Sun Security Blog
The slides and other supporting material from Scott Rotondo's CommunityOne talk on Secure Programming are now available from the OpenSolaris security community library pages. The talk includes how OpenSolaris uses lint extensions to detect problems using static analysis at build time, as well as a new tool from Sun Labs called Parfait.

- Darren

Tags: communityone opensolaris programming security

The Sun Security Toolkit (SST), also known as JASS ("Jumpstart Architecture and Security Scripts"), is now open source under the CDDL license. It is being hosted on OpenSolaris under the project name sst.

- Darren

Tags: jass opensolaris sst

Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it now part of the Solaris 10 binary product, but there were two significant changes.
- Darren

Tags: opensolaris security solaris trusted

I found out today that I can use Nautilus, the GNOME file manager, to browse file systems accessible over sftp (the IETF secsh filexfer protocol). I was surprised this worked already, since I wasn't expecting it to be available until we had FUSE on (Open)Solaris. It turns out that the gnome-vfs layer does this on its own. So while I can't 'cd /net/myhomemachine.com/home/darren/Documents', I can do it graphically. There are also gnome-vfs plugins for SMB (using Samba), WebDAV and WebDAV over SSL/TLS. As far as I know this is something we got in Solaris Express by virtue of keeping up with the GNOME community; it isn't an OpenSolaris or Solaris invention, and it didn't even need to be changed to work.

This all works without any privilege, even though it looks like the user is mounting file systems. Since it happens in the user's Nautilus process it doesn't cause any problems with Trusted Extensions labeling. I need to investigate how copy/move of files between a local file system and one using one of these gnome-vfs plugins will work, though. There can't be a security violation because of how Nautilus works in Trusted Extensions, but it might not allow the copy/move.

- Darren

Tags: gnome opensolaris sftp

This was a great weekend for WiFi on OpenSolaris (and thus future releases of Solaris and Solaris Express) [build 64]. Not only did we get a driver for the Intel Centrino 3945 chipset, but more importantly (well, at least in the eyes of a security geek like me) we got support for WPA-PSK. I've been working with the project team on this for quite some time now, not as a core developer but mostly giving design advice and doing code review, and I'm really glad to see it integrated. I'm really pleased with the architecture and the implementation. Yeah, I know lots of other operating systems had this already, and now we do too!

This, combined with NWAM, which integrated its first deliverables into build 62, means we are really going somewhere with usability and security for Solaris on laptops. Now I can put WPA-PSK on my home router again instead of relying on WEP, not broadcasting my SSID and MAC address restrictions. Meanwhile the project team are now off developing WPA Enterprise support; I expect to work with them a little as they design and implement that support.

- Darren

Tags: opensolaris slotd wifi wpa

Bonus Link Tuesday :-) Instead of just one link of the day I'm going to highlight a few recent security-relevant ARC cases. For information on what an "ARC case" is, see the ARC community on OpenSolaris.org; at a high level, it is how we do reviews of things users/admins/developers can see and use in (Open)Solaris, and document the interfaces and their interactions. The first two are proposals that are currently still in review, so the functionality they describe doesn't yet appear in any OpenSolaris distribution.

The first one is a proposal (PSARC/2007/200) to change the way that IPsec is started up by making better use of SMF; this gives better fault recovery, something really important when securing your system. Plus, I logged the bug for this and provided a first suggestion at the new SMF services, and I'm really glad to see the project getting implemented now. The proposal is much more complete than my original suggestion and provides a very nice set of new SMF services that shows much better how IPsec works, instead of it being "hidden" as part of general networking services.

The second one (PSARC/2007/198) is related to how IPfilter and IPMP work together. I find this one quite interesting because it focuses on how stateful packet filtering works in a high-availability networking configuration. It is also interesting because this proposal is actually a short-term solution that is to be provided until the Clearview networking project is ready.

My third and final link for today is a really geeky and quite low-level/internal feature of the Cryptographic Framework. It (PSARC/2007/093) is about sharing the context (state) of in-progress multi-part crypto operations between hardware and software providers. The real end-user benefit of this is better performance. This is because sometimes it is actually faster to run the software version of an algorithm than to send small data sizes out to dedicated crypto hardware. I'm not aware of any other operating system with a crypto framework that goes to these extents to get the best crypto performance out of the system as a whole; I'd be very interested in learning about others (particularly open source ones) that do similar things. I've long said to my team mates in the crypto group that there is a PhD thesis to be written about crypto job scheduling for best single throughput versus best system load with different mixes of hardware and software crypto engines.

That's it for the day.

- Darren

Tags: arc opensolaris psarc slotd
As our first Security Link Of The Day we'd really like to mention OpenSolaris, and specifically the security communities and projects within it; there are over a score of projects, including (but not limited to!) the following categories:

The best jumping-off points to investigate all the security possibilities are probably the Security Community Wiki and the main OpenSolaris Projects List. Do take a look. There's a lot of nifty stuff there.

- alec

Tags: opensolaris security slotd solaris