Sun earns certification for Trusted Solaris 8

A security-hardened version of the Sun Microsystems Solaris 8 operating system has achieved the international 'Common Criteria' certification after successfully passing a year of vigorous lab tests at Logica PLC, a U.K. lab.

Trusted Solaris 8 differs from the garden-variety version of Solaris 8 in that it makes use of software compartments, role-based access protection and controlled access to meet high-security requirements for running multiple applications or network access from a single machine.

The Common Criteria security-assurance evaluation program is backed by the U.S. and Canada, as well as several European and Asian nations that have been working together for several years to coordinate lab testing of a wide variety of software and, less often, hardware. The intent is to have mutual recognition of security evaluations on an international basis.

In the U.S., Common Criteria-approved products will soon become mandatory for security devices such as firewalls, biometrics and even operating systems that will be used in national security systems, said Ron Ross, director of the National Information Assurance Partnership.

NIAP is the joint effort between the National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA) to oversee U.S. involvement in the Common Criteria program. The NSA and the U.S. Department of Defense are strong proponents of the program, which replaced the older U.S.-centric "Orange Book" software evaluation program.

Strictly speaking, national security systems are those used by either defense or civilian agencies to process or transmit sensitive and otherwise restricted information. Commercial contractors supporting defense efforts may be asked to use Common Criteria-evaluated products too.

Ross, a NIST employee, said waivers to avoid using Common Criteria products could be granted through the NSA, but it's not expected to be easy to get one.

The government's push toward Common Criteria gives vendors a big incentive to dedicate the time and money needed to market to federal agencies.

According to Mark Thacker, product line manager for Solaris security at Sun, it cost hundreds of thousands of dollars and took a year of work to ensure that Trusted Solaris 8 passed the testing at the Logica lab. Trusted Solaris 8 received "Evaluation Assurance Level 4" using a specific set of what's called "protection profiles."

To understand the Common Criteria test regimen, it's helpful to know that the garden-variety Solaris 8 also passed Common Criteria testing for EAL 4 last February using a different set of "protection profiles" that don't include role-based access control and other features predominant in Trusted Solaris 8.

Thacker said Sun's multilevel Trusted Solaris 8 uses "labels" that make it possible to delegate administration of compartments on the operating system in a way that can't be done on Sun Solaris 8.

"With a 'trusted' OS, you're creating a security cloud in the OS," Thacker says. It allows the system to run multiple applications that are completely separated from each other. Thacker notes that this kind of functionality is not only appealing for national security purposes but also for use in banking and among ISPs, which host multiple customers' Web applications on a single server.

Although Common Criteria EALs run from a low of "1" to a high of "7," by many accounts EAL 4 is a demanding test level to pass, based on the types of protection profiles vendors are willing to say their product can meet. In fact, out of the dozens of products on the Common Criteria evaluations list, none has achieved higher than EAL 4 to date. EAL 5 to 7 evaluations would involve reviews at the design stage to confirm that the highest security attributes have been built appropriately into the core product, at a cost few companies could endure, say many close to the Common Criteria program.

But as hard as it is to pass Common Criteria testing, doing so doesn't confer an aura of invulnerability on either operating systems or security products. If new security problems are discovered, that may well mean patching Common Criteria-certified products as well.

Veridian Corp., a San Antonio, Texas software developer that works on sensitive Defense Department systems, said Sun has done a good job with Trusted Solaris 8 to make sure the 15,000 applications in the market will be able to run on Trusted Solaris 8. David Castillo, chief architect for trusted technologies at Veridian, noted it wouldn't be unusual to customize programs for Defense Department use.

Sun left it uncertain whether it will seek to obtain Common Criteria certification for the upcoming Solaris 9 operating system.

Microsoft Corp. may be just behind Sun. Microsoft has submitted its Windows 2000 software for EAL 4 evaluation at a lab run by SAIC, and the results from several months of testing are expected any day now, says NIAP director Ross.


Ellen Messmer
