Friday April 18, 2008

Security Ambassadors

I'm sitting here in one of the last sessions of the Sun Security Ambassadors conference, and thinking how lucky I was to be able to attend - getting the opportunity to learn what we are doing wrt to security in all our different GEOs, get in depth information into emerging security technologies, and I got to hear from some excellent luminaries in this field: Matt Bishop, Radia Perlman, Susan Landau & Michelle Dennedy.  We've had a great agenda and I feel like my team and I will have a lot to take away from this.

With Sun Security Ambassadors this week, and RSA last week (more on that later), I've been away from my email and "day job". That means a lot of catchup for next week!  

Monday March 03, 2008

Strong crypto in base Nevada!

My Friday night integration of 6498066 PSARC/2006/610 Data Encryption Kit (SUNWcry) Removal now means that strong crypto is available in a base Nevada system, starting with build 85 and forward.  What does this mean for you? Mostly it means that you no longer have to get special packages to get longer key lengths for arcfour, aes or blowfish and that things like OpenSSL will work out of the box.

Earlier posts to this blog explained how I took a different approach with strong crypto with Solaris 10 Update 4.  This work I just completed in Nevada, which was originally started by darrenm, is not appropriate for an update release since it removes packages and modules from the system.

Also, earlier this project was tied in with libsoftcrypto.  I worked closely with the crypto team on this, and we decided that the removal of the Data Encryption Kit was more important and needed to be integrated as soon as possible, so libsoftcrypto was pulled out of this project gate in order to speed up delivery of PSARC/2006/610.

One really cool thing about this integration? It removes tons of now pointless Sun specific modifications from the OpenSSL source. Hurray!

This should make it easier for folks to use Nevada and OpenSolaris builds, as well as make it easier to do development in the affected areas. Let me know if you have any questions!
 

Friday February 01, 2008

Sun Headlines debut! I just made my debut as an anchor for Sun Headlines. In this latest edition of the program, I'm talking about how cool Project Blackbox is. It's weird watching a video of myself, but it was such a cool experience making it and I love talking about Sun technology. I hope I get another opportunity to film one again! Check out my segment and let me know what you think! (2008-02-01 13:43:36.0) Permalink Comments [1]

Tuesday November 27, 2007

libsoftcrypto gate building again! I'm so excited - I'm finally back on the libsoftcrypto/removal of SUNWcry/SUNWcryr project, after being mired in other tasks for the most recent past, and the best news is I have the gate building again.  Some of my recent code review comments I accepted caused build failures when a full clobber nightly was done (gotta love makefile magic ;-) and I also hit a flag day with librcyptoutil and its new version string.  Good news, last night's full clobber build on sparc completed successfully.  Now to see if it still passes tests, while I work on integrating the rest of my code review comments. (2007-11-27 13:29:40.0) Permalink

Thursday September 06, 2007

Strong encryption included with Solaris 10 09/07!

Yay! The day is finally here!  A base version of the Solaris operating system now includes full strength crypto! The packages contained in the Encryption Kit are now included in Solaris 10 09/07 (aka Update 4) by default.  This includes: SUNWcry, SUNWcryr and SUNWcryman.  Now things like IPsec and OpenSSL will have access to full strength keys at installation time, and you'll no longer see weird errors coming from OpenSSL.

This was a simpler, and hackier, approach than what is being undertaken for Nevada/OpenSolaris.  For Solaris 10 09/07, I "simply" got advice from legal that this is okay to include now, filed a package RTI requesting that the FCS versions of the Encryption Kit packages get included in the WOS (Wad of Stuff), and requested those packages to be freshbitted like everything else.   These packages had problems with zones, and the like, that were never noticed by internal testers before - since they weren't included by default. Mary D. & Tony S. worked with the patch gatekeepers to get script patches integrated that would do the class action scripts required to fix those packaging errors.

Everything should be in tip top shape now! Enjoy!

Friday August 31, 2007

SUNWcry/SUNWcryr removal webrev posted!

Darren Moffat & Dina Nimeh did a lot a work several months ago to remove SUNWcry and SUNWcryr packages from existence (rolling the stronger crypto into the base operating system packages) and factoring out libsoftcrypto.  The work got put on a back burner as the ZFS crypto project started getting really hot.  I took over the gate for them & have been working on resyncing it to the latest ONNV bits, fixing build issues, and getting it ready for integration.  It's not 100% there yet (still need to get rid of merge turds, clean up multiple deltas, etc), but I've sent out the code review.  Please take a look & provide comments by 7 Sept 2007.  Thanks!

