Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea

A Low-Cost Runtime-Privilege Changing System for Shared Servers D a isuke H a r a and Yasuichi Nakayama The University of Electro-Communications, Tokyo, Japan

Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Background ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Hosting Service ,[object Object],[object Object],[object Object],… Web site machine Web server program … low (a few $/month) limited (share) N:1:1 *N = 100s - 1000s apartment / condominium Shared hosting service Dedicated hosting service Analogy of houses single-family house the number of Web sites : Web server programs : machines 1:1:1 available machine resource (e.g. CPU, memory, disk) all (dedicate) fee expensive

Problem of sharing a Web server ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Problem of sharing a Web server (cont.) ,[object Object],[object Object],Server process www www www www ・・・ User account ・・・・・・ User’s file Web server Web client (i-1) (i-2) ,[object Object],[object Object],[object Object],[object Object],HTTP Command-line tools Malicious user A B C (2) process request (3) send response www : runtime privilege (1) receive HTTP request

Existing Approaches about Runtime Privilege ,[object Object],good excellent poor (twice fork&exec) good POSIX ACL (with suEXEC) Security in Server Basic Performance (Throughput/Latency) Site-number Scalability