The slides and other supporting material from Scott Rotondo's CommunityOne talk on Secure Programming are now available from the OpenSolaris security community library pages. The talk includes how OpenSolaris uses lint extensions to detect problems using static analysis at build time as well as a new tool from Sun Labs called Parfait.

- Darren


The Sun Security Toolkit (SST), also known as JASS: "Jumpstart Architecture and Security Scripts", is now open source under the CDDL license. It is being hosted on OpenSolaris under the project name sst.

- Darren


An apparent Denial of Service (DoS) issue relating to Sun M-class servers
was reported by three OpenBSD developers to the Full-Disclosure mailing
list:

http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064312.html

The issue as described relates that the OpenBSD/sparc64 kernel can trigger
a fault which causes the dynamic domain of a Sun M-class server to power
down. Sun has investigated this issue and would like to provide the
following details to help clarify the impact as well as the contributing
factors.

  • This issue applies to Sun SPARC Enterprise M4000 Servers and Sun
    SPARC Enterprise M5000 Servers only.
  • This issue does not apply to the above systems when Solaris is
    installed.
  • This issue is seen with OpenBSD/sparc64 due to a device driver and
    thus cannot be triggered by an unprivileged user.
  • The OpenBSD/sparc64 device driver causes a hardware fault to occur
    and since the dynamic domains in Sun SPARC Enterprise M4000 and
    M5000 servers share major hardware components the hardware fault
    causes the M-class server processor to shut down the entire platform.
  • The Sun SPARC Enterprise M4000 and M5000 servers are cold service
    systems and thus to clear a hardware fault the system must be powered
    off.


Sun is aware of a Denial of Service (DoS) issue in the Sun SPARC Enterprise M4000 server running OpenBSD. This issue could
lead to a hardware failure in one domain that may affect other running domains on the system, thereby requiring a complete
power cycle of the hardware to recover. Sun acknowledges Theo de Raadt of openbsd.org for bringing the issue to our
attention.

Sun has been in contact with the reporters of the issue and is currently investigating to fully understand the root cause,
its impact and to find a resolution. Sun will provide additional information as soon as it becomes available.

Security vulnerabilities or potential security issues in any Sun product may be reported via email to
security {dash} alert {at} sun.com. It is recommended to encrypt all sensitive emails with the Sun Security Coordination Team's PGP key.
More details can be found here


The Sun Java System Application Server versions 8.1, 9.0 and 9.1 bundle the Java SE Development Kit (JDK) 1.5.0. Sun has recently published JDK
1.5.0_16, which is an Update to JDK 1.5.0, addressing multiple security vulnerabilities as listed in the following Sun Alerts:

Sun Alert 238628 available here
Sun Alert 238905 available here
Sun Alert 238965 available here
Sun Alert 238966 available here
Sun Alert 238967 available here
Sun Alert 238968 available here

All users of Sun Java System Application Server should apply the patches listed in these Sun Alerts or upgrade the JDK to JDK 1.5.0_16 which is
available at

http://java.sun.com/javase/downloads/index_jdk5.jsp


Solaris 10 11/06 now has a Common Criteria EAL4+ certification for CAPP/RBACPP/LSPP. For full details see the press release. Details of all Solaris Common Criteria certifications are available on the security certifications page.

- Darren


Sun UK is running a morning briefing on End to End to Security. The event is on Thursday 5th June in the London Customer Briefing Center (for LOSUG people this is the same place we meet). Details and registration information can be found here. Dave Walker and I are among the speakers.

-- Darren


The Sun Security Coordination Team has published a reference document for security Sun Alerts at:

http://sunsolve.sun.com/search/document.do?assetkey=1-9-91209-1

This document includes information on Preliminary and Workaround Sun Alerts, various sections in the body of a Sun Alert, definitions of frequently used vulnerability related terminology (such as 'local user', 'remote user', 'execution of arbitrary code' and so on) and a brief summary of Sun's response to security vulnerability reports.


The removal of the Solaris Data Encryption Kit has been quite a difficult and long process for us; we are taking a different approach for Solaris 10 and for OpenSolaris. Valerie Bubb has info on how it has been done for Solaris 10 and is also currently running code review for the OpenSolaris variant, which is the full fix for this.

- Darren


As just emailed to the fine folk on security-discuss@opensolaris.org:

Hi Everyone,

I will shortly have a working set of scripts to assist in the configuration and administration of Trusted Extensions (TX) systems as another element of the "TX-Ranger" initiative, which I've blogged about a little at http://blogs.sun.com/davew/entry/building_tx_ranger.

