Solaris 9 to beef up OS, application security

In your shell-like

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

ComputerWire: IT Industry Intelligence

With Sun getting ready to launch Solaris 9, the next generation of its Unix operating system, sometime between now and the end of June, everyone is scrambling to try to figure out what will make Solaris 9 different from the existing Solaris 8,

Timothy Prickett Morgan writes


One of the big differences, it turns out, will be substantially enhanced security mechanisms for both the operating system and its applications.

Sun has already divulged some of the threading library changes in Solaris 9 and its intent to make it easier for companies to deploy and manage Solaris servers using its future iChange systems management programs.

Solaris 9 will contain features that will eventually be developed in full form in the iChange program, which will probably take another year to year and a half to come fully to market. Solaris 9 is also expected to include a host of new management tools and be built using a much more modular approach, allowing Sun to streamline the installation process for Solaris for particular workloads, much as Microsoft Corp does with its various Windows versions.

In the meantime, everyone is concerned with security these days, and Sun's software engineers are doing what they can to try to improve the security of the Solaris environment. Sun has a slew of enhancements coming in Solaris 9 aimed right at these concerns.

First, Solaris 9 will include a Secure Shell feature that implements the Secure Shell version 1 and version 2 protocols and allows for strongly authenticated, encrypted remote access to and from Solaris machines in multi-platform environments. The Secure Shell implementation in Solaris 9 supports DEC, 3DES, AES, and Blowfish encryption algorithms. Secure Shell support will work with the existing IPv4 or new IPv6 Internet protocols. The Secure Shell implementation is fully integrated with Solaris and uses its logging mechanisms and is intended to replace less secure remote access methods such as rcp, rsh, telnet, and X11. Incidentally, Ravi Iyer, one of the product line managers for Solaris, says that Sun is using the OpenSSH code for the BSD implementation of Unix with Solaris 9 and has made auditing and logging enhancements to OpenSSH for Solaris that it is giving back to the open source community.

Perhaps more significantly, Solaris 9 will include barriers that limit the ability of hackers to exploit buffer overflows in the Solaris software stack to gain root access to Solaris and thereby take over a machine. Buffer overflows are one of the dominant means hackers use to gain access to machines. Simplifying somewhat, a buffer overflow hack is caused by an executable file, such as a virus, entering a machine and cramming so much garbage into a buffer that it vomits all over itself; when it vomits, hackers can see root permissions that systems and application programs may have, and thereby gain those much-valued root permissions for themselves.

Sun cannot stop buffer overflows any more than any other operating system vendor could, but whatever trick Sun has up its sleeve for Solaris 9 apparently prevents a buffer overflow from allowing root access, even if it doesn't stop buffer overflows cold. Whatever this trick is, it happens at application compile time and is done way down near the hardware layer; customers will have the option of invoking this security feature at compile time or not. Stopping all buffer overflows, says Bill Moffitt, another of the program line managers for Solaris, would be very, very difficult in that the operating system would have to check to see if a buffer was full as each bit of data came into that buffer.

Solaris 9 will also implement a Kerberos V5 environment, with coverage for server and client applications that access Solaris servers. Kerberos is a single sign-on systems program created by the nerds at the Massachusetts Institute of Technology that allows users to move around a network of computers (typically incompatible ones like Unix and Windows servers) supporting Kerberos without actually passing around the passwords that allow users to jump from machine to machine and application to application. Sun says that it has improved Kerberos support to allow password changing against Microsoft's Active Directory or MIT Key Distribution Centers.

The forthcoming OS will also sport a number of other security-related features. Solaris 9 will support the IPSec encryption for IPv6 and IPSec/IKE for IPv4. All cryptographic modules within Solaris 9 will support 128-bit keys as standard, including non-US releases of Solaris. Solaris 9 will also have an integrated firewall called SunScreen, at the 3.2 release, bundled in.

SunScreen is a dynamic packet filtering firewall that includes VPN support and proxy support for Web servers, FTP servers, Telnet sessions, and SNMP servers. It will run on the 32-bit and 64-bit Sparc and Intel Solaris kernels. Finally, Solaris 9 will have a built-in random number generator for both the
Solaris kernel and for applications.

This random number generator has been abstracted above the UltraSparc-III processor so it will work with future UltraSparc-IV and "Millennium" (UltraSparc-V) processors. Cryptography depends to a large extent on randomly generated numbers, and having a random number generator that is abstracted from the hardware and available for all applications is useful for vendors who want to create firewalls and other security products for Solaris servers. timpm@computerwire.com

ComputerWire. All rights reserved.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.