Wednesday Apr 25, 2007

SLOTD: A Personal View On Web2.0 Security (video)

A bit of an experiment for you today - Last night I fired up iMovie and talked into my webcam about Web2.0 and the future challenges of security, and edited the results into a short video. The results are included below, and more context - including links to the referred-to paper from 1997 - is available in the original blog posting.


I hope to do one of these videos - filming colleagues, asking questions - about every other week, and perhaps weekly once we get some experience.

- alec

ps: when we were setting up the security community blog, I made a point of saying that it "shouldn't and won't be filled with pictures of cats - the postings will stay on topic"; please note that the cat in the video therefore is an incidental cat, rather than the focus of the commentary. :-)

Tuesday Apr 24, 2007

SLOTD: SUDO versus RBAC - smackdown!

This is a really quick one - keep an eye on Darren's blog; he's posted the first installment in a series which will discuss the relative configurations and merits of "sudo" versus RBAC in Solaris, and it is attracting the attention of Powerbroker users, and perhaps others who are intrigued by the notion of delegating small parts of root privilege to ordinary users.

Given the number of times I've dealt with customer queries about that sort of thing, I feel that I'll soon be citing his blog like holy writ.


Friday Apr 20, 2007

SLOTD: Trusted Extensions: Ready for Commercial Prime Time

Historically, Trusted Solaris was a completely separate environment from "regular" Solaris. The Solaris 10 11/06 production release finally broke the mould, when Trusted Extensions was integrated into the main Solaris release. Granted, the packages which need to be installed on top of an unlabelled Solaris 10 install still need to be installed using an extra install tool, but you'll nonetheless find them on the regular distribution media under the Solaris_10/ExtraValue/CoBundled directory, right alongside the SunVTS hardware validation test suite.

Configuring everything once the packages are in place is a more interesting proposition, but there's a good recipe here (for laptops).

We make no bones about the fact that Trusted Solaris began life as an engineering project for the US Government, first went live 17 years ago, and has since, by its nature as a separate product with a military heritage, seen little use in the commercial world (with one or two notable exceptions). However, now that it's no longer a separate product, we believe that the time is right for commercial adoption.

To this effect, we've been looking at some of the areas in the commercial world where its capabilities have a natural fit. So far, the partial list looks like:

  • Grid segregation: Where a multi-tenant grid within an organisation or consortium is required, such that data associated with one set of users is very rigorously segregated from data associated with another set of users. Have a label per tenant organisation, and run Grid Engine within the zones associated with the labels. Academia may find this interesting, as may some areas of Financial Services (eg where Chinese walls have to be maintained).
  • Datacentre Base Services consolidation: Trusted Extensions makes the perfect multi-client-organisation NTP server (see - apply "labels" as "zones" :-). Given the way that both DNS and NTP work (in terms of "client fails gracefully to next nominated server if previous is unavailable"), clustering wouldn't be a concern - or DNS could be load-balanced in the network. Co-location service providers would find this interesting, especially where separation of services between customers is required to be rigorous.
  • Laptop security: Consider the well-known issues of open-access wireless for folk working "out in the world" who nonetheless need to communicate with the office. Walk into your nearest Starbucks, connect to the untrusted wireless at PUBLIC, establish a VPN over the top of that at CONFIDENTIAL (or whatever label you want your corporate intranet to be treated as), job done. I gather Glenn Faden already works this way; Darren also suggested the elegant further finessing of making the PUBLIC zone whole-root so that the VPN packages could be removed from it :-). Such a solution would likely find interest with "everybody who carries sensitive data on a laptop and uses third-party networks".
  • Segregation of CCTV server feeds and archives: We have a solution in trials for using our servers as an aggregation and analysis point for good-sized numbers of IP-based CCTV feeds. I think Trusted Extensions could have a valuable part to play in terms of segregating feeds associated with multiple businesses from each other, and tightly controlling which users are allowed to see feeds from which cameras.
So, that's my short list as it stands today - Glenn Faden has prototypes already for safe web browsing (which is ideal for the laptop case above), and is working on multilevel mail.


If we extend this a little further, we have:

Any organisation where leakage of internal data is an issue could benefit from a simple two-label system in which "Internal" dominates "Public", where "Public" is the Internet connection and "Internal" is the Intranet. If all users are (as is the default) denied permission to downgrade data, it becomes much less likely that internal data will leak; giving users the ability to upgrade data by default still allows external data to be brought inside. This works well even when organisations do not differentiate between classifications of internal material, and the Safe Browsing mechanism comes into its own when web sites on the intranet need to point at material in the wider world. Press Officer and Auditor roles could also be created, which would potentially be the only roles allowed to downgrade data as part of the external release process.

In educational establishments, denying the ability to upgrade and downgrade data means that, while a wide range of websites can still be viewed (assuming filtering software is already in place on the Internet link), data can't readily be plagiarised by cutting and pasting from external sources into essays and the like. Also, if the Public and Internal zones are installed as whole-root rather than sparse-root zones, careful use of pkgrm can subsequently remove internal tools (such as IM) from the external context; cyber-bullying could then be more readily tracked, since bullies wouldn't be able to create anonymous or pseudonymous external accounts "on the fly" from which to abuse their victims.

As well as co-location facilities, law firms may wish to extend their "duty of care" capability, in terms of ensuring segregation of client data, by having a compartmented label per client.
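The label rules sketched above (read-down between "Public" and "Internal", no downgrade by default, upgrade allowed by default, a Press Officer exception, and one compartment per client or grid tenant) are simple enough to write down as a small dominance model. The following is an added example for this page, not Trusted Extensions code or any of Sun's interfaces; the classification ordering, the role names, the `may_downgrade` / `may_upgrade` flags and the `CLIENT_A` / `CLIENT_B` compartments are assumptions made for illustration.

```python
"""Toy label-dominance model of the two-label Public/Internal scheme and
per-client compartments. Added example; not Trusted Extensions' own code.
All labels, roles and flags below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Classification order: a higher number dominates a lower one. Assumed values.
CLASSIFICATIONS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other iff its classification is at least as high
        AND its compartment set is a superset of other's."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    label: Label                 # label of the zone/session the subject works in
    may_downgrade: bool = False  # default: nobody may downgrade (Press Officer role: True)
    may_upgrade: bool = True     # default: anyone may bring external data inward


def can_read(subject: Subject, data: Label) -> bool:
    """Read-down: the subject's label must dominate the data's label."""
    return subject.label.dominates(data)


def can_relabel(subject: Subject, src: Label, dst: Label) -> bool:
    """Moving data from label src to label dst.
    Upgrade (dst dominates src) needs may_upgrade; downgrade (src dominates
    dst) needs may_downgrade. Incomparable labels, e.g. two different client
    compartments, can never be relabelled directly into one another."""
    if dst == src:
        return True
    if dst.dominates(src):
        return subject.may_upgrade
    if src.dominates(dst):
        return subject.may_downgrade
    return False


# Constructed labels: the two-label corporate scheme plus two law-firm clients.
PUBLIC = Label("PUBLIC")
INTERNAL = Label("INTERNAL")
CLIENT_A = Label("INTERNAL", frozenset({"client-a"}))
CLIENT_B = Label("INTERNAL", frozenset({"client-b"}))


def demo() -> Dict[str, bool]:
    """Exercise the rules for the scenarios described in the post."""
    staff = Subject("staff", INTERNAL)
    press = Subject("press-officer", INTERNAL, may_downgrade=True)
    student = Subject("student", INTERNAL, may_upgrade=False)  # school: no upgrade either
    lawyer_a = Subject("lawyer-a", CLIENT_A)
    return {
        "staff_reads_public": can_read(staff, PUBLIC),                     # read-down OK
        "staff_leaks_internal": can_relabel(staff, INTERNAL, PUBLIC),     # downgrade denied
        "staff_imports_public": can_relabel(staff, PUBLIC, INTERNAL),     # upgrade allowed
        "press_releases": can_relabel(press, INTERNAL, PUBLIC),           # role may downgrade
        "student_pastes_external": can_relabel(student, PUBLIC, INTERNAL),  # cut-and-paste blocked
        "lawyer_a_reads_internal": can_read(lawyer_a, INTERNAL),          # compartment dominates plain Internal
        "lawyer_a_reads_client_b": can_read(lawyer_a, CLIENT_B),          # Chinese wall holds
        "client_a_to_client_b": can_relabel(lawyer_a, CLIENT_A, CLIENT_B),  # incomparable: never
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:28s} {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes concrete is that the "no downgrade" default does the leak prevention on its own; the Press Officer role is the single, auditable place where that default is relaxed, and client compartments stay incomparable so no relabelling path exists between them.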

If you have some more ideas, please add them in a comment :-)


Wednesday Apr 18, 2007

2007-04-19 Security Link Of The Day

One of the great, obvious, simple ideas which went into Solaris 10 was the Reduced Networking Cluster; after fragmenting and massaging the core Solaris packages a bit, it became possible to offer a clean, minimal, even spartan installation of Solaris, a lightweight foundation upon which software could be added as and when only necessary, leading to a very tiny and yet supported machine configuration.

A colleague recently asked me for more information about the Reduced Networking Cluster, and frankly I was stumped, and then Glenn Brunette piped up that he'd written all about it back in 2004:-

The topic for this article is the Solaris 10 Reduced Networking Software Group (also commonly known as the Solaris 10 Reduced Networking Meta Cluster). This software group is new and joins the five existing software groups available in Solaris today: Core, End User, Developer, Entire and Entire + OEM software groups. The Reduced Networking Software Group is positioned as a subset of Core and represents the smallest amount of Solaris that can or should be installed and have a working and supported system. Note that for support reasons, it is not advised to remove packages installed by the Reduced Networking Software Group.

To install the Reduced Networking Software Group, simply select it from the list when doing a graphical installation. If you are using JumpStart, then you should use the cluster keyword with the new value SUNWCrnet. The following is a sample JumpStart profile that uses the Reduced Networking Software Group. This profile was also used to build the system used as an example in this article.


Yes, it's true - the size of this installation is just a little over 150-Mbytes. Note that this size is based on the build of Solaris 10 that I was using and will certainly change before Solaris 10 is finalized, but I did want to mention it as an example of how small a Solaris installation can be.

...etc; it's quite a long article but worthwhile, since it's one of the sadly few documents which look at this feature from an architectural perspective.

So, folks, if you are into Minimized Solaris Configurations, you want to start with "SUNWCrnet". Less really is more, and it costs you nothing. :-)
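For reference, here is a minimal JumpStart profile using the cluster keyword the article mentions. It is an example constructed for this page, not the profile from Glenn's article (which is not reproduced above); the disk slice layout and sizes are assumptions.

```text
# Constructed example JumpStart profile: smallest supported Solaris 10
# install via the Reduced Networking Software Group. Slice layout assumed.
install_type    initial_install
system_type     standalone
partitioning    explicit
filesys         rootdisk.s1     1024    swap
filesys         rootdisk.s0     free    /
cluster         SUNWCrnet
```

The profile is referenced from the rules file in the JumpStart directory as usual; the only line that matters for minimisation is `cluster SUNWCrnet`, which selects the Reduced Networking group in place of SUNWCreq (Core) or the larger groups.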


Tuesday Apr 17, 2007

2007-04-17 Security Link Of The Day

I asked Susan Landau about the new edition of Privacy On The Line which is just out, and she kindly answered in the third person:

Whitfield Diffie and Susan Landau have updated their book on crypto and wiretap policy, "Privacy on the Line: The Politics of Wiretapping and Encryption."

The revised book details the arguments between the U.S. government and industry and academic researchers over encryption and the right to use strong encryption in the public domain - a battle that was won in 2000, when the U.S. government agreed to the export of strong crypto in most high-tech products. But there remain other issues, including the U.S. government's effort to apply the Communications Assistance for Law Enforcement Act to VoIP, a "solution" for wiretapping that potentially creates major security holes.

Diffie and Landau's updated and expanded version of Privacy on the Line covers these and related issues (including the NSA warrantless wiretapping); Ron Rivest, the co-inventor of the RSA algorithm, says, "This revised edition of Diffie and Landau's classic work brings their treatment fully up to date. Essential for anyone interested in the technology, history, and politics of communications privacy."

Whitfield Diffie is Chief Security Officer of Sun, and co-inventor of public-key crypto, which amongst other achievements is what enables ecommerce.

Susan Landau is a Sun Distinguished Engineer focusing on the intersection of security, crypto, and public policy, and currently working on issues of digital-rights management and surveillance issues.

Now all I need to do is get Susan blogging. :-)

- Alec

Sunday Apr 15, 2007

2007-04-16 Security Link Of The Day

First, some news: we have a new look and feel / theme for the blog and in response to a comment from one reader (Hi William!) the "categories" - General, Alerts, News - have all been broken-out in the page header, along with links to the relevant RSS feeds for each.

So if you prefer to separate the Sun Security Alerts from the Security postings, all you need do is bookmark or subscribe to the relevant page / feed. I'd like to thank Chandan for his as-ever superb graphic tastes... Er.. yes, something like that. You know what I mean.

Second: an observation that I should really have followed up some time ago. I run almost exclusively Solaris on my laptops, and having developed the habit early on, for some time now I've been faffing with WiFi configuration at a fairly raw level - I eschew the GUI convenience of inetMenu and the automation of NWAM in favour of hand-hacked shell scripts.

In these circumstances I have thus become more intimate than most with the output of Solaris's wifi-administration tools.

For ages I've been plagued by offers of Free Public WiFi - for that is the name of the network, one sees it everywhere - whenever I've been scanning for network access, and it finally struck me to actually look the damned things up. There were too many of these networks for them to be a legitimate enterprise.

Instantly I found a blog posting which not merely explained the phenomenon, but also outlined my extant fears and my eventual conclusion too; in short the phenomenon is not a computer-borne virus but a human-borne viral meme which is caused (enabled?) by a XP misfeature:


So what are these things? In doing a search, I found some references in security-related discussion groups to the phenomenon, and lots of instances of people spotting these, even on airplanes. But didn't see what I was afraid I'd find -- that this is some kind of virus or spyware that sets up an ad hoc network as a trap.

It appears to be a manifestation of a feature of Windows that I wrote about earlier this year. When Windows connects to a network, it retains that network's name, or SSID, then broadcasts it as an ad hoc network, essentially inviting a connection. You can find more details here. Microsoft has said it will fix this in the next XP service pack; it's unclear if Windows Vista behaves this way.

So why do you see so many of these? My theory: It's viral, but not a virus!

What's the thing almost everyone wants to find when they open a WiFi-enabled notebook and search for a connection? Why, free public WiFi! If you see that -- and you don't know any better -- you connect to it.

Your notebook then retains that SSID, broadcasting it as an ad hoc network. Others see you, connect to you, pick up the name, and later pass it on. And on and on it goes. Since people travel with their notebooks, it's easy for this to have moved quickly, across the country -- like a cold spreading in the closed confines of an airplane cabin. (continues...)

See also this and this.

As a student of IT security taxonomy, to me this is clearly different from all of the typical viruses, worms and trojans; I feel that 'meme' is the only remaining accurate description, although I'd welcome alternative suggestions.

- alec

Thursday Apr 12, 2007

2007-04-13 Security Link Of The Day

Dave Walker is one of Sun's clearest thinkers on matters related to identity and access to data; about a year ago he posted this observation, which didn't really get the attention it deserved.

The issue of identity has been bothering me for a while. While identity can clearly be applied to human consumers of services - and expressed as a subset of information held about them in various places - I've started wondering how the concept of identity could be used for various other entities, and indeed how the properties of identity as applied to humans could potentially be mapped onto them.

Hence the table below, which is my rather crude first shot at this mapping for files, running processes, OS instances, zones, hardware domains and services. Cells with question marks in them are areas where I currently don't see a mapping - this could mean that a mapping is not appropriate, or that an appropriate technology does not exist today, and could point the way for a bit of fundamental research.

I suspect I'm heading down a path which has been well-trodden already, but you might find some parts of this amusing. I'd be happy to bounce ideas around, or become clueful on what current thinking in this area actually is.


I'm hoping to get Dave blogging here more directly, soon, so keep an eye open.

Treating processes (ie: computer programs, live and running on a CPU) as if they were people, is not necessarily as easy as you might think - but then given how easily some people can be socially engineered maybe it's not so bad an analogy after all.

2007-04-12 Security Link of The Day:

At the London OpenSolaris User Group meeting after the recent London Sun Tech Days event there were a few people asking questions about Solaris and Microsoft Windows interoperability. I stepped up to the plate to answer these, since mostly they were around Active Directory interoperability and in a former job at Sun I did my fair share of name-services related work; also, a lot of the integration work being done is based on lining up the security/authentication protocols between Solaris and Active Directory, so even though I'm not actively working on it I have been in regular contact with the developers who are.

One of the biggest favours I personally think Microsoft did the security community was choosing to use Kerberos as a core part of the security layers in Active Directory, particularly now that the PAC data format is documented. The Solaris Kerberos development team did a lot of work getting the base Kerberos functionality in Solaris to work better with Windows, by ensuring that cipher suites lined up, password change works and like Windows we could look in DNS to find the KDC and REALM information.

Just having working Kerberos is not enough for most people; in many cases what they really need is for their Solaris machine to "appear" to Active Directory "just like a Windows XP machine" would. That means that Solaris has to use LDAP as the name service. "Well, that's easy," you say, "Solaris 8 supported that." Not so fast! It's all about the schema and how it is used.

There are a few OpenSolaris projects that are working specifically on the name service client side of Solaris to make it a better Active Directory client. Those projects are: Sparks, Reno, Duckwater and Winchester. The Sparks project page has a good technical overview diagram of how it all fits together. Some of these have delivered all or part of their functionality to OpenSolaris already but the full picture is still in development. I look forward to the day when I can post here "It just works", in the mean time hold on in there, "we" are working on it!

- Darren

Tuesday Apr 10, 2007

2007-04-10 Security Link Of The Day

We like ZFS.

Lots of people like ZFS.

Even Linux people are experimenting with ZFS, albeit as a user-space filesystem.

ZFS is good.

But ZFS will be even better when you can have encrypted filesystems.

So maybe check out the project and see if you'd like to help out?

- alec

Monday Apr 09, 2007

2007-04-10 Security Link of the Day: A few security relevant ARC cases

Bonus Link Tuesday :-) Instead of just one link of the day I'm going to highlight a few recent security-relevant ARC cases. For information on what an "ARC Case" is, see the ARC community on OpenSolaris; at a high level, it is how we review the things that users, admins and developers can see and use in (Open)Solaris, and document the interfaces and their interactions.

The first two are proposals that are currently still in review, so the functionality they describe doesn't yet appear in any OpenSolaris distribution.

The first is a proposal (PSARC/2007/200) to change the way that IPsec is started up by making better use of SMF; this gives better fault recovery, something really important when securing your system. Plus, I logged the bug for this and provided a first suggestion for the new SMF services, and I'm really glad to see the project being implemented now. The proposal is much more complete than my original suggestion and provides a very nice set of new SMF services that shows much better how IPsec works, instead of it being "hidden" as part of the general networking services.

The second (PSARC/2007/198) is related to how IPfilter and IPMP work together. I find this one quite interesting because it focuses on how stateful packet filtering works in a high-availability networking configuration. It is also interesting because this proposal is actually a short-term solution that is to be provided until the Clearview networking project is ready.

My third and final link for today is a really geeky and quite low-level/internal feature of the Cryptographic Framework. It (PSARC/2007/093) is about sharing the context (state) of in-progress multi-part crypto operations between hardware and software providers. The real end-user benefit of this is better performance, because sometimes it is actually faster to run the software version of an algorithm than to send small data sizes out to dedicated crypto hardware. I'm not aware of any other operating system with a crypto framework that goes to these lengths to get the best crypto performance out of the system as a whole; I'd be very interested in learning about others (particularly open source ones) that do similar things. I've long said to my team mates in the crypto group that there is a PhD thesis to be written about crypto job scheduling for best single throughput versus best system load with different mixes of hardware and software crypto engines.

That's it for today. - Darren
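The "small data is faster in software" trade-off behind the third case is easy to see with a toy cost model. What follows is an added example written for this page, not Solaris Cryptographic Framework code and not the design in PSARC/2007/093: two simulated providers (a "hardware" engine with a fixed per-call offload cost and a software fallback) share one multi-part digest context, and each update() is routed to whichever provider is cheaper for that chunk's size. The cost constants, the crossover formula and both provider classes are assumptions made for illustration; the "hardware" provider is just a stand-in that advances the same state.

```python
"""Toy model of routing multi-part crypto work between a hardware and a
software provider that share one context. Added example; not Solaris code.
Cost constants are arbitrary units chosen for illustration."""
import hashlib
from typing import List, Tuple

# Assumed cost model: software cost is linear in bytes; hardware has a
# fixed per-call offload overhead but a much lower per-byte cost.
SW_PER_BYTE = 1.0
HW_PER_BYTE = 0.1
HW_FIXED = 4096.0


def cost(provider: str, nbytes: int) -> float:
    """Estimated cost of handing nbytes to the named provider."""
    if provider == "hw":
        return HW_FIXED + HW_PER_BYTE * nbytes
    return SW_PER_BYTE * nbytes


def crossover_bytes() -> int:
    """Smallest chunk size for which the hardware engine is cheaper, i.e.
    HW_FIXED + HW_PER_BYTE*n < SW_PER_BYTE*n  =>  n > HW_FIXED/(SW-HW)."""
    return int(HW_FIXED / (SW_PER_BYTE - HW_PER_BYTE)) + 1


class SharedContext:
    """State of one in-progress multi-part operation. Both providers
    operate on this same object, which is what lets a job move between
    them part by part instead of being pinned to whichever started it."""

    def __init__(self) -> None:
        self.state = hashlib.sha256()       # stand-in for algorithm state both sides understand
        self.log: List[Tuple[str, int]] = []  # (provider, nbytes) per part, for inspection


class SoftwareProvider:
    name = "sw"

    def update(self, ctx: SharedContext, data: bytes) -> None:
        ctx.state.update(data)
        ctx.log.append((self.name, len(data)))


class HardwareProvider:
    name = "hw"

    def update(self, ctx: SharedContext, data: bytes) -> None:
        # A real engine would import ctx.state, process the part, and export
        # the state back; here the simulated hardware just advances it in place.
        ctx.state.update(data)
        ctx.log.append((self.name, len(data)))


class Scheduler:
    """Per-part provider selection over a shared context."""

    def __init__(self) -> None:
        self.sw = SoftwareProvider()
        self.hw = HardwareProvider()

    def init(self) -> SharedContext:
        return SharedContext()

    def update(self, ctx: SharedContext, data: bytes) -> None:
        n = len(data)
        provider = self.hw if cost("hw", n) < cost("sw", n) else self.sw
        provider.update(ctx, data)

    def final(self, ctx: SharedContext) -> str:
        return ctx.state.hexdigest()


def digest_in_parts(parts: List[bytes]) -> Tuple[str, List[Tuple[str, int]]]:
    """Run a multi-part digest, routing each part to the cheaper provider."""
    sched = Scheduler()
    ctx = sched.init()
    for part in parts:
        sched.update(ctx, part)
    return sched.final(ctx), ctx.log


def reference_digest(parts: List[bytes]) -> str:
    """Single-shot digest of the concatenation, for checking the split result."""
    return hashlib.sha256(b"".join(parts)).hexdigest()


if __name__ == "__main__":
    # Constructed input: a small header, a large payload, a small trailer.
    sample = [b"a" * 100, b"b" * 8192, b"c" * 16]
    digest, log = digest_in_parts(sample)
    print("crossover:", crossover_bytes(), "bytes")
    print("routing:  ", log)
    print("match:    ", digest == reference_digest(sample))
```

With these constants the crossover sits at 4552 bytes, so a typical "small header, big payload, small trailer" message is split sw/hw/sw while still producing the same digest as a single-shot computation; that equality is only possible because the context is owned by neither provider.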
