Sunday Mar 20, 2011

News from the trenches

A lot has happened in the year since my last posting. The former Sun Solaris team has been integrated into Oracle, and released its first product based on OpenSolaris, called Oracle Solaris 11 Express. The Express release is an interim step on the path to the next major release, Oracle Solaris 11. Some of the new features in the area of security are described here, along with some more extensive documentation.

I was one of the speakers who gave an overview of Oracle Solaris 11 Express last November, at the LISA conference. Slides and a video of my presentation are posted on the Oracle Media website. One of the new features of interest to users of Trusted Extensions is the automatic labeling of ZFS datasets when they are first mounted by labeled zones. I previously wrote about this in a posting entitled An Update on Sensitivity Labels as ZFS Attributes. This ensures that labeled datasets are not accidentally mounted into zones with unequal labels. It also provides a mechanism to determine the label of a dataset that is not currently mounted. This is a natural extension to the original design of labeled filesystems that was introduced in Solaris 10, back in 2006. I was recently awarded two US patents for this technology, with the formal titles Mechanism for implementing file access control using labeled containers and Mechanism for implementing file access control across a network using labeled containers. There are further enhancements in this area that are planned for a future release.

Thursday Feb 11, 2010

Oracle Cross Domain Security Express

On January 27 Oracle announced that it had finalized its acquisition of Sun. This week I accepted an offer of employment from Oracle, so I will be continuing in my role as one of the leaders of the Solaris security development team. Trusted Extensions remains a key part of that strategy, and is specifically highlighted in John Fowler's Webcast. There is about a minute devoted to Solaris security, starting at 4:38, and a slide at 5:30 showing Trusted Extensions and RBAC (two of my favorites) as key Solaris features.

Oracle and Sun have a long history of cooperation in the area of multilevel security, and I have been personally involved in some interesting projects. My earliest involvement dates back to 1991, when Oracle and Sun demonstrated Trusted Oracle running on SunOS CMW at the 14th annual National Computer Security Conference in Baltimore. I presented a white paper at the conference entitled Reconciling CMW Requirements with those of X11 Applications.

I had another opportunity to work with Oracle, starting in 2006, prototyping a cross-domain architecture using labeled zones to proxy SQL requests from separate application enclaves. Oracle was our first partner to use Trusted Extensions, even before it was integrated into Solaris 10 update 3.

The prototype was successful, and after significant refinement has been released under the name Oracle Cross-Domain Security Express. It has been authorized to operate on US government networks and has been certified and accredited according to DCID 6/3 PL4 requirements. A brochure describing the solution is available on the Oracle Website. As you can see, it relies on labeled zones and trusted networking to provide isolation and to associate labels with client requests.

For an interactive description, I recommend the YouTube video that one of my new Oracle colleagues, Jonathan Bakke, has posted. Jon is the Senior Director of the Cross-Domain Systems group. We first met back in 2006, about the time I started this blog.

Sunday Aug 30, 2009

An Update on Using Xvnc for Remote MLS Sessions

About a year and half ago I posted instructions about using Xvnc with Trusted Extensions. Those instructions apply to systems using dtlogin, the CDE Display Manager, such as Nevada releases and Solaris 10 update 7. However, OpenSolaris uses gdm, the GNOME Display Manager and requires a different set of configuration procedures.

There is an excellent blog by Abhimanyu on this topic that describes the configuration steps for OpenSolaris 2009.06. In general, it also applies to Trusted Extensions, so you should begin by following those instructions. However, there are a few more issues and procedures required to get this to work properly in a labeled environment. 

The first problem is that the Xvnc server that is started by the xvnc-inetd SMF service is assigned to the user and group noaccess. While this is generally a good idea, it prevents Xvnc from binding to one of the multilevel ports (6000-6003 by default). You may notice that the DISPLAY variable starts with hostname:4 because that is the first unprivileged TCP port available. There are two workarounds for this problem:

  1. Use UNIX domain sockets instead
  2. Grant Xvnc sufficient privilege

One way to tell the X clients to use UNIX domain sockets is to set the hostname component of the DISPLAY variable to unix, e.g. unix:1. However, the next question is where to specify this setting. I couldn't find a supported way to do this, so I modified the script /etc/X11/gdm/Xsession. The first non-comment line sets the DISPLAY. I changed it as follows (the sed pattern replaces the localhost address with unix, leaving the display number intact):

export DISPLAY=`echo $DISPLAY | sed -e "s/127.0.0.1/unix/"`

This assumes that the normal DISPLAY is already set to the IP address of localhost, which is the default for OpenSolaris TX. If yours is different, make the appropriate change. A major advantage of using UNIX domain sockets is that the labeled zones don't require a route to the global zone's X server.

The other approach is to add the privilege, net_bindmlp, which is required to bind to a multilevel port. This can be done by editing the xvnc-inetd service. Start by running these commands:

# svccfg -s xvnc-inetd
svc:/application/x11/xvnc-inetd> editprop 

A gedit window will pop up. Look for the following line specifying the inetd_start/privileges property, remove the comment character and add the net_bindmlp privilege:

setprop inetd_start/privileges = astring: basic,net_bindmlp

Save the file, quit gedit, and exit svccfg. Then refresh the service, as follows:

# svcadm refresh xvnc-inetd 
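The two workarounds above, packaged as shell helpers in an added example that is not code from the original post: the DISPLAY rewrite keeps a screen suffix and leaves an already-local value alone, and the privilege edit is idempotent, so running it twice does not produce basic,net_bindmlp,net_bindmlp. The service and property names are the ones from the post; the svccfg command is only printed, never executed.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the two Xvnc
# workarounds (UNIX domain socket DISPLAY, net_bindmlp privilege). They are
# pure string functions, so they can be tested off a Trusted Extensions host.

# display_to_unix DISPLAY
# Replace the host component with "unix" so X clients use a UNIX domain
# socket: 127.0.0.1:1 -> unix:1, 127.0.0.1:1.0 -> unix:1.0. A value with no
# host (":1") or one already using unix is returned unchanged.
display_to_unix() {
  case "$1" in
    :*|unix:*) printf '%s\n' "$1" ;;
    *:*)       printf 'unix:%s\n' "${1#*:}" ;;
    *)         echo "display_to_unix: not a DISPLAY value: '$1'" >&2; return 1 ;;
  esac
}

# has_priv LIST PRIV: 0 if the comma-separated privilege LIST contains PRIV.
has_priv() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# add_priv LIST PRIV: print LIST with PRIV appended unless already present.
# An empty LIST (property still commented out) starts from "basic", as the
# commented line in the service manifest does.
add_priv() {
  if has_priv "$1" "$2"; then
    printf '%s\n' "$1"
  elif [ -z "$1" ]; then
    printf 'basic,%s\n' "$2"
  else
    printf '%s,%s\n' "$1" "$2"
  fi
}

# xvnc_setprop_cmd CURRENT_LIST
# Print (do not run) the svccfg command that sets inetd_start/privileges
# on xvnc-inetd with net_bindmlp added; follow it with svcadm refresh.
xvnc_setprop_cmd() {
  printf 'svccfg -s xvnc-inetd setprop inetd_start/privileges = astring: %s\n' \
    "$(add_priv "$1" net_bindmlp)"
}
```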

Once you've got this working, you'll probably want to replace the default GNOME login window with the OpenSolaris dialog. To do this, edit the file /etc/X11/gdm/custom.conf, as follows:


You may need to restart the gdm service for this to take effect:

# svcadm restart gdm 

Wednesday Jun 10, 2009

An Update on Sensitivity Labels as ZFS Attributes


Last December I posted an entry entitled Maintaining Zone Labels as ZFS Attributes in which I described a prototype for persistent labeling of ZFS datasets. This has become a real project, Security Labels for ZFS and has been assigned case number PSARC/2009/348 . Here is a link to the one-pager.

You can follow along with the review process or contribute to the discussion of the case here.

Saturday Jun 06, 2009

Trusted Extensions in OpenSolaris 2009.06

Last week I attended Community One, at which the latest release of OpenSolaris was announced. As in previous versions, running Trusted Extensions requires a few workarounds to deal with changes in zone behavior such as cloning and the use of IPS packages. The steps are described here.

One outstanding issue is the support of sparse-root zones. This is the feature in which the non-global zones share read-only mounts of the global zone's filesystems, such as /usr, /lib, /platform, /sbin, and /opt. While this feature is currently being used in the Trusted Extensions labeled zone configuration, it is not supportable by the underlying IPS packaging system. There is a more complete discussion on this issue in Dan Price's blog entry A field guide to Zones in OpenSolaris 2008.05.

While we are evaluating alternatives to the sparse-root zone configuration, we plan to provide an updated installation procedure based on whole-root zones. These labeled zones will contain only the packages which are necessary and sufficient to run the multilevel desktop. Since all the zones are based on ZFS datasets, cloning will be used to minimize disk space and installation time. These updates will be made available in the Development Release Packaging Repository. I'll make another posting when they are available for download.


Safe Browsing Revisited

Almost three years ago I posted an entry entitled Safe Browsing and URL Forwarding in which I described how labeled web browsers could be launched at the label corresponding to the web site. Now BlueSpace has extended that concept in a new product called BlueSpace Multilevel Search and Share (S2). Using their Trusted Service Bus, Trusted Extensions, and Google's enterprise search appliance, they are able to aggregate the search results from multiple labeled networks without upgrading the data. Search results are labeled according to the network on which they were found. Clicking on a link opens up a browser in a labeled zone corresponding to the label of the data. This approach avoids the problems associated with moving or elevating data between classified networks using guards or proxies.

Here is a link to their press release describing the work in progress.

Sunday Mar 22, 2009

Cool Demo of a Command and Control Mashup

BlueSpace has provided a cool demonstration video of a multilevel Command and Control System (C2S) based on Solaris 10 Trusted Extensions. As they've done in their TransMail Trusted Edition product, the C2S demo relies on their Multilevel Messaging and Middleware. The Trusted Service Bus synchronizes multiple views from uniquely labeled sources so they can be aggregated into a mashup, while maintaining data separation. Note that the labeled windows associated with the individual coalition partners are each running in their own zones, with their own isolated networks. This is a great example of the kinds of solutions that can be built using this platform.

Monday Apr 07, 2008

Virtualized Instances of Vista in Labeled Zones

You may have read Sun's announcement about acquiring innotek, and the VirtualBox software. VirtualBox runs on a variety of operating systems including OpenSolaris, and supports a variety of guest operating systems, such as Microsoft Vista. Since VirtualBox is a user application, it can also be run in Solaris zones. Getting Vista to run in a labeled zone requires a few extra configuration steps, which are described below.

VirtualBox can be downloaded from the Sun Download Center and installed in the global zone. When VirtualBox is started in the global zone a device driver is loaded which is accessed through the pathname /dev/vboxdrv. To access this device from a zone, modify the zone's configuration using the following zonecfg commands:

add device
set match="/dev/vboxdrv"
end

Since zones cannot load kernel modules directly, you must have an instance of VirtualBox running in the global zone to load the driver. I suppose you could alternatively load the driver via modload, but I haven't tried that yet.

In addition, the zone needs to be running the OpenGL service. To enable this service, run the following command in the zone:

svcadm enable ogl-select

VirtualBox acts as a network proxy between the host and guest operating systems. This works fine in the global zone, but presents a few issues when running in a labeled zone. The DNS service that VirtualBox provides to the guest OS does not go through the name service switch. Therefore each zone must have its own DNS configuration, and a remote DNS server whose label matches that of the zone. To set this up you should halt your zones and select Configure per-zone name services from the top level menu of txzonemgr. Since your labeled zones will no longer be able to access any of your global zone databases, you should copy the /etc/hosts, /etc/passwd, /etc/shadow and /etc/user_attr files from the global zone into the corresponding /etc directory for each of your zones. You will also need a customized /etc/resolv.conf file for each zone to specify the appropriate DNS server for each label.

If you are using DHCP, you will be limited to name resolution in a single zone. You can rely on the nwam service (which is enabled by default) to set up your networking in the global zone. To make the network available to a labeled zone, you should share the configured network with all-zones (via txzonemgr or ifconfig) and assign the appropriate single-level remote host template to the DNS server specified in /etc/resolv.conf. Then copy the resolv.conf file into the appropriate zone.
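The per-zone name service steps above, as an added example that is not part of the original post: a small POSIX shell script that stages the four databases into one zone's root and writes its per-label resolv.conf. The global /etc and the zone root are parameters (assumed paths, nothing from a real host), so it can be tried on a scratch directory before touching a zone.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the per-zone name
# service files described above for a labeled zone that will run VirtualBox.
# Paths are parameters so it can be run against a scratch directory; on a
# real system GLOBAL_ETC is /etc and ZONE_ROOT is the zone's root path.

# Databases each zone needs once it no longer reaches the global zone's.
NS_FILES="hosts passwd shadow user_attr"

# copy_ns_files GLOBAL_ETC ZONE_ROOT
# Copy the databases into ZONE_ROOT/etc with -p so /etc/shadow keeps its
# restrictive mode; fail before copying anything if one is missing.
copy_ns_files() {
  global_etc=$1; zone_root=$2
  for f in $NS_FILES; do
    [ -f "$global_etc/$f" ] || { echo "missing $global_etc/$f" >&2; return 1; }
  done
  mkdir -p "$zone_root/etc" || return 1
  for f in $NS_FILES; do
    cp -p "$global_etc/$f" "$zone_root/etc/$f" || return 1
  done
}

# write_resolv_conf ZONE_ROOT DNS_SERVER [DOMAIN]
# Point the zone at the DNS server whose label matches the zone. Only a
# dotted IPv4 address is accepted, since a hostname here could not be
# resolved until this very file is in place.
write_resolv_conf() {
  zone_root=$1; dns=$2; domain=${3:-}
  case "$dns" in
    "" | *[!0-9.]* | *..* | .* | *.)
      echo "write_resolv_conf: not an IPv4 address: '$dns'" >&2; return 1 ;;
  esac
  {
    [ -n "$domain" ] && echo "domain $domain"
    echo "nameserver $dns"
  } > "$zone_root/etc/resolv.conf" && chmod 644 "$zone_root/etc/resolv.conf"
}

# shadow_mode_ok ZONE_ROOT: 0 if the copied shadow is unreadable by group/other.
shadow_mode_ok() {
  perms=$(ls -ld "$1/etc/shadow" 2>/dev/null | cut -c5-10)
  [ "$perms" = "------" ]
}
```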

Once you have set up your zones and networking, you can install Vista, or another OS, as the guest OS. After the guest OS is installed, you should verify that the guest OS can access the Internet. If so, you should download and install the guest additions ISO image. This will allow you to cut and paste between Vista and Solaris applications in the same zone. It also provides dynamic resizing of the guest OS window, and smooth mouse transitions between the host and guest windows.

Sunday Jan 06, 2008

Using Xvnc for Remote MLS Sessions

This is an update to my posting Remote Multilevel Desktop Sessions from last August. At that time I suggested using a combination of Xvfb(1) and vino-session (x86) or x0vncserver (SPARC) to get both the features of vnc and the Trusted Extensions X protocol extension to work together. However, starting in SXDE 1/08 and the upcoming Solaris 10 update 5 beta, we now deliver a version of Xvnc which supports both protocols in a single binary based on the current version of Xorg. Since it uses a virtual framebuffer, it should work with either architecture.

The easiest way to take advantage of this on a headless server running Trusted Extensions is to customize the file /etc/dt/config/Xservers. Simply comment out the default line and add this new one:

#   :0  Local local_uid@console root /usr/X11/bin/Xserver :0 -nobanner
  :0   Local local_uid@none root /usr/X11/bin/Xvnc :0 -nobanner -AlwaysShared -SecurityTypes None -geometry 1024x768x24 -depth 24

Note that I have disabled password authentication because I am using this machine for software development. If you need more restrictive access, remove the -SecurityTypes None option.

To make a remote connection (using a vnc client), your client machine should be assigned the admin_low template in the server's tnrhdb file.

Monday Dec 31, 2007

Multilevel Mail Revisited

In my posting last February, Prototyping Multilevel Mail, I discussed some techniques for implementing an email service to support labeled zones. It turns out that a company called BlueSpace Software has done just that. They have a very cool demo showing their label-aware email client running under Trusted Extensions using the Trusted Java Desktop System. The product is called BlueSpace TransMail Trusted Edition. Here is a quote from their web page:

TransMail Trusted Edition tightly integrates with Solaris 10 Trusted Extensions to ensure appropriate content management between the different security zones, including data labelling so that the interface operates multiple network sessions simultaneously.

I haven't had a chance to try it out, but I'm looking forward to doing so when it is available. 

Tuesday Oct 09, 2007

Automatic Installation of Trusted Extensions

If you have recently installed Trusted Extensions on OpenSolaris (since build 71), you may have noticed that the number of packages listed in the Install Wizard is shrinking. This is a feature, not a bug.

We are currently migrating all of the Trusted Extensions packages into standard Solaris metaclusters, and expect to complete this process by OpenSolaris build 76. At that time there will be no separate installation step for Trusted Extensions.

Starting with OpenSolaris build 71, you specify the labeling behavior of the system via the SMF service labeld. To enable labeling, you should run this command:

svcadm enable labeld

This setting will take effect on the next system boot.

It is now also possible to disable the multilevel behavior by disabling the service, and rebooting. However, you won't be permitted to do so unless you have removed your labeled zones. We will continue to enforce the MLS policy as long as there is labeled data on the system.

We plan to backport these changes into a future update of Solaris 10.


Saturday Jul 21, 2007

Regressions Shouldn't Happen

Unfortunately, they do. Before new features may be added to Solaris they must go through architectural review and exhaustive testing. Nevertheless, stuff happens. In Solaris 10 Update 4 and Nevada there are several new features that have had unexpected impact on Trusted Extensions functionality. Most of these get discovered and fixed quickly, but a few weren't understood and couldn't be fixed properly in time for the Update 4 release. So we have a few workarounds that will be required. I've been involved in the analysis of each of these issues and thought it would be interesting to show why they were hard to find. In each case, the affected Trusted Extensions component had not changed since Update 3, so we weren't expecting breakage.

The first issue showed up in Trusted JDS authentication interfaces like role assumption. The Sparks Project enhanced the name service cache daemon (nscd), but changed the policy for accessing encrypted passwords. Previously, a process with all privileges but with a normal user ID, could call the PAM account management service which provides password aging and account locking. But the new architecture for nscd had the side-effect that root was now required. Although nscd has been fixed in Nevada to restore the previous behavior, there was insufficient time to backport this fix to Update 4. Therefore we integrated a workaround in the PAM stack for Trusted JDS to skip the failing check. A proper fix will be delivered in Update 5.

The next problem affected Trusted JDS workspace labeling. When a new label is applied to a workspace, the Trusted Stripe application uses the zone_enter() system call to initiate a session in the corresponding zone. Another project, Duckhorn, enhanced the resource management features of zones. One of these features, the capped-memory resource, imposed a new restriction on the zone_enter() syscall that prevented a process holding a System V shared memory object from transitioning to a non-global zone. Meanwhile the GNOME toolkit was changed to use the X11 shared pixmap feature, which affected the behavior of the Trusted Stripe process. As a result, the process was unable to initiate new sessions in labeled zones. Again, the root cause was discovered too late for a proper fix to be included in Update 4. Meanwhile, the workaround is to customize the TrustedExtensionsPolicy(4) file to disable the MIT-SHM X11 extension.

The third problem affects Trusted CDE in the specific laptop configuration that is described in the OpenSolaris Laptop Instructions. A change was made in Nevada to remove the installation question about enabling IPv6. Instead, the loopback interface is now plumbed with an IPv6 address, and services like the portmapper now support both IPv4 and IPv6 addresses. This configuration is partially incompatible with the use of the Virtual Network Interface, vni(7), as described in the laptop instructions. The Tooltalk RPC service, which is used in Trusted CDE to initiate the Trusted Path, does not get registered correctly with the portmapper when no physical interface is plumbed. As a result the Trusted CDE session hangs. There are a variety of workarounds for this problem, and most people will never see it. In Update 4, don't enable IPv6 when asked, or don't use Trusted CDE until a physical interface has been plumbed. For Nevada, the workaround is described in step 4a of the revised laptop configuration procedures.

I'm frustrated by the above regressions, but I'm optimistic that things are getting better. The entire Trusted Extensions test suite has now been integrated into the Solaris Pre-Integration Test Suite (PIT).


This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.
