Sun earns certification for Trusted Solaris 8

A security-hardened version of the Sun Microsystems Solaris 8 operating system has achieved the international 'Common Criteria' certification after successfully passing a year of vigorous lab tests at Logica PLC, a U.K. lab.

Trusted Solaris 8 differs from the garden-variety version of Solaris 8 in that it makes use of software compartments, role-based access protection and controlled access to meet high-security requirements for running multiple applications or network access from a single machine.

The Common Criteria security-assurance evaluation program is backed by the U.S. and Canada, as well as several European and Asian nations that have been working together for several years to coordinate lab testing of a wide variety of software and, less often, hardware. The intent is to have mutual recognition of security evaluations on an international basis.

In the U.S., Common Criteria-approved products will soon become mandatory for security devices such as firewalls, biometrics and even operating systems that will be used in national security systems, said Ron Ross, director of the National Information Assurance Partnership.

NIAP is the joint effort between the National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA) to oversee U.S. involvement in the Common Criteria program. The NSA and the U.S. Department of Defense are strong proponents of the program, which replaced the older U.S.-centric "Orange Book" software evaluation program.

Strictly speaking, national security systems are those used by either defense or civilian agencies to process or transmit sensitive and otherwise restricted information. Commercial contractors supporting defense efforts may be asked to use Common Criteria-evaluated products too.

Ross, a NIST employee, said waivers to avoid using Common Criteria products could be granted through the NSA, but it's not expected to be easy to get one.

The government's push toward Common Criteria is a big incentive for vendors to dedicate the time and money needed to market to federal agencies.

According to Mark Thacker, product line manager for Solaris security at Sun, it cost hundreds of thousands of dollars and took a year of work to ensure that Trusted Solaris 8 passed the testing at the Logica lab. Trusted Solaris 8 received "Evaluation Assurance Level 4" using a specific set of what's called "protection profiles."

To understand the Common Criteria test regimen, it's helpful to know that the garden-variety Solaris 8 also passed Common Criteria testing for EAL 4 last February using a different set of "protection profiles" that don't include role-based access control and other features predominant in Trusted Solaris 8.

Thacker said Sun's multilevel Trusted Solaris 8 uses "labels" that make it possible to delegate administration of compartments on the operating system in a way that can't be done on Sun Solaris 8.

"With a 'trusted' OS, you're creating a security cloud in the OS," Thacker says. It allows the system to run multiple applications that are completely separated from each other. Thacker notes that this kind of functionality is not only appealing for national security purposes but also for use in banking and among ISPs, which host multiple customers' Web applications on a single server.

Although Common Criteria EAL runs from a low of "1" to a high of "7," by many accounts, EAL 4 is a demanding test level to pass, based on the types of protection profiles vendors are willing to say their product can meet. In fact, out of the dozens of products on the Common Criteria evaluations list, none has achieved higher than EAL 4 to date. EAL 5 to 7 evaluations would involve reviews at the design stage that the highest security attributes have been built appropriately into the core product - and at a cost few companies could endure - say many close to the Common Criteria program.

But as hard as it is to pass Common Criteria testing, certification doesn't confer an aura of invulnerability on either operating systems or security products. If new security problems are discovered, that may well mean patching Common Criteria-certified products as well.

Veridian Corp., a San Antonio, Texas software developer that works on sensitive Defense Department systems, said Sun has done a good job with Trusted Solaris 8 to make sure the 15,000 applications in the market will be able to run on Trusted Solaris 8. David Castillo, chief architect for trusted technologies at Veridian, noted it wouldn't be unusual to customize programs for Defense Department use.

Sun left it uncertain whether it will seek to obtain Common Criteria certification for the upcoming Solaris 9 operating system.

Microsoft Corp. may be just behind Sun. Microsoft has submitted its Windows 2000 software for EAL 4 evaluation at a lab run by SAIC, and the results from several months of testing are expected any day now, says NIAP director Ross.

Ellen Messmer

Computerworld