Thursday August 23, 2007

FIPS 140-2 rough draft design posted!

I've finally gotten a rough draft design for the FIPS 140-2 work I'm doing for getting the Solaris Cryptographic Framework certified.  It turns out we have to do some coding work, first, before we'll even be certifiable.  I've tried to capture it all in the rough design, but I am new to the FIPS 140 world, so would love feedback from more experienced folks.

Another engineer will be joining me on the enhancements soon - yay!

If you're interested, design discussion is going on on the crypto-discuss at opensolaris . org alias.

 

Tuesday February 13, 2007

Telnet vulnerability FUD is making me crazy!

Sun did a pretty awesome thing this weekend. A vulnerability was reported on an OpenSolaris alias, not even the correct place to report a security vulnerability, an engineer who happened to be reading his email on the weekend saw the post, reproduced the bug in house, fixed the code, got code review, tested and integrated a fix into Nevada (aka OpenSolaris) within HOURS.  On a weekend.  We have folks that are on pager call for handling this type of stuff, but since this was not sent to that alias, we were so lucky that several other engineers were watching an open alias for this & responded & fixed it on their day off.

The next day, Monday, the fix was integrated into the Solaris 10 patch gate, with official T-Patches on their way, yet I'm still seeing articles like this  from News.com which make it sound like we're still trying to figure it out. And gets the facts wrong (I believe the Sun rep was misquoted, but I don't know that for a fact).  The article mentions that only as of last month did we start shipping with SSH enabled by default.  *UGH*  We've been shipping with SSH enabled by default since Solaris 9 - for YEARS now.  I think what they meant was that as of last month, Solaris 10 Update 3 started shipping with ONLY SSH enabled by default.  That is, telnet, rlogin, etc are all disabled by default.  It was part of our huge security initiative, Secure By Default.

There are several workarounds to this problem:

• Disable telnet on your S10, S10U1 or S10U2 system
• make root a role
• Disable telnet to root for non CONSOLE logins (default, btw, since the initial release of Solaris)

Solaris 9 and earlier are not affected. This was unintentionally introduced into the Solaris 10 & Nevada code base when a major project integrated into Solaris 10.

I am mystified as to why we didn't immediately release a SunAlert with the workaround, but I know those folks were waiting for the IDRs to be available - and they are now.  Official patches will be available Real Soon Now.  I'll keep poking a sharp stick at folks to try to convince them to do better OFFICIAL communication, but what we've got going with OpenSolaris on the discussion aliases is very cool.

Tuesday January 16, 2007

Ten years later....

Walking into the building today after yoga, I caught the strong odor of burnt toast. This reminded me of an... incident I had when I started here ten years ago while trying to get a bagel *extra* toasty.   I started here in January 1997, just as the Internet boom was starting to ramp up.  At Sun, we still got free bagels and donuts once a week - heck, I can't remember if it was on Tuesday or Wednesday anymore!  These donuts and bagels  were a BIG incentive to get into the office early, otherwise you'd miss out on the deep fried delicious snacks.

 Fresh out of school, I would arrive here at the office, dressed business casual, at about 8:30AM.  One morning (a Tuesday or Wednesday), I was toasting my bagel & decided to toast it twice (as the first time it came out a bit underdone).  The smell of burning bread alerted me to trouble, and I reached into the toaster oven to try to retrieve my bagel. After burning my hand trying to grab the incredibly hot doughy delight, I tried reaching in again with a paper towel... Even though the element was off, it was still hot enough to catch that paper towel on fire.  Oops! Quickly, I dropped the paper towel in the sink & turned on the water. Waited a minute, then retrieved my now overdone bagel and sulked back to my office. Embarrassed by my rookie bagel move, I was still relieved that Sun engineering is a late rising bunch, so nobody else witnessed my bagel flambe.

Looking back on the last ten years, I've been all of the following:

• Novice
• Solaris Test Collection Gatekeeper
• JavaVM, GreenThreads & Javadoc tester
  
• Firewall novice
• Sustaining Engineer
• Patch creator
• Chief complainer about SunScreen's NAT facility
• Architect and developer of new NAT in SunScreen EFS 3.0
• SNMP expert
• Tweaker of all things stateful in SunScreen
• Documentation reviewer & sometimes writer
  
• Bug princess
  
• IPQoS Novice
• CIM/Wbem novice
• ON novice
  
• IPsec novice
• Userland cryptoframework component designer & implementor
• Test developer for PKCS#11 components
• Bug queen
• BoF organizer
  
