Sun earns certification for Trusted Solaris 8

A security-hardened version of the Sun Microsystems Solaris 8 operating system has achieved the international 'Common Criteria' certification after successfully passing a year of rigorous lab tests at Logica PLC, a U.K. lab.

Trusted Solaris 8 differs from the garden-variety version of Solaris 8 in that it makes use of software compartments, role-based access protection and controlled access to meet high-security requirements for running multiple applications or network access from a single machine.

The Common Criteria security-assurance evaluation program is backed by the U.S. and Canada, as well as several European and Asian nations that have been working together for several years to coordinate lab testing of a wide variety of software and, less often, hardware. The intent is to have mutual recognition of security evaluations on an international basis.

In the U.S., Common Criteria-approved products will soon become mandatory for security devices such as firewalls, biometrics and even operating systems that will be used in national security systems, said Ron Ross, director of the National Information Assurance Partnership.

NIAP is the joint effort between the National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA) to oversee U.S. involvement in the Common Criteria program. The NSA and the U.S. Department of Defense are strong proponents of the program, which replaced the older U.S.-centric "Orange Book" software evaluation program.

Strictly speaking, national security systems are those used by either defense or civilian agencies to process or transmit sensitive and otherwise restricted information. Commercial contractors supporting defense efforts may be asked to use Common Criteria-evaluated products too.

Ross, a NIST employee, said waivers to avoid using Common Criteria products could be granted through the NSA, but it's not expected to be easy to get one.

The government's push toward Common Criteria gives vendors a big incentive to dedicate the time and money needed to market to federal agencies.

According to Mark Thacker, product line manager for Solaris security at Sun, it cost hundreds of thousands of dollars and took a year of work to ensure that Trusted Solaris 8 passed the testing at the Logica lab. Trusted Solaris 8 received "Evaluation Assurance Level 4" using a specific set of what's called "protection profiles."

To understand the Common Criteria test regimen, it's helpful to know that the garden-variety Solaris 8 also passed Common Criteria testing for EAL 4 last February using a different set of "protection profiles" that don't include role-based access control and other features predominant in Trusted Solaris 8.

Thacker said Sun's multilevel Trusted Solaris 8 uses "labels" that make it possible to delegate administration of compartments on the operating system in a way that can't be done on Sun Solaris 8.

"With a 'trusted' OS, you're creating a security cloud in the OS," Thacker says. It allows the system to run multiple applications that are completely separated from each other. Thacker notes that this kind of functionality is not only appealing for national security purposes but also for use in banking and among ISPs, which host multiple customers' Web applications on a single server.

Although Common Criteria EAL runs from a low of "1" to a high of "7," by many accounts, EAL 4 is a demanding test level to pass, based on the types of protection profiles vendors are willing to say their product can meet. In fact, out of the dozens of products on the Common Criteria evaluations list, none has achieved higher than EAL 4 to date. EAL 5 to 7 evaluations would involve reviews at the design stage to confirm that the highest security attributes have been built appropriately into the core product, at a cost few companies could endure, say many close to the Common Criteria program.

But as hard as it is to pass the Common Criteria testing, this doesn't confer an aura of invulnerability on either operating systems or security products. If new security problems are discovered, that may well mean patching Common Criteria-certified products as well.

Veridian Corp., a San Antonio, Texas software developer that works on sensitive Defense Department systems, said Sun has done a good job with Trusted Solaris 8 to make sure the 15,000 applications in the market will be able to run on Trusted Solaris 8. David Castillo, chief architect for trusted technologies at Veridian, noted it wouldn't be unusual to customize programs for Defense Department use.

Sun left it uncertain whether it will seek to obtain Common Criteria certification for the upcoming Solaris 9 operating system.

Microsoft Corp. may be just behind Sun. Microsoft has submitted its Windows 2000 software for EAL 4 evaluation at a lab run by SAIC, and the results from several months of testing are expected any day now, says NIAP director Ross.


Ellen Messmer
