beta XML Audit Parser available (unsupported)
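The two formats shown on this slide can be consumed by a collector in a few lines of Python, and the "SYSLOG is not guaranteed" caveat suggests what the collector should do with them: reconcile what arrived over syslog against the binary trail. This is an added example, not the beta XML audit parser mentioned above. The sample records are the ones on the slide (with the wrapped syslog line joined); the field names of the returned dicts and the reconciliation key (event name plus session id) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The two records shown on the slide.
SAMPLE_SYSLOG = ("Oct 29 01:52:56 lennox audit: [ID 225229 audit.notice] su ok session "
                 "3285174027 by root as root:root from lennox text success for user sys")
SAMPLE_XML = """<record version="2" event="su" host="lennox" iso8601="2004-10-29 01:52:56.862 -04:00">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="234" sid="3285174027" tid="0 0 lennox"/>
<text>success for user sys</text>
<return errval="success" retval="0"/>
</record>"""

# Shape of the syslog summary line as printed above; any status token other
# than "ok" is treated as a failure (assumption: only "ok" is seen on the slide).
SYSLOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) audit: \[ID \d+ audit\.\w+\] "
    r"(?P<event>\S+) (?P<status>\S+) session (?P<sid>\d+) by (?P<auid>\S+) "
    r"as (?P<uid>[^:]+):(?P<gid>\S+) from (?P<src>\S+)(?: text (?P<text>.*))?$")


def parse_syslog_line(line):
    """Turn the one-line syslog summary into a dict; None if it is not an audit line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"source": "syslog", "host": m["host"], "event": m["event"],
            "ok": m["status"] == "ok", "sid": m["sid"], "auid": m["auid"],
            "uid": m["uid"], "text": m["text"]}


def parse_praudit_record(xml_text):
    """Parse one <record> as printed by praudit -x (only the fields shown above)."""
    rec = ET.fromstring(xml_text)
    subj, ret, text = rec.find("subject"), rec.find("return"), rec.find("text")
    return {"source": "trail", "host": rec.get("host"), "event": rec.get("event"),
            "ok": ret is not None and ret.get("errval") == "success",
            "sid": subj.get("sid"), "auid": subj.get("audit-uid"),
            "uid": subj.get("uid"), "pid": subj.get("pid"),
            "text": text.text if text is not None else None}


def not_received_via_syslog(trail_records, syslog_records):
    """Syslog is best-effort and carries only a subset of events, so a collector
    reconciles against the binary trail: return the trail records for which no
    syslog copy (same event and session id) arrived."""
    seen = {(r["event"], r["sid"]) for r in syslog_records}
    return [r for r in trail_records if (r["event"], r["sid"]) not in seen]


if __name__ == "__main__":
    from_syslog = parse_syslog_line(SAMPLE_SYSLOG)
    from_trail = parse_praudit_record(SAMPLE_XML)
    print(from_syslog)
    print(from_trail)
    print("missing on syslog:", not_received_via_syslog([from_trail], [from_syslog]))
```

Because the XML record carries the audit-uid separately from the uid, the trail is the place to answer "which real user ran this as root", which the syslog line also shows but with no delivery guarantee.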
14. Access Management
• Account Access
> Users versus Roles
>Leverage 'roles' for service and shared accounts!
> Non-Login versus Locked Accounts
>New passwd(1) options to manage
> Account Lockout (Global or per-User)
>“Three strikes” requires administrator to unlock.
• File system Object Access
> Unix Permissions and ACLs
>Same as previous Solaris releases
> New mount option - “noexec”
>Useful for file systems containing only data.
15. User Rights Management
• Decompose superuser into less powerful roles based on job requirements.
• Assign rights to roles; and roles to users.
• Audit user actions.
• In Solaris 8, 9, 10
• In Trusted Solaris & Trusted Extensions
• Centralized mgmt.
[Figure: rights are assigned to roles (R), and roles to users (U)]
16. User/Password Management
• Password Complexity Checks
> Login Name, White Space
> Minimum Alpha, Non-Alpha, Upper, Lower,
(Consecutive) Repeats, Special, Digits, etc.
• Password History (0 – 26 passwords)
• Banned Password List (Dictionary)
• What do I need to understand?
> Complexity checks apply to everyone - but 'root'
> Password history is 'files' only.
> Password aging is 'files', NIS+ and LDAP only.
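The checks listed on this slide are easy to get subtly wrong (for example, counting a repeated character once per occurrence instead of as a run), so here is an added Python model of them. It is not Solaris's passwd or PAM code; the policy dict is keyed like /etc/default/passwd but its values are constructed sample settings, the login-name check is this model's interpretation, and the toy history hash stands in for the crypt hashes a real system keeps.

```python
import hashlib

# Constructed sample policy, keyed like /etc/default/passwd (values are for
# demonstration, not the slide's or Solaris's defaults).
POLICY = {"PASSLENGTH": 8, "NAMECHECK": True, "WHITESPACE": False,
          "MINALPHA": 2, "MINNONALPHA": 1, "MINUPPER": 1, "MINLOWER": 1,
          "MINDIGIT": 1, "MINSPECIAL": 0, "MAXREPEATS": 2, "HISTORY": 4}


def longest_run(s):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def complexity_violations(candidate, login, policy=POLICY):
    """Return the list of failed complexity checks (empty means acceptable)."""
    v = []
    if len(candidate) < policy["PASSLENGTH"]:
        v.append("too short")
    if policy["NAMECHECK"] and login.lower() in candidate.lower():
        v.append("contains login name")
    if not policy["WHITESPACE"] and any(c.isspace() for c in candidate):
        v.append("whitespace")
    counts = {
        "MINALPHA": sum(c.isalpha() for c in candidate),
        "MINNONALPHA": sum(not c.isalpha() for c in candidate),
        "MINUPPER": sum(c.isupper() for c in candidate),
        "MINLOWER": sum(c.islower() for c in candidate),
        "MINDIGIT": sum(c.isdigit() for c in candidate),
        "MINSPECIAL": sum(not c.isalnum() for c in candidate),
    }
    for key, n in counts.items():
        if n < policy[key]:
            v.append("below " + key)
    if longest_run(candidate) > policy["MAXREPEATS"]:
        v.append("too many consecutive repeats")
    return v


def password_hash(password, salt="constructed-salt"):
    """Toy history hash for the example; a real system compares crypt hashes."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def in_history(candidate, history, policy=POLICY):
    """HISTORY of 0 disables the check; otherwise the last HISTORY hashes count."""
    n = policy["HISTORY"]
    return n > 0 and password_hash(candidate) in history[-n:]


def in_dictionary(candidate, words):
    """Banned-list check on the password and on its alphabetic core,
    so 'password1' still matches a banned 'password'."""
    core = "".join(c for c in candidate if c.isalpha()).lower()
    return candidate.lower() in words or core in words


def acceptable(candidate, login, history=(), words=frozenset(),
               policy=POLICY, exempt=("root",)):
    """Full decision. `exempt` models the slide's note that complexity checks
    apply to everyone but root; history and dictionary checks still run."""
    if login not in exempt and complexity_violations(candidate, login, policy):
        return False
    return (not in_history(candidate, list(history), policy)
            and not in_dictionary(candidate, words))


if __name__ == "__main__":
    print(complexity_violations("Sunny-2024", "joe"))     # constructed sample
    print(complexity_violations("Aaaa1234", "joe"))
```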
17. Solaris Secure Execution
• Verifies integrity of the executable portion of almost all
applications, drivers, modules
• Customers can sign their own or 3rd party applications – no changes
needed
• Manual verification in Solaris 10 03/05
> $ elfsign verify -e /usr/bin/login
> elfsign: verification of /usr/bin/login passed.
• Automatic run-time verification in update
> User selectable rules for checking
> Prevents modified or unsigned code from running
> Customized systems can now be signed and secured
18. Solaris System Auditing
• Audits all system events
• Records actual userid and what role and application
issued which system calls, command line or data access
• Captures complete command line and environment
variables for later analysis
• Audit compliance is required by Common Criteria
Controlled Access Protection Profile
• Same audit system used in Solaris 8, 9, 10
> Solaris 9 & 10 offer XML output & selective filtering of
system read-only activities
> Solaris 10 offers syslog channel for audit logs
20. What TX is NOT
• It is NOT Trusted Solaris 8 ported to Solaris 10
> It will NOT run Trusted Solaris 8 applications
• It is NOT a new operating system nor a new kernel
> Works with all Solaris patches
> Patches for TX added pkgs through normal patch site
• It does not have additional “commercial” security features over and above standard Solaris
• It is NOT limited to SPARC processors
> Runs on SPARC, x86, x64
• It is NOT closed and proprietary
21. Multi-Level Labeled Security
Trusted Extensions
Adds labeled security to Solaris 10
Multi-level networking, printing
Multi-level GUI
Leverages User & Process RM
Uses Containers
Compatible with all Solaris apps
Target of CAPP, RBACPP, LSPP @
EAL 4+
22. Trusted Extensions in a Nutshell
• Every object has a label associated with it
> Files, windows, printers, devices, network packets,
network interfaces, processes, etc...
• Accessing or sharing data is controlled by the objects'
label relationship to each other
> Lower label objects do not see higher label objects
• Administrators utilize Roles for duty separation
> Security admin, user admin, backup, restore, etc...
• Programs/processes are granted privileges rather than
full superuser access
• Strong independent certification of security
23. Goals and Benefits
• Runs all Solaris applications
> It's still Solaris, with Containers
> It's still Solaris, just with extended security policy
> It's still Solaris, same kernel
> It's still Solaris, all Solaris patches work
• Runs all infrastructure software
> Backup, Web, middle-ware, dev tools, etc.
> Database, file systems, devices/drivers, etc.
• Preserve and transition
> CDE User interface, single and multi-level JDS/GNOME
> Solaris Management Console with LDAP naming service
24. What are Label-Aware Services?
• Services which are trusted to protect multilevel
information according to predefined policy
• Trusted Extensions Label-aware services include:
> Labeled Desktops
> Labeled Printing
> Labeled Networking
> Labeled Filesystems
> Label Configuration and Translation
> System Management Tools
> Device Allocation
25. Mandatory Access Control and
Security Labels
• Users cleared at multiple security levels can work on them simultaneously
• Compartmentalization of information is possible with Security labels and MAC thus facilitating server virtualization
[Figure: example label sets]
Non-hierarchical (Solaris 10 or Trusted Extensions): Internet, Music, Net Inc. Online, Daisy's Florists
Commercial Hierarchy (Trusted Extensions): Exec Mgmt > VP & above > Directors > All Employees
Government Hierarchy (Trusted Extensions): Top Secret > Secret > Confidential > Unclassified
27. Multilevel Architecture
[Figure: labeled zones Need-to-know, Internal Use and Public (each a local zone) above Multilevel Desktop Services (Global Zone), the Solaris Kernel and SPARC, x86 or x64 hardware, with a local or Sun Ray display]
• Layered architecture implements:
> mandatory access control
> hierarchical labels
> principle of least privilege
> trusted path
> role-based access
28. Trusted Extensions Implementation
• Each zone has a label
> Labels are implied by process zone IDs
> Processes are isolated by label (and zone ID)
> Files in a zone assume that zone's label
• Global zone is unique
> Parent of all other zones
> Exempt from all labeling policies
>No user processes—just TCB
>Trusted path attribute is applied implicitly
> Provides services to other zones
• Common naming service to all zones
29. Filesystem MAC policies
• Labels derived from a filesystem owner's label
• Mount policy is always enforced
> No reading-up
> Read-write mounts require label equality in labeled zones
> Reading-down
> Read-only mounts require dominance by client
> Can be restricted via zone's limit set and network label range
> Writing-up
> Cannot write-up to regular files
> Limited write-up to label-aware services (via TCP and doors)
> Writing-down
> Restricted to privileged label-aware global zone services
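The Mandatory Access Control slide describes labels as a hierarchy plus compartments, and this slide states the mount and file rules in terms of label equality and dominance. The following Python is an added example that encodes both, serving both slides; it is not Trusted Extensions code. The classification order is the government hierarchy from the earlier slide, the compartment names are constructed, and the `zone_limit` argument is an assumed stand-in for the zone's limit set and network label range.

```python
from dataclasses import dataclass

# Hierarchical classifications, lowest first (sample data from the MAC slide).
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()   # non-hierarchical categories

    def dominates(self, other):
        """self dominates other when its classification is at least as high
        and it holds every compartment that other holds."""
        return (CLASSIFICATIONS.index(self.classification)
                >= CLASSIFICATIONS.index(other.classification)
                and self.compartments >= other.compartments)


def disjoint(a, b):
    """Neither label dominates the other, so no flow is allowed either way
    (the relationship that keeps separate networks apart later in the deck)."""
    return not a.dominates(b) and not b.dominates(a)


def mount_allowed(zone_label, fs_label, read_write, zone_limit=None):
    """Mount policy as stated on the slide: read-write mounts require label
    equality; read-only mounts require the client zone to dominate the
    filesystem (read-down); reading up is refused. `zone_limit` (assumed)
    models the zone's limit set / network label range."""
    if read_write:
        return zone_label == fs_label
    if not zone_label.dominates(fs_label):
        return False                      # would be a read-up
    if zone_limit is not None and not zone_limit.dominates(fs_label):
        return False                      # beyond what the zone may reach
    return True


def file_access(process_label, file_label, op):
    """Per-file rule inside a labeled zone: read needs dominance (read-down);
    write to a regular file needs equality (no write-up; write-down is left
    to privileged global-zone services and is not modelled here)."""
    if op == "read":
        return process_label.dominates(file_label)
    if op == "write":
        return process_label == file_label
    raise ValueError("unknown operation: " + op)


if __name__ == "__main__":
    # Constructed labels: a Secret zone reading a Confidential export.
    secret = Label("Secret")
    confidential = Label("Confidential")
    print(mount_allowed(secret, confidential, read_write=False))   # read-down
    print(mount_allowed(secret, confidential, read_write=True))    # needs equality
    print(disjoint(Label("Secret", frozenset({"Music"})),
                   Label("Secret", frozenset({"Internet"}))))
```

Two labels at the same classification with different compartments are disjoint, which is how a "Chinese wall" between two departments at the same level is expressed without any hierarchy between them.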
30. NFS Support for Zones
• NFS clients:
> Each zone has its own automounter
> Kernel enforces MAC policy for NFS mounts
• NFS servers:
> Global zone administers a share table per zone
> Kernel enforces MAC policy for NFS requests
• The global zone administrator can export filesystems
from labeled zones
> Each export must be a single-level filesystem
> Zone's label automatically applied to each export
31. Networking:
Option 1: Per-Zone IP addresses
[Figure: zones Need-to-know, Internal Use and Public plus Multilevel Desktop Services (Global Zone) on the Solaris Kernel, with per-zone addresses 1.2.3.10, 1.2.4.10, 1.2.5.10 and 1.2.6.10]
• Each zone has a unique IP address
• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs
32. Option 2: All-Zone IP addresses
[Figure: the same zones Need-to-know, Internal Use, Public and Multilevel Desktop Services (Global Zone) on the Solaris Kernel, all using address 1.2.3.4, with the global zone also reachable at 1.2.6.10]
• All zones share a single address
• Shared network Interface may be physical or logical
• Both per-zone and all-zone assignment strategies can be used concurrently
33. Multi-Level Desktop
• Trusted CDE standard
> Similar to Trusted Solaris 8
> Included in initial Common Criteria Evaluation
• Java Desktop System (GNOME)
> Single Level desktop
>Full accessibility requirements
>More modern look-and-feel to customers
> Multi-level desktop
>Included in initial release
>Test as part of the Common Criteria LSPP
34. Multilevel Session
• An authorized user can work at multiple sessions concurrently.
• The user can be authorized to do cut-and-paste operations.
37. Trusted Java Desktop System Details
[Figure: Trusted JDS screenshot annotated with the workplace switcher, the task switcher, and the trusted stripe with the Trusted Path menu]
38. Trusted Extensions Privileges
Privilege           Grants
file_downgrade_sl   file downgrade label
file_upgrade_sl     file upgrade label
net_bindmlp         bind to a multilevel port
net_mac_aware       required for NFS read-down
sys_trans_label     translate non-dominated labels
win_colormap        load custom pseudo-colors
win_config          set X server defaults
win_dac_read        read another user's X resources
win_dac_write       modify another user's X resources
win_devices         set keyboard and pointer policies
win_dga             write to framebuffer
win_downgrade_sl    downgrade label of X resources
win_fontpath        install custom fonts
win_mac_read        read non-dominated X resources
win_mac_write       modify dominated X resources
win_selection       bypass trusted selection manager
win_upgrade_sl      upgrade label of X resources
The privilege limit set for zones will be configurable.
Any of these privileges may be assigned to zones.
39. Benefits of Trusted Extensions
• Leveraging Solaris functionality:
> Process & User Rights Management, auditing, zones
> Make use of existing Solaris kernel enhancements
• Elimination of patch redundancy:
> All Solaris patches apply, hence available sooner
> No lag in hardware platform availability
• Extend Solaris Application Guarantee
• Full hardware and software support
> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
> Processors (SPARC, x86, AMD64)
> Infrastructure (Cluster, Grid, Directory, etc.)
41. What is Common Criteria EAL?
• CC Evaluation Assurance Levels (EAL)
> EAL1 Functionally Tested
> EAL2 Structurally Tested
> EAL3 Methodically Tested and Verified
> EAL4 Methodically Designed, Tested and Verified
> EAL5 Semi-formally Designed and Tested
> EAL6 Semi-formally Verified Design and Tested
> EAL7 Formally Verified Design and Tested
These are used to measure how well a protection profile has been tested
42. Common Criteria Certifications
• Targets include : SPARC, x86/x64 based systems, full
networking, LDAP naming service, full GUI
• Solaris 10 3/05:
> CAPP, RBACPP @ EAL 4+
> Completed in December 2006
• Solaris 10 11/06:
> CAPP, RBACPP, LSPP @ EAL 4+
> Officially “In evaluation” as of June 2006
> Expected to complete by Summer 2007
• US-based upcoming requirements
> Basic, Single-Level Medium, Multilevel Medium
43. Some Common Customer Problems
• Allowing access to the coalition network from the national
network, but not vice versa
• Erect a “Chinese wall” between investment and brokerage
departments
• Prevent accidental disclosure of confidential information
• Data assurance – guarantee that a service does what it
claims to do
• Meeting privacy laws e.g. healthcare
45. Desktop consolidation - SNAP
• Desktop consolidation
> Permits access to those networks for which the user is
cleared or do not need to know about
> Denies transferring information from one network to the
other, unless the user is authorised to upgrade or
downgrade information
> Provides concurrent access to different classifications
• Based on configuration
> Can be used to prevent accidental disclosure (relabeling
requires confirmation)
> Provides access to only those networks for which the
user is cleared (Chinese wall)
46. Desktop Consolidation
[Figure: an RDP (or other protocol) server in each Secure Net runs Apps 1,2,3; an RDP (or other) client on a Sun Ray Session Server in Office #1 reaches Secure Net A-Z on one terminal]
47. Web-browsing
• Allow web-access from one network to other networks, but not vice
versa
• This can be done using a firewall, a well-configured “regular” Solaris
with a web proxy, or some variation on this theme
• Using Trusted Extensions
> in high-assurance environments to improve confidence
> In any environment to provide additional controls (protect against
misconfiguration)
48. Web-browsing
• Label-configuration has the different networks
“disjoint”, so TX will permit no communication
between them
[Figure: the TX system sits between the National network and Coalition Network 1, 2 and 3]
49. Web-publishing
• In the same environment the customer wants to be
able to publish documents to web-servers on the
coalition networks
[Figure: TX between the NATIONAL NETWORK and coalition networks C1, C2, C3]
50. Web-publishing
• Scripted (and thus easily updated)
> Document retrieval
> Document validation
> Document publishing
• Coded (but generic, so reusable)
> The communication code in the global zone daemon
> The relabeling and application invocation is scripted, so
easily extended (but only by an admin, as it exists in the
global zone which is inaccessible to “regular” users)
• Work in progress (but will be built this fiscal year)
51. Desktop sessions
> Users start an X server (e.g. Exceed) on their PC,
> They use Secure Shell to log-in on the TX system
> Once authenticated they get access to a text-based
menu that allows them to select a “destination” host
[Figure: TX between the NATIONAL NETWORK and coalition networks C1, C2, C3]
54. Architecture Level 1
[Figure: browsers at PUBLIC, INTERNAL, NEEDTOKNOW and RESTRICTED, each reaching port 80 over CIPSO, go through a (reverse) proxy server in the RESTRICTED zone listening on port 8080 on an MLP, which forwards to an app server on port 80. The proxy filter gets the client label from TX and adds it to the http header; servlets get the label from the http header using getHeader().]
55. Architecture Level 2 - HTML
[Figure: client over http to JClientLabelFilter (obtains remote connection label, direct or from http header) and JFileLabelFilter (obtains HTML file label), then JfilePEPFilter (XACML), which calls PDPservice (XACML) over JAX-RPC (SOAP) described by WSDL; JLabelhtml serves a static HTML file (NEEDTOKNOW); the PDP reads policy.xml]
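The two architecture diagrams above have one detail a reviewer should pin down: the servlet reads the client label from an http header, so the filter must only trust that header when the request really came from the proxy on the MLP. This added Python example (not the JClientLabelFilter, JFileLabelFilter or PDPservice code, and not an XACML engine) shows a client-label filter with that rule and a minimal policy decision point with first-applicable rule combining. The linear label set is the one in the Level 1 diagram; the header name, the proxy address and the rule list standing in for policy.xml are assumptions.

```python
# Linear label set from the Architecture Level 1 diagram, lowest first.
LEVELS = ("PUBLIC", "INTERNAL", "NEEDTOKNOW", "RESTRICTED")
LABEL_HEADER = "X-TX-Client-Label"        # assumed name of the header the proxy filter adds
PROXY_ADDRS = frozenset({"127.0.0.1"})    # assumed: only the reverse proxy on the MLP


def client_label(request):
    """Client-label filter. The header is trusted only when the request comes
    from the proxy; for any other caller the label is taken from the
    connection's own label (a field assumed to be filled from TX) and a header
    the caller may have supplied is ignored. Unknown labels yield None."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if request.get("remote_addr") in PROXY_ADDRS and LABEL_HEADER.lower() in headers:
        label = headers[LABEL_HEADER.lower()]
    else:
        label = request.get("connection_label")
    return label if label in LEVELS else None


def pdp_decide(policy, subject, resource, action):
    """Policy decision point: ordered rule list, first-applicable combining.
    Each rule is (action or '*', relation, effect)."""
    for rule_action, relation, effect in policy:
        if rule_action not in ("*", action):
            continue
        if relation == "any":
            return effect
        if relation == "dominates" and LEVELS.index(subject) >= LEVELS.index(resource):
            return effect
        if relation == "equal" and subject == resource:
            return effect
    return "NotApplicable"


# Constructed rule list standing in for policy.xml: read-down, write only at
# an equal label, everything else denied.
POLICY = [("read", "dominates", "Permit"),
          ("write", "equal", "Permit"),
          ("*", "any", "Deny")]


def pep_enforce(request, file_label, action="read", policy=POLICY):
    """Policy enforcement point: gather both labels, ask the PDP, fail closed.
    Returns an HTTP status code."""
    subject = client_label(request)
    if subject is None or file_label not in LEVELS:
        return 403
    return 200 if pdp_decide(policy, subject, file_label, action) == "Permit" else 403


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one arriving directly
    # with a label header it set itself.
    via_proxy = {"remote_addr": "127.0.0.1",
                 "headers": {"X-TX-Client-Label": "NEEDTOKNOW"}}
    direct = {"remote_addr": "10.9.8.7",
              "headers": {"X-TX-Client-Label": "RESTRICTED"},
              "connection_label": "PUBLIC"}
    print(pep_enforce(via_proxy, "INTERNAL"), pep_enforce(direct, "INTERNAL"))
```

The direct request is served at PUBLIC regardless of the header it carries, and an action the policy does not name falls through to the final Deny rule rather than to an implicit allow.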
56. Architecture Level 2 - Tearline
[Figure: client over http to JClientLabelFilter (obtains remote connection label); JLabelxml (JAXP) applies an XSLT file to an XML file with XALAN, validated against an XSD file, and generates HTML; a PEP function (XACML) calls PDPservice (XACML) over JAX-RPC described by WSDL]
61. SIMA – Secure Delivery of
eGovernment Services
[Figure: mobile users, wireless clients and personal computers connect with SSL over IPSEC, a mobile phone with SSL + VoIP over IPSEC, and Internet clients with SSL; Sun Rays and the Portal Server front the Sun eGov Applications]
63. Recap
• Solaris with Trusted Extensions is
> Just another configuration of Solaris 10
> But one which has some extra policy enforcement
capabilities (and courtesy of these is being evaluated
against stricter Common Criteria protection profiles)
> Traditionally used as a desktop system, with Trusted
CDE or Trusted JDS as a desktop environment
> Equally usable for a “suspenders-and-a-belt” approach to
servers in any environment
> Where you can make a nice web proxy server, an
application-access-controlling gateway, or a controlled
publishing system (and much more) out of it...
64. Other References
• Other articles, url's:
> Desktop System Streamlines Analysis Work,
SIGNAL, Henry S. Kenyon
http://www.afcea.org/signal/articles/anmviewer.asp?a=427&z=39
> USS Mt. Whitney exercise
http://www.jfcom.mil/newslink/storyarchive/2004/pa062104.htm
> JEDI page describing DoDIIS Trusted Workstation
(DTW) https://extranet.if.afrl.af.mil/jedi/
> Super-Secure Systems Gain in Private Sector,
Investor's Business Daily, 10/12/04; Donna Howell
http://www.investors.com/editorial/tech01.asp?v=10/12
66. Related Information
• Sun Security Home Page – http://www.sun.com/security
• Solaris Patches & Finger Print Database – http://sunsolve.sun.com/
• Sun Security Coordination Team – http://sunsolve.sun.com/security
• Sun BluePrints for Security – http://www.sun.com/blueprints
> Developing a Security Policy
> Trust Modelling for Security Arch. Development
> Building Secure n-Tier Environments
> How Hackers Do It: Tricks, Tips and Techniques
● Developing a Security Policy
● Trust Modelling for Security Arch. Development
● Building Secure n-Tier Environments
● How Hackers Do It: Tricks, Tips and Techniques
67. Related Service Information
• Sun Consulting Security Services – http://www.sun.com/service/sunps/security
• Sun Education Security Services – http://suned.sun.com/US/catalog
• Sun Support Services – http://www.sun.com/service/support
• Network and Security Products – http://www.humanfirewall.org