Oracle Cross Domain Security Express

On January 27 Oracle announced that it had finalized its acquisition of Sun. This week I accepted an offer of employment from Oracle so I will be continuing in my role as one of the leaders of the Solaris security development team. Trusted Extensions remains a key part of that strategy, and is specifically highlighted in John Fowler's Webcast. There is about a minute devoted to Solaris security, starting at 4:38, and a slide at 5:30 showing Trusted Extensions and RBAC (two of my favorites) as key Solaris features.

Oracle and Sun have a long history of cooperation in the area of multilevel security, and I have been personally involved in some interesting projects. My earliest involvement dates back to 1991 when Oracle and Sun demonstrated Trusted Oracle running on SunOS CMW at the 14th annual National Computer Security Conference in Baltimore. I presented a white paper at the conference entitled Reconciling CMW Requirements with those of X11 Applications.

I had another opportunity to work with Oracle, starting in 2006, prototyping a cross-domain architecture using labeled zones to proxy SQL requests from separate application enclaves. Oracle was our first partner to use Trusted Extensions, even before it was integrated into Solaris 10 update 3.

The prototype was successful, and after significant refinement it has been released under the name Oracle Cross-Domain Security Express. It has been authorized to operate on US government networks and has been certified and accredited according to DCID 6/3 PL4 requirements. A brochure describing the solution is available on the Oracle Website. As you can see, it relies on labeled zones and trusted networking to provide isolation and to associate labels with client requests.

For an interactive description, I recommend the YouTube video that one of my new Oracle colleagues, Jonathan Bakke, has posted. Jon is the Senior Director of the Cross-Domain Systems group. We first met back in 2006, about the time I started this blog.

Comments:

Nice post and useful information here. Many thanks.
Hope to see more fresh things here.

Posted by ed hardy clothing on March 09, 2010 at 03:50 PM PST #

It looks like the Oracle Cross-Domain Security Express link is no longer valid. I would also like to know if this is on track for Unified Cross Domain Management Office (UCDMO) Baseline approval.

Posted by Randy Wynn on August 12, 2010 at 12:04 AM PDT #

This fits in with a number of things I'm looking to do, in terms of producing solutions to address requirements in CONTEST; SNAP and other MLS front-ends only go so far.

Who do I need to talk to about acquiring a copy of CDSX for evaluation and development? Is it exportable to the UK, or subject to ITAR?

Posted by Dave Walker on August 29, 2011 at 11:52 PM PDT #

Glenn

Was wondering if there are any performance limitations when you are dealing with over 1000 compartments.

Posted by Dan Teijido on February 26, 2013 at 07:56 AM PST #

About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.
