Solaris 9 to beef up OS, application security

ComputerWire: IT Industry Intelligence
With Sun getting ready to launch Solaris 9, the next generation of its Unix operating system, sometime between now and the end of June, everyone is scrambling to try to figure out what will make Solaris 9 different from the existing Solaris 8, Timothy Prickett Morgan writes.

One of the big differences, it turns out, will be substantially enhanced security mechanisms for both the operating system and its applications.

Sun has already divulged some of the threading library changes in Solaris 9 and its intent to make it easier for companies to deploy and manage Solaris servers using its future iChange systems management programs.

Solaris 9 will contain features that will eventually be developed in full form in the iChange program, which will probably take another year to year and a half to come fully to market. Solaris 9 is also expected to include a host of new management tools and be built using a much more modular approach, allowing Sun to streamline the installation process for Solaris for particular workloads, much as Microsoft Corp does with its various Windows versions.

In the meantime, everyone is concerned with security these days, and Sun's software engineers are doing what they can to try to improve the security of the Solaris environment. Sun has a slew of enhancements coming in Solaris 9 aimed right at these concerns.

First, Solaris 9 will include a Secure Shell feature that implements the Secure Shell version 1 and version 2 protocols and allows for strongly authenticated, encrypted remote access to and from Solaris machines in multi-platform environments. The Secure Shell implementation in Solaris 9 supports the DES, 3DES, AES, and Blowfish encryption algorithms. Secure Shell support will work with the existing IPv4 or the new IPv6 Internet protocols. The Secure Shell implementation is fully integrated with Solaris, uses its logging mechanisms, and is intended to replace less secure remote access methods such as rcp, rsh, telnet, and X11. Incidentally, Ravi Iyer, one of the product line managers for Solaris, says that Sun is using the OpenSSH code from the BSD implementation of Unix in Solaris 9 and has made auditing and logging enhancements to OpenSSH for Solaris that it is giving back to the open source community.

Perhaps more significantly, Solaris 9 will include barriers that limit the ability of hackers to exploit buffer overflows in the Solaris software stack to gain root access to Solaris and thereby take over a machine. Buffer overflows are one of the dominant means hackers use to gain access to machines. Simplifying somewhat, a buffer overflow hack is caused by input reaching a program, for instance by way of an executable file such as a virus, that crams so much garbage into a buffer that the program vomits all over itself; when it vomits, the attacker's data lands where it can run with the root permissions that system and application programs may hold, and the hacker thereby gains those much-valued root permissions.

Sun cannot stop buffer overflows any more than any other operating system vendor could, but whatever trick Sun has up its sleeve for Solaris 9 apparently prevents a buffer overflow from allowing root access, even if it doesn't stop buffer overflows cold. Whatever this trick is, it happens at application compile time and is done way down near the hardware layer; customers will have the option of invoking this security feature at compile time or not. Stopping all buffer overflows, says Bill Moffitt, another of the program line managers for Solaris, would be very, very difficult in that the operating system would have to check to see if a buffer was full as each bit of data came into that buffer.
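To make Moffitt's point concrete, here is an added example (not code from the article or from Sun) of a fixed-size request buffer filled piecewise, the way data arrives off a network, with the "is the buffer full yet?" check done before every chunk is stored. The buffer size, the `reqbuf` type and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the article: a fixed-size buffer that refuses
 * any chunk that would not fit, instead of writing past its end. */

#define REQ_BUF_SIZE 32   /* constructed size for the example */

struct reqbuf {
    char   data[REQ_BUF_SIZE];
    size_t used;          /* bytes stored so far, not counting the NUL */
};

void reqbuf_init(struct reqbuf *b)
{
    b->used = 0;
    b->data[0] = '\0';
}

/* Append `len` bytes; returns 0 on success, -1 if the chunk would overflow.
 * On -1 the buffer is unchanged, so the caller can drop the request.
 * The unchecked equivalent (memcpy without the test) is exactly the
 * overflow the article describes: the excess lands past data[]. */
int reqbuf_append(struct reqbuf *b, const char *chunk, size_t len)
{
    /* Keep one byte for the terminator; refuse rather than truncate
     * silently, so an oversized input is visible to the caller. */
    if (len > REQ_BUF_SIZE - 1 - b->used)
        return -1;
    memcpy(b->data + b->used, chunk, len);
    b->used += len;
    b->data[b->used] = '\0';
    return 0;
}

/* Feed a whole (constructed) input in chunks of `chunk` bytes, as a
 * receive loop would; returns 0 if everything fit, -1 at the first
 * chunk that is refused. */
int reqbuf_fill(struct reqbuf *b, const char *input, size_t chunk)
{
    size_t left = strlen(input);
    while (left > 0) {
        size_t n = left < chunk ? left : chunk;
        if (reqbuf_append(b, input, n) != 0)
            return -1;
        input += n;
        left  -= n;
    }
    return 0;
}
```

The check costs a comparison per chunk, which is the overhead Moffitt is alluding to when he says an operating system cannot afford to do this for every byte of every buffer on a program's behalf.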

Solaris 9 will also implement a Kerberos V5 environment, with coverage for server and client applications that access Solaris servers. Kerberos is a single sign-on systems program created by the nerds at the Massachusetts Institute of Technology that allows users to move around a network of computers (typically incompatible ones like Unix and Windows servers) supporting Kerberos without actually passing around the passwords that allow users to jump from machine to machine and application to application. Sun says that it has improved Kerberos support to allow password changing against Microsoft's Active Directory or MIT Key Distribution Centers.

The forthcoming OS will also sport a number of other security-related features. Solaris 9 will support the IPSec encryption for IPv6 and IPSec/IKE for IPv4. All cryptographic modules within Solaris 9 will support 128-bit keys as standard, including non-US releases of Solaris. Solaris 9 will also have an integrated firewall called SunScreen, at the 3.2 release, bundled in.

SunScreen is a dynamic packet filtering firewall that includes VPN support and proxy support for Web servers, FTP servers, Telnet sessions, and SNMP servers. It will run on the 32-bit and 64-bit Sparc and Intel Solaris kernels. Finally, Solaris 9 will have a built-in random number generator for both the Solaris kernel and for applications.

This random number generator has been abstracted above the UltraSparc-III processor so it will work with future UltraSparc-IV and "Millennium" (UltraSparc-V) processors. Cryptography depends to a large extent on randomly generated numbers, and having a random number generator that is abstracted from the hardware and available for all applications is useful for vendors who want to create firewalls and other security products for Solaris servers.

timpm@computerwire.com

ComputerWire. All rights reserved.