The idea driving TX-Ranger is to make TX much easier to set up, play with, hack on, test software with and evaluate in a development environment than it currently is. TX is stunning technology, applicable to far more environments than those in which I see it currently being considered, and it would be a huge shame if its adoption was hampered by a lack of a few tools to make setting it up a straightforward exercise. I want to "make the world a more labelled place", so the easier it is for folk to flex TX's muscles for their purposes, the wider I'll grin :-).

While Trusted Solaris 8 found an almost exclusive home in Defence and Intelligence environments, changes in legislation and configuration mean that Trusted Extensions is far more applicable to today's academic and commercial world. Although the default set of labels (in /etc/security/tsol/label_encodings) reflects this, many organisations (and users) which don't traditionally do data classification could still benefit enormously from it simply by having two labels of "Internet" and "Internal", and allowing data to be written up from "Internet" but not down to it, thus preventing most types of data leak.

Glenn Faden already has some nifty tools for his "safe browsing" environment posted at http://blogs.sun.com/gfaden/entry/want_to_try_safe_browsing, but this still requires having the base TX system configured correctly.

The TX-Ranger scripts automate much of the current manual effort required to configure a TX environment. While I've been made aware that some prototype Jumpstart tools exist for TX configuration, I have been careful not to examine them as their Open status is not currently guaranteed. The author of the TX-Ranger scripts being offered, Jeff Turner of Context-Switch, has kindly agreed that they can be released to opensolaris.org under a CDDL licence.

Among other things, these scripts (and attendant TX configuration files) will reduce the administrative work needed to set up a new label compartment element, to:

enumerate-unused-compartments
assign-compartment <name> <name presented in list by previous command>

...which is rather more straightforward than the current need to manually modify label_encodings and either put hex-containing strings into tnrhtp or do much mouse-shuffling around the Solaris Management console.

Also, once a label exists, actually making it function currently involves assigning it to a zone, potentially assigning it its own physical interface with zonecfg, cloning the zone, tweaking the zone's config to give it an appropriate IP address, etc. While the elegant little txzonemgr GUI tool makes some of this easier than it sounds, it's still not as easy as:

activate-label <label> <physical interface> <IP addr>

...which is how one of the TX-Ranger scripts is driven :-).

I'd love to hear about how I can best share this material with the OpenSolaris security community.

"The future's bright, the future's labelled" :-).

Cheers,

--
Dave Walker
Client Solutions, Sun Microsystems UK
Tel: +44 780 3079264
http://blogs.sun.com/davew/



Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it now part of the Solaris 10 binary product but there were two significant changes.

  • First the packages are no longer extra and are always installed. Turning on Trusted Extensions is now just a matter of starting the labeling service: 'svcadm enable labeld'. This architecture change is discussed in PSARC/2006/254.
  • Secondly the source code to what was previously called the "TLC" gate migrated into the ON gate. Most of this is in usr/src, i.e. it is open and under the CDDL license. However there is one part that ended up in usr/closed and that is labeld. The information on how to call labeld is open so in theory other distros could create their own replacement daemon.
This is just the first part, the corresponding changes need to happen for the TX supplementary code for the other consolidations including JDS.

- Darren


A few months ago, blogs.sun.com/security started off in a new direction. The goal was to provide a large and highly visible stage for anyone within Sun who wanted to share their thoughts about security. Per the announcement:

If you are a member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice? The answer, now, is here, blogs.sun.com/security.

The goal of this effort was simple. It enabled Sun's security community to:

provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

A lot of great content has been shared in this forum and across blogs.sun.com since that posting. In addition, the announcement said that:

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security.

Well, it was more than just a few weeks, but it is certainly in this spirit that I am happy to announce the newly updated security landing page at www.sun.com/security. This page has been revamped by real Sun people with real interest in security and this is just the beginning. We will be bringing you fresh news and content on a regular basis, will be working to update the rest of the security pages in the very near future, and will be working towards even closer integration with blogs.sun.com/security.

For Sun employees, if you want your security postings to be visible on www.sun.com/security, you need only to tag your blog posting with the keyword security.

Check it out and let us know what you think!


The design review for phase one of the OpenSolaris ZFS Crypto Project starts now; details on how to participate are here.

- Darren

Jan Pechanec gives us a nice worked example on setting up the above, here. Yet another good feature in Solaris 10 11/06 :-).



As mentioned, I was visiting the USA last week, and stopped in on my former colleague and friend Keith Watson, who introduced me to the delights of MCPlus+ ("EmCeePlusPlus") - a nerdcore / geek-rap act who sing about cryptography and maths.

Cryppies will want to listen to track 4 off the album 'Algorhythms', viz Alice and Bob.

w00t.
