Thursday Feb 11, 2010

Oracle Cross Domain Security Express

On January 27 Oracle announced that it had finalized its acquisition of Sun. This week I accepted an offer of employment from Oracle so I will be continuing in my role as one of the leaders of the Solaris security development team. Trusted Extensions remains a key part of that strategy, and is specifically highlighted in John Fowler's Webcast. There is about a minute devoted to Solaris security, starting at 4:38, and a slide at 5:30 showing Trusted Extensions and RBAC (two of my favorites) as key Solaris features.

Oracle and Sun have a long history of cooperation in the area of multilevel security, and I have been personally involved in some interesting projects. My earliest involvement dates back to 1991 when Oracle and Sun demonstrated Trusted Oracle running on SunOS CMW at the 14th annual National Computer Security Conference in Baltimore. I presented a white paper at the conference entitled Reconciling CMW Requirements with those of X11 Applications.

I had another opportunity to work with Oracle, starting in 2006, prototyping a cross-domain architecture using labeled zones to proxy SQL requests from separate application enclaves. Oracle was our first partner to use Trusted Extensions, even before it was integrated into Solaris 10 update 3.

The prototype was successful, and after significant refinement has been released under the name Oracle Cross-Domain Security Express. It has been authorized to operate on US government networks and has been certified and accredited according to DCID 6/3 PL4 requirements. A brochure describing the solution is available on the Oracle Website. As you can see, it relies on labeled zones and trusted networking to provide isolation and to associate labels with client requests.

For an interactive description, I recommend the YouTube video that one of my new Oracle colleagues, Jonathan Bakke, has posted. Jon is the Senior Director of the Cross-Domain Systems group. We first met back in 2006, about the time I started this blog.

Saturday Oct 17, 2009

Labeled Zone Manager 2.0

There is a new and improved version of txzonemgr, called Labeled Zone Manager 2.0, in the latest version of the OpenSolaris developer repository. There are about a dozen new features which should make it easier for both beginners and experienced users to configure their Trusted Extensions systems. I've updated the beginner's instructions to take advantage of some of the automation. For example, if you have not previously created any zones, you will be asked if you want to create the public zone automatically. If you click OK, the zone is configured, labeled, installed, and booted without any user intervention. The command layout is also more efficient, which simplifies navigation of the menu hierarchy.

The old interface to select a zone's label has been replaced; we now use the same label builder dialog that is integrated into the Trusted Path menus. So any label_encodings file will work without any performance issues. Among the other new features are:

  • Adding or removing network access to/from specified hosts or networks for each zone
  • Adding or removing specified hosts or networks to/from the list of trusted hosts and networks
  • Configuring multilevel ports and label ranges for each zone
  • Support for the exclusive IP stacks and VNICs with labeled zones (Crossbow)
  • Preliminary code to support Encrypted ZFS datasets for each zone

Collectively the new features are a replacement for the functionality that was previously provided by the Computers and Networks tool in the Solaris Management Console. For a step-by-step walk through of the new features refer to the test plan.

Sunday Aug 30, 2009

An Update on Using Xvnc for Remote MLS Sessions

About a year and a half ago I posted instructions about using Xvnc with Trusted Extensions. Those instructions apply to systems using dtlogin, the CDE Display Manager, such as Nevada releases and Solaris 10 update 7. However, OpenSolaris uses gdm, the GNOME Display Manager, and requires a different set of configuration procedures.

There is an excellent blog by Abhimanyu on this topic that describes the configuration steps for OpenSolaris 2009.06. In general, it also applies to Trusted Extensions, so you should begin by following those instructions. However, there are a few more issues and procedures required to get this to work properly in a labeled environment. 

The first problem is that the Xvnc server started by the xvnc-inetd SMF service runs as the user and group noaccess. While this is generally a good idea, it prevents Xvnc from binding to one of the multilevel ports (6000-6003 by default), because binding a multilevel port requires a privilege that noaccess does not have. You may notice that the DISPLAY variable starts with hostname:4, because port 6004 is the first unprivileged TCP port available. There are two workarounds for this problem:

  1. Use UNIX domain sockets instead
  2. Grant Xvnc sufficient privilege

One way to tell the X clients to use UNIX domain sockets is to set the hostname component of the DISPLAY variable to unix, e.g. unix:1. However, the next question is where to specify this setting. I couldn't find a supported way to do this, so I modified the script /etc/X11/gdm/Xsession. The first non-comment line sets the DISPLAY. I changed it as follows:

# Replace the localhost address with "unix" so clients use the UNIX domain socket
export DISPLAY=`echo $DISPLAY | sed -e 's/^127\.0\.0\.1:/unix:/'`

This assumes that the normal DISPLAY is already set to the IP address of localhost, which is the default for OpenSolaris TX. If yours is different, make the appropriate change. A major advantage of using UNIX domain sockets is that the labeled zones don't require a route to the global zone's X server.

The other approach is to add the privilege, net_bindmlp, which is required to bind to a multilevel port. This can be done by editing the xvnc-inetd service. Start by running these commands:

# svccfg -s xvnc-inetd
svc:/application/x11/xvnc-inetd> editprop 

A gedit window will pop up. Look for the following line specifying the inetd_start/privileges property,  remove the comment character and add the net_bindmlp privilege:

setprop inetd_start/privileges = astring: basic,net_bindmlp

Save the file, quit gedit, and exit svccfg. Then refresh the service, as follows:

# svcadm refresh xvnc-inetd 
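To make the two facts behind these workarounds concrete, here is an added Python example (it is not code from the original post or from Solaris). It models the DISPLAY rewrite from the localhost TCP form to the unix: form, and the display-number-to-TCP-port mapping that decides whether Xvnc needs net_bindmlp. It assumes the default DISPLAY host is 127.0.0.1 or localhost, that X display N listens on TCP port 6000+N, and that the multilevel port range is 6000-6003 as described above; the function names and sample DISPLAY values are the example's own.

```python
"""Added example, not from the original post: model of the Xvnc port problem.

Assumptions made only by this example: DISPLAY defaults to the localhost
address 127.0.0.1 or "localhost", X display N listens on TCP port 6000+N,
and the multilevel port range reserved for the X server is 6000-6003.
"""
import re

X_BASE_PORT = 6000
MULTILEVEL_PORTS = range(6000, 6004)          # 6000-6003 inclusive
LOCAL_HOSTS = ("127.0.0.1", "localhost", "")   # hosts that mean "this machine"

_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(display):
    """Split 'host:N[.S]' into (host, N, screen-or-None)."""
    m = _DISPLAY_RE.match(display)
    if m is None:
        raise ValueError(f"not a DISPLAY value: {display!r}")
    screen = m.group("screen")
    return m.group("host"), int(m.group("num")), (int(screen) if screen is not None else None)


def to_unix_display(display):
    """Rewrite a localhost TCP DISPLAY ('127.0.0.1:1') to the UNIX-domain form
    ('unix:1'), which is what the sed line added to Xsession does. Displays on
    other hosts are returned unchanged so remote clients keep working."""
    host, num, screen = parse_display(display)
    if host in LOCAL_HOSTS:
        host = "unix"
    return f"{host}:{num}" + (f".{screen}" if screen is not None else "")


def display_tcp_port(display):
    """TCP port an X server for this display listens on (6000 + N)."""
    return X_BASE_PORT + parse_display(display)[1]


def needs_net_bindmlp(display):
    """True when serving this display means binding a multilevel port, which an
    unprivileged (noaccess) Xvnc cannot do without net_bindmlp."""
    return display_tcp_port(display) in MULTILEVEL_PORTS


def first_unprivileged_display():
    """Lowest display number an Xvnc without net_bindmlp can actually bind;
    with the defaults above this is 4, hence the 'hostname:4' symptom."""
    return next(n for n in range(256) if X_BASE_PORT + n not in MULTILEVEL_PORTS)


if __name__ == "__main__":
    for d in ("127.0.0.1:1", "localhost:2.0", "unix:3", "desk.example.com:1"):
        print(f"{d:22} -> {to_unix_display(d):20} port {display_tcp_port(d)}"
              f" needs net_bindmlp={needs_net_bindmlp(d)}")
    print("first display an unprivileged Xvnc can bind:", first_unprivileged_display())
```

Running the script prints which of the sample displays fall inside the multilevel range; if your site changes the multilevel port range, adjust MULTILEVEL_PORTS to match.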

Once you've got this working, you'll probably want to replace the default GNOME login window with the OpenSolaris dialog. To do this,  edit the file /etc/X11/gdm/custom.conf, as follows:


You may need to restart the gdm service for this to take effect:

# svcadm restart gdm 

Saturday Aug 29, 2009

Using the Dev Repository with Trusted Extensions

Now that OpenSolaris 2009.06 has been released, the next major release is planned for 2010.02. You can get early access to it by pointing the Package Manager at the Development repository. Since the 2009.06 release, based on build 111, there have already been some major changes. The latest OpenSolaris build number in the Dev repository is 121, and updates occur about every two weeks.

This release includes some changes to the labeled zone brand. A new meta-package called trusted-nonglobal specifies the minimal set of packages needed to run the Trusted Desktop in a labeled zone. This is now installed automatically via the txzonemgr. While this is referred to as a whole-root zone, it should not be confused with the way that term is used in Solaris 10. Previously, a whole-root zone contained a copy of all the packages that have been installed in the global zone. But a whole-root labeled zone is a minimized install. The list of packages in the labeled zone brand is enumerated in this manifest. Other differences in the configuration of labeled brand zones have been factored out of the template file and made part of the brand specification. This makes it easier to make future changes transparent to the administrator.

The latest version of GNOME is 2.26.2. This fixes some previous problems like the Trusted Stripe occasionally crashing. But there are still a few required workarounds. These should be fixed in the next major GNOME version, 2.28, which is scheduled for OpenSolaris build 124.

I've added a link to the Trusted Extensions page on OpenSolaris which describes how to install and configure Trusted Extensions using the latest version from the development repository.

Wednesday Jun 10, 2009

An Update on Sensitivity Labels as ZFS Attributes


Last December I posted an entry entitled Maintaining Zone Labels as ZFS Attributes in which I described a prototype for persistent labeling of ZFS datasets. This has become a real project, Security Labels for ZFS and has been assigned case number PSARC/2009/348 . Here is a link to the one-pager.

You can follow along with the review process or contribute to the discussion of the case here.

Saturday Jun 06, 2009

Trusted Extensions in OpenSolaris 2009.06

Last week I attended Community One at which the latest release of OpenSolaris was announced. As in previous versions, running Trusted Extensions requires a few workarounds to deal with changes in zone behavior such as cloning and the use of IPS packages. The steps are described here.

One outstanding issue is the support of sparse-root zones. This is the feature in which the non-global zones share read-only mounts of the global zone's filesystems, such as /usr, /lib, /platform, /sbin, and /opt. While this feature is currently being used in the Trusted Extensions labeled zone configuration, it is not supportable by the underlying IPS packaging system. There is a more complete discussion on this issue in Dan Price's blog entry A field guide to Zones in OpenSolaris 2008.05.

While we are evaluating alternatives to the sparse-root zone configuration, we plan to provide an updated installation procedure based on whole-root zones. These labeled zones will contain only the packages which are necessary and sufficient to run the multilevel desktop. Since all the zones are based on ZFS datasets, cloning will be used to minimize disk space and installation time. These updates will be made available in the Development Release Packaging Repository. I'll make another posting when they are available for download.


Safe Browsing Revisited

Almost three years ago I posted an entry entitled Safe Browsing and URL Forwarding in which I described how labeled web browsers could be launched at the label corresponding to the web site. Now BlueSpace has extended that concept in a new product called BlueSpace Multilevel Search and Share (S2). Using their Trusted Service Bus, Trusted Extensions, and Google's enterprise search appliance, they are able to aggregate the search results from multiple labeled networks, without upgrading the data. Search results are labeled according to the network on which they were found. Clicking on a link opens up a browser in a labeled zone corresponding to the label of the data. This approach avoids the problems associated with moving or elevating data between classified networks using guards or proxies.

Here is a link to their press release describing the work in progress.

Sunday Mar 22, 2009

Cool Demo of a Command and Control Mashup

BlueSpace has provided a cool demonstration video of a multilevel Command and Control System (C2S) based on Solaris 10 Trusted Extensions. As they've done in their TransMail Trusted Edition product, the C2S demo relies on their Multilevel Messaging and Middleware. The Trusted Service Bus synchronizes multiple views from uniquely labeled sources so they can be aggregated into a mashup, while maintaining data separation. Note that the labeled windows associated with the individual coalition partners are each running in their own zones, with their own isolated networks. This is a great example of the kinds of solutions that can be built using this platform.

Friday Jan 30, 2009

SuperHappyDevHouse Event at Sun

Sun is hosting an Open House at its Executive Briefing Center on Saturday, January 31, for a local technical community called SuperHappyDevHouse. I have set up a demonstration system with 50 zones which is wide open for exploitation. The root password is posted, and remote access via vncviewer or telnet is unrestricted. This is a great opportunity to own your own zone, do whatever you want to it, and not get in trouble. All of the zones are cloned from a ZFS snapshot, so I can quickly restore them if they are destroyed. They are using the new Virtual NIC (vnic) support that I discussed in my previous blog entry. So each zone gets its IP address from the same WiFi access point as our visitors. The ssid is ZONES.

This is all running on a single UltraSPARC T2 processor, with 8 cores and 64 hardware threads. It is running Solaris Nevada build 105. A corresponding x86/x64 version of OpenSolaris is available here.

Here is a very brief overview of the zone configuration, access instructions, and a list of activities to try. Have fun!

Monday Jan 26, 2009

Using IP Instances and Virtual NICs with Trusted Extensions

The OpenSolaris 2008.11 IPS packages are now organized in four repositories:

  • /release
  • /dev
  • /contrib
  • /pending

giving you the option to be a software pioneer. I used the /dev repository to update my Trusted Extensions laptop from the /release repository (running build 101) to build 105. In the Package Manager I selected Settings->Manage Repositories->Modify and changed the URL to Then I selected Package->Update All, waited and rebooted. The new system came up running Trusted Extensions with only one hiccup: the Device Manager crashes when filling in its available device list; we're working on a fix.

My main reason for upgrading to this new build is that it includes new Virtual NIC (vnic) support from the Crossbow project. This makes it easier to bring up both the wireless and wired NICs on my laptop, with the former connected to the public Internet, and the latter connected to Sun's Wide Area Network (SWAN). Naturally, I am using the trusted network features of Trusted Extensions to isolate these two networks. The wireless network is being used in my public zone and the wired network is used in the internal zone. Both networks are using DHCP, but each is independent. The public network is using NWAM, and is configured essentially the same way I have described in a previous entry.

The internal zone configuration is new. It takes advantage of the ability to create a vnic from the wired interface. Before doing so, I used the NWAM configuration menu in the GNOME panel to disable the wired interface. I first selected Always Use Wireless Network Interface (iwk0), and then selected the Edit Network Interface Priorities to ensure that Wireless (iwk0) was used. Since I wasn't sure that the NWAM GUI settings were persistent across reboots, I also edited the file /etc/nwam/llp, removing the entry for the wired interface.

Then I created a virtual instance of the wired interface.

# dladm create-vnic -l e1000g0 vpn0

for exclusive use within the internal zone. To change the zone's network configuration, I ran the following as root within the internal zone:

# sys-unconfig

which halted the zone. I used the zonecfg command to add the following to the zone's existing configuration:

# zonecfg -z internal
zonecfg:internal> set ip-type=exclusive
zonecfg:internal> add net
zonecfg:internal:net> set physical=vpn0
zonecfg:internal:net> end
zonecfg:internal> exit

Since this zone will not be using the same DNS service as the global zone, it must have its own instance of the Name Service Cache Daemon, nscd. There is a global zone switch to run an instance of nscd in each zone. Although this can be set using the txzonemgr script, I wanted to continue sharing /etc/passwd and /etc/shadow, so I set the switch by hand as follows:

# touch /zone/internal/root/var/tsol/doors/nscd_per_label

This would normally be sufficient, except that I previously enabled another workaround which runs nscd with the privilege to communicate with lower-level DNS servers. So, it is also necessary to add the privilege net_mac_aware to the zone's default privilege set. This is done by adding the following line to /usr/lib/brand/labeled/config.xml:

<privilege set="default" name="net_mac_aware" />

The internal zone needs to be reconfigured as a DHCP client. This is done by copying the following into the file /zone/internal/root/etc/sysidcfg:

network_interface=PRIMARY {

All the zones must now explicitly use DNS, so I copied /etc/nsswitch.dns to /etc/nsswitch.conf in each zone.

Since the internal zone runs its own network, it needs an eventhook script to set up /etc/resolv.conf and (optionally) the nis service. The one included in Darren Moffat's blog worked nicely. I copied it to /etc/dhcp, making sure it was executable. The final step was to assign the internal network template to the set of SWAN IP addresses. As a simple approximation, I just added the following to /etc/security/tsol/tnrhdb:

although the actual list of SWAN subnets is more restrictive (I'll fix this later). Then I crossed my fingers and rebooted the laptop. The two networks came up correctly. I brought up a Terminal in the internal zone, and verified that it was connected to SWAN. The only error I saw was that the nis client service in the internal zone was in the maintenance state. The log file complained that there was no binding directory for the nis service. I fixed that by typing:

# mkdir /var/yp/binding/

# svcadm clear svc:/network/nis/client:default

Now I have two network infrastructures running on my laptop: an all-zones wireless interface for the public Internet, and a wired vnic interface for SWAN in the internal zone using nis. The only remaining problem is that the internal zone's network doesn't respond to ethernet hot-plug events. My workaround for this last minor problem is to restart the service in the internal zone by hand:

# svcadm restart svc:/network/physical:default

So now, I have a true mobile multilevel laptop which works anywhere on the Sun campus, that can be suspended and resumed, and automatically reconnects to both the Internet and SWAN networks.
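The over-broad tnrhdb approximation mentioned above is worth seeing in action, because the template a peer is assigned decides which label its traffic gets. The following Python script is an added example (not from the original post or from Solaris): it parses entries in the address[/prefix]:template form and models the peer-to-template lookup as a longest-prefix match with 0.0.0.0 as the wildcard entry. The sample file, every address in it (10.0.0.0/8 stands in for the SWAN approximation, 10.1.0.0/16 for a tighter list) and the function names are constructed for the example.

```python
"""Added example, not from the original post or from Solaris: a model of how
the tnrhdb peer-to-template assignment treats an over-broad network entry.

Assumptions made by this example: tnrhdb lines have the form
"address[/prefix]:template", "#" starts a comment, an address of 0.0.0.0 (or ::)
without a prefix is the wildcard entry, and the lookup picks the most specific
(longest-prefix) entry that contains the peer address. The sample file and every
address in it are constructed; 10.0.0.0/8 stands in for the SWAN approximation.
"""
import ipaddress

BROAD_TNRHDB = """\
# constructed sample, not a real tnrhdb
127.0.0.1:cipso         # this host
10.0.0.0/8:internal     # too wide: every 10.x.x.x peer gets the internal template
192.168.1.0/24:cipso    # another labeled network
0.0.0.0:admin_low       # wildcard: everything else is treated as unlabeled
"""

# Same file with the /8 narrowed to the (constructed) subnet that really is internal.
TIGHT_TNRHDB = BROAD_TNRHDB.replace("10.0.0.0/8:internal", "10.1.0.0/16:internal")


def parse_tnrhdb(text):
    """Return [(ip_network, template)] for each non-comment line of a tnrhdb."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, template = line.rsplit(":", 1)      # template names contain no ':'
        if "/" not in addr and int(ipaddress.ip_address(addr)) == 0:
            addr += "/0"                           # wildcard entry matches everything
        entries.append((ipaddress.ip_network(addr, strict=False), template))
    return entries


def lookup_template(entries, peer):
    """Template for a peer address: the most specific matching entry, else None."""
    ip = ipaddress.ip_address(peer)
    best = None
    for net, template in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, template)
    return best[1] if best is not None else None


def hosts_given_template(entries, template, peers):
    """Which of the given peers this tnrhdb would place in `template`."""
    return [p for p in peers if lookup_template(entries, p) == template]


if __name__ == "__main__":
    probes = ["10.1.2.3", "10.200.1.1", "192.168.1.7", "203.0.113.9"]
    for name, text in (("broad", BROAD_TNRHDB), ("tight", TIGHT_TNRHDB)):
        ents = parse_tnrhdb(text)
        print(f"{name}: internal = {hosts_given_template(ents, 'internal', probes)}")
```

With the broad file, a constructed peer such as 10.200.1.1 that is not on the real internal subnet is still handed the internal template; with the tightened entry it falls through to the admin_low wildcard, which is the difference the author promises to fix later.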

Sunday Jan 25, 2009

Improving X11 Performance and Security

The X11 server in OpenSolaris is configured using the limited_net service profile (Secure by Default) so that it does not listen for TCP connections. Instead, it relies on the local transport, UNIX domain sockets. When Trusted Extensions is enabled via the SMF labeld service, this restriction is relaxed to allow some TCP connections. This was necessary because UNIX domain sockets could not be used for the cross-zone access required by X11 clients running in labeled zones. To minimize the risk, the X11 server rejects connections from untrusted X11 clients. However, this solution was not ideal because TCP connections are slower than UNIX domain sockets and require network connectivity between labeled zone clients and the global zone X11 server.

Starting with OpenSolaris 2008.11, UNIX domain sockets can now be used by labeled zone X11 clients, but the configuration does not yet work by default. The workaround is fairly simple, and actually reverses a previous workaround that I described last July. Here are the steps:

# mkdir -p /etc/dt/config

# cp /usr/dt/config/Xinitrc.tjds /etc/dt/config

In the new Xinitrc.tjds file, change the setting for the DISPLAY variable and add the following mount command:

# Workaround X connection problem
export DISPLAY=unix:0
mount -F lofs /tmp/.X11-unix /var/tsol/doors/.X11-unix

Then you can disable the TCP listener in the X11 server as follows:

# svccfg -s x11-server setprop options/tcp_listen=false

These changes will take effect on the next login. This configuration makes it easier to use exclusive IP stack instances, since the X11 clients no longer need any access to the global zone's network. I'll explore that more fully in my next blog entry.

Saturday Jan 17, 2009

3D Accelerated Virtualized World Tours

The latest VirtualBox 2.1 release includes a new experimental* high performance XGL driver for Windows guests. This makes it possible to run 3D applications like Google Earth in virtualized environments with excellent performance. I've previously blogged about running VirtualBox guests in labeled zones. But the new 3D capability is so amazing that you have to see it to believe it. Now I've made my first YouTube video, showing the system performance on my Toshiba M9 with 4GB of RAM. An instance of VirtualBox is running in each labeled zone, and an instance of Microsoft Vista is running in each VirtualBox. Each Vista instance is running Google Earth, at high speed using the virtual XGL driver included in the VirtualBox Guest Additions.

I also uploaded a QuickTime version of this video to Sun's MediaCast web site which provides higher resolution than YouTube.

Since this is a security blog, it is important to mention that the network isolation provided by Trusted Extensions extends only as far as the Vista guests. The PUBLIC instance is connected to the public Internet, and the CONFIDENTIAL : INTERNAL USE ONLY instance is connected to Sun's Wide Area Network (SWAN) via the Cisco 3000 VPN. Although the remote VPN endpoint has been labeled CONFIDENTIAL : INTERNAL USE ONLY, neither the Cisco VPN server nor SWAN are label-aware, so the network isolation enforced by Trusted Extensions doesn't extend outside of SWAN. That's why the internal zone instance of Google Earth can connect to the PUBLIC Google servers. The Windows VPN hides this traffic from the Solaris kernel. In a classified environment, this would not be permitted.

For those trying this at home, I pulled out all the stops to get the best performance. I used UNIX domain sockets instead of TCP for X11, and I ran the demo several times to get the images into the cache. Otherwise this ran on the official releases of OpenSolaris 2008.11 and VirtualBox 2.1.

* See the VirtualBox user manual, chapter 4.8, Hardware 3D acceleration (OpenGL), page 66.

Friday Dec 26, 2008

Trusted Extensions Chapters in Two New Books

I've recently co-authored two chapters about Trusted Extensions. The first is a Case Study: Solaris Trusted Extensions in Trent Jaeger's new book Operating System Security. This book will be used in university classes, and addresses some of the trade-offs made by security designers.

The second book Solaris Security Essentials, will soon be published by Sun Microsystems. It describes how to configure a Trusted Extensions system in Solaris 10. Various chapters in the book are currently available for review via the Safari Rough Cuts web site. Your feedback is welcome.

Obviously I'm pleased to have another opportunity to help new users get started with Trusted Extensions.

Device Allocation in OpenSolaris 2008.11

I've been having problems mounting removable media when Trusted Extensions is enabled in the latest OpenSolaris release, so I took a closer look at the shell script /etc/security/lib/disk_clean. This file handles mounting and unmounting of cdrom and rmdisk devices. There have been some subtle changes in the hal(5) framework which affect the script. Here is a copy of an updated version that works much better.

There are still a few other issues which I don't completely understand. The script invokes zenity(1) to pop up a few dialogs. With the latest version of GNOME (2.24) these dialogs are going behind the Device Manager, so you probably won't be aware of them unless you notice something flashing in the GNOME panel. The Device Manager will appear to hang until you respond to these dialogs (which you can't see). So move the Device Manager to one of the corners of your desktop before allocating a device, and look for these dialog windows when the program appears to hang. I tried fixing this with the System->Preferences->Windows menu, but that doesn't work for me.

Another problem is that all of the devices come up in the maintenance state when the system is booted, and must be reset via the Administration->Revoke item in the Device Manager. Devices are supposed to be reset to Available when the system is booted.

I'm also seeing an occasional problem with cdrom0 being assigned to the wrong controller number in /etc/security/device_maps. If cdrom0 allocation isn't working for you, try this:

# eject cdrom

This command will emit the full pathname for the cdrom device. It should match one of the devices in the Device Map, which you can view by picking the Administration->Properties item when cdrom0 is selected. If the controller number is wrong, either fix it in this dialog (which is tedious) or edit the underlying device_maps file.

One final issue is that the icons for the devices are missing from the repository, so the GUI has little blobs where the icons should appear. As a workaround, you can get the missing icons from this tar file, and extract it into /usr/share.

Saturday Dec 20, 2008

Suspend and Resume in OpenSolaris 2008.11

One of the significant new features in OpenSolaris 2008.11 is support for Suspend and Resume. Unfortunately, this feature doesn't show up in the GUIs when Trusted Extensions is enabled. This is similar to the problem with the nwam-manager discussed in the previous blog entry, but the workaround is a bit different.

The HAL daemon is responsible for granting permission to the user to suspend the system, and the daemon isn't started properly when the TX user logs in. I worked around this by creating an executable shell script,


with the following two lines:


svcadm restart hal

The next time you log in you should see the Suspend option in the Shut Down dialog and Power Management Preferences. Now you can suspend by closing the lid on your laptop. However, I found another issue with NWAM, so I have yet another workaround. When resuming after being suspended, NWAM doesn't automatically detect your network status. I added the following line to the end of the shell script


(before the exit):

svcadm restart nwam

Now, I get connected to the new network when I resume my system.


This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.

