Both Sun and the NSA will work to integrate an additional form of mandatory access control (MAC), based on the Flux Advanced Security Kernel (Flask) architecture. The joint research project is intended to complement the security benefits provided by the Solaris Trusted Extensions feature.
Flask, which was originally developed by the NSA, is the basis of Security Enhanced Linux (SELinux).
The project aims to enhance and complement existing OpenSolaris security mechanisms with Flask and Type Enforcement (TE) technologies. One of the goals will be to preserve existing user-level APIs and only add new APIs to support additional functionality, which will ensure compatibility with existing OpenSolaris executables.
In making the announcement, Jonathan Schwartz, Sun’s chief executive, said the joint project is an opportunity to improve the security of an already robust OpenSolaris environment in a manner that may benefit government and commercial customers alike.
The Flask architecture provides flexible support for a wide range of security policies at two levels.
A company can plug and play different security servers (policy engines) behind a well-defined abstract security interface without needing to modify the rest of the system at all. Alternatively, it can configure the example security server, included in the reference implementation of Flask, to achieve a wide range of security goals by way of its flexible type enforcement (TE) and constraint-based models.
The specific policy enforced by the kernel is dictated by the security server. The example security server is driven by security policy configuration files, which can include a diverse set of policy rules, such as role-based access control and multi-level security, Sun said.
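The separation described above can be sketched in a few lines of C. This is an added illustration, not code from Flask, SELinux or OpenSolaris: the interface, function names, type labels and rule table are all hypothetical and constructed for the example. It shows the same enforcement check working unchanged against a table-driven TE server and a multi-level security server.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not the Flask or SELinux API. */
enum { PERM_READ = 1, PERM_WRITE = 2 };

/* Abstract security interface: the only thing enforcement code sees. */
typedef struct {
    const char *name;
    unsigned (*compute_av)(const char *subj, const char *obj); /* allowed bits */
} security_server;

/* Server 1: type enforcement driven by a rule table (constructed policy). */
static const struct { const char *src, *tgt; unsigned perms; } te_rules[] = {
    { "httpd_t",  "web_content_t", PERM_READ  },
    { "backup_t", "web_content_t", PERM_READ  },
    { "httpd_t",  "httpd_log_t",   PERM_WRITE },
};

static unsigned te_compute_av(const char *subj, const char *obj) {
    unsigned av = 0;
    for (size_t i = 0; i < sizeof te_rules / sizeof te_rules[0]; i++)
        if (!strcmp(te_rules[i].src, subj) && !strcmp(te_rules[i].tgt, obj))
            av |= te_rules[i].perms;
    return av; /* no matching rule means nothing is allowed (default deny) */
}

/* Server 2: multi-level security; labels are single digits "0".."9". */
static unsigned mls_compute_av(const char *subj, const char *obj) {
    int s = subj[0] - '0', o = obj[0] - '0';
    unsigned av = 0;
    if (s >= o) av |= PERM_READ;  /* no read up */
    if (s <= o) av |= PERM_WRITE; /* no write down */
    return av;
}

const security_server te_server  = { "te",  te_compute_av };
const security_server mls_server = { "mls", mls_compute_av };

/* Enforcement point: identical code whichever server is plugged in. */
int check_access(const security_server *ss, const char *subj,
                 const char *obj, unsigned req) {
    return (ss->compute_av(subj, obj) & req) == req;
}

int main(void) {
    printf("%d\n", check_access(&te_server, "httpd_t", "web_content_t", PERM_READ));
    printf("%d\n", check_access(&te_server, "httpd_t", "web_content_t", PERM_WRITE));
    printf("%d\n", check_access(&mls_server, "1", "2", PERM_READ));
    return 0;
}
```

Changing what is permitted means editing the rule table or swapping the server passed to `check_access`; the enforcement function itself never changes.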
The NSA’s Flask controls have been made available to Sun under a Public Domain license, and Sun will re-license the technology inside OpenSolaris under the open source Common Development and Distribution License (CDDL).
Bill Vass, president and chief operating officer at Sun Microsystems Federal, said in a blog posting that the partnership would reap major benefits for OpenSolaris developers.
“This represents another milestone in bringing flexible MAC to mainstream operating systems and will broaden the set of platforms that support this technology,” Vass said. “We look forward to working closely with the NSA and the Flask community of developers to extend this advanced security technology into OpenSolaris.”