• Solaris update release tech lead
• ON CRT
  
• Chief receiver of complaints about update releases & patches
• Open Solaris sponsor
• Open Solaris sponsor.. sponsor
• Smartcard novice
  
• Crypto export rule enforcer
• Fixing code I wrote many moons ago... geez, why didn't I comment that code?!?! Who wrote these lousy man pages?!? I did?!? Oh, well, then... I guess they aren't that bad. ;-)
  

Here's to a great ten years at an incredible company where I've had many different jobs (only one job change actually involved an interview), and even more roles.  I've learned you can't be just one thing here at Sun, you must take multiple roles, do multiple tasks, and keep learning.  There's always more room on your plate - there has to be.  It's how we grow, both as a company and as individuals.

Here's hoping for a few more good years here!  Who knows what jobs or roles I'll be doing next year?

Tuesday March 07, 2006

Life Cycle of a Patch - the basics I know I promised a follow on about Solaris Updates and exceptions back in October, but, well, I've been busy. Update 1 (S10 01/06) shipped in January and has been making people happy ever since :-)  My last blog entry on the subject of how updates are built has generated a lot of questions internally about the lifecycle of a patch. In my last entry, I talked about patches being cut at the end of the build, this is where things get interesting.

Whenever a patch is created, it is placed in an internal database where we can all track the status and progress of the patch. Additionally, all interested parties, like patch requestors and test, will have an automatic hold on the patch preventing its release to SunSolve.  The patch requestor, as officially defined by the tools, is whomever the engineer specified as the requestor in their patch RTI (Request to Integrate).  This should be whomever is asking them to backport their fix to Solaris 10, and at this point it must be an internal person.  Many engineers will use themselves as the requestor since they are doing the backport on behalf of a customer.

All Solaris patches are delivered to an internal group called Patch System Test (PST) where they do basic regression testing of the patch and test applying patches on systems with popular enterprise applications.  PST has a one week test schedule, so if the patches are delivered *just* after a cycle has started, they will have to wait until the next cycle begins so it may take a patch up to two weeks just to get through testing.  If PST is satisfied by the patch, they will release their hold on it.

Each developer & patch requestor is then responsible to do unit testing with each patch, to make sure the bugs it is supposed to be fixing are actually fixed, that all dependencies of the patch are actually correct, and that the README content is accurate.  This is where things sometimes slow down in the cycle if engineers are on vacation or don't understand that it is indeed their responsibility to do this.  Fortunately, that does not happen often, and is normally quickly caught by an engineer covering an escalation for a customer or someone else desperate for the patch.

As soon as all of the holds are released, the patch is pushed out to SunSolve within 24 hours by an automated system.  If there is an urgent need, the patchmanager, with the proper escalation, can override individual holds during special circumstances to get a patch out even faster.

Thursday December 22, 2005

Solaris 10 1/06 (aka Update 1) is out!! It's here at last!  After nearly a year of hardwork, all of the teams pulled together an excellent update for Solaris 10.  It feels great to finally get the release out to the masses. In addition to many bug fixes, there are loads of performance enhancements and new features.  Solaris 10 1/06 supports all of the new hardware platforms released over the last year, including the Niagra Cool Threads machines and the galaxy boxes.

This release contains the metaslot support for the Solaris Cryptographic Framework which makes programming to the framework easier than ever before, new GLD interface and updated network drivers to take advantage of the performance gains, and GRUB for x64 boot architecture.  There's so much more, too.  Check it out - let me know what you think!  Visit the downloads section of Sun.com.

Now I should finally be able to get some sleep :-)

Friday October 28, 2005

What are Solaris Updates made of: Patches and scripts and packages, too. There seems to be some confusion about what a Solaris Update release is, both in and outside of the company, so I'd like to take an opportunity to explain how we are currently generating Solaris update releases.

First of all, a reminder, I am the technical lead for just the ON Consolidation for Solaris 10 Update 1.  All of Solaris, aka the WOS, is made up of various consolidations.  ON, the Operating System and Networking Consolidation, is just one of them.  I can speak about how we handle things in ON land, but cannot promise that the same things apply across all consolidations. Most of ON is now available in OpenSolaris, to give you an idea of what code base I'm talking about.  Mike Kupfer gives a good background on the ON consolidation.

The other caveat: there are exceptions.  I will lay out first the basic structures of an update.  Later entries will talk more about the exceptions and more fancy things, like features.

My mantra throughout this release has been "the patch gate is the update gate is the patch gate is the update gate...".  I even included that in the gate's README file.

Put another way, update releases are made up almost entirely of patches, most of which are released early on SunSolve to provide binary relief to customers. 

The most basic things that an update release contains are bug fixes, which I'll cover in this entry. These bugs may have been found internally or may have been reported by an external customer who escalated the issue.  When a bug is fixed, it is first integrated in the release under development, in this case Nevada, where it undergoes significant testing and gains exposure on our internal servers and desktops.  We call that "soaking".

After soak has completed, the fix comes back to the sustaining gate, on10-patch, where we do milestone builds every two weeks.   At the end of a build, we will cut at least one patch for each integration we took for each applicable architecture and deliver those for further testing.  The final patches will typically end up on SunSolve and are also used to create what is known as a Freshbit image of Solaris.  Essentially, we start with an GA version of Solaris 10 and install patches on top of that image, to create an update build.  That is, if the fix was not included in a patch, it will not be part of the update release.

Patches are cumulative so if patch A-01 contains a fix for bug X, patch A-02 will also contain a fix for bug X + some other bug fixes.  Therefor, update builds are also cumulative. If something was fixed in a patch applied to the freshbit image of s10u1_01 it will still be fixed in s10u1_02 and so on.

In theory, you can take a base Solaris 10 03/05 system and patch up to an update release.  In fact, you may remember when Sun used to release MUs (Maintenance Updates) which would basicly install the base OS then spend a couple of hours automaticly patching it.  Those where the bad ol' days - now we do the patching for you, and you can just upgrade or do a fresh install, getting essentially Solaris 10 03/05 and all relevant patches for your hardware.

Of course, there are exceptions, but most of those are not relevant for existing install base for Solaris 10 03/05.

I hope this helps to explain things a bit.  I will have more entries, soon, to explain how features and new packages are handled and tested.  let me know if any of this does not make sense, or if you have any specific questions on the interaction of patches and updates.
(2005-10-28 00:15:22.0) Permalink Comments [5]

Tuesday May 10, 2005

Chairman's Award winner! Yipee!!! Every year, Scott McNeally and the executive staff give out a handfull of awards for outstanding contributions and innovations.  This year, the Solaris Cryptographic Framework for Solaris 10 was awarded one of the prizes!  This is an amazing recognition for all of our efforts and the great benefits the crypto framework can bring to developers and ISVs!

Our team got to spend the entire morning with the executive staff, in attendance at the virtual leadership conference, and we all got  to shake Scott's hand and get our pictures taken with the award.

Afterwards, the executive staff provided a boxed lunch with an executive at every table.  I was fortunate enough to get to sit with Jonathan Schwartz and Anil Gadre.  Both of these men were very open to listening to feedback from the "normal" employees at the table and actually seemed interested.

Now I'm just waiting for people in the field to really start playing with the Solaris Cryptographic Framework and giving us feedback. C'mon - we're waiting!
(2005-05-10 14:12:12.0) Permalink Comments [3]

Monday April 11, 2005

Solaris Cryptographic Framework - Demo providers The news just gets better & better!

We've just released the source code for some sample providers for the userland cryptographic framework.  If you're interested in developing libraries to plug into uCF in Solaris 10, this is a great starting place.  The demo provider has source code for a lot of the basic PKCS#11 stuff, like session management, and skeletons for the rest of the crypto stuff. 

You can get the providers from the Sun download center.

Other sample code is available from the development guide (click on Solaris Security Examples).

many thanks to our intern, Susan, for all her hard work making these demo providers a reality. We hope they'll save Solaris developers lots of time getting started making providers for the Solaris Cryptographic Framework.  Let me know what you think!

Friday April 01, 2005

Solaris Cryptographic Framework Whitepaper published! Ok, this took entirely too long, but I've finally gotten the whitepaper I wrote on the Solaris Cryptographic Framework published externally!   Finally, in Solaris 10, access to optimized cryptographic algorithms are brought to the general user.  Now you can read all about it on BigAdmin: Solaris Cryptographic Framework

Let me know what you think, or if you have any questions.  There is also a Kernel API/SPI that is touched on briefly in the paper.  We're working on stabilizing the kernel interfaces so we can publish those as well.

This paper also contains my first piece of externally published source code that I've written for Sun.  It is a combination of Sun's strict c-style and RSA's PCKS#11 style.  Certainly not the most challenging work I've done for Sun (that would be SunScreen's NAT or libpkcs11.so.1 itself). Go ahead and try it out on your s10 box now.
(2005-04-01 13:51:54.0) Permalink Comments [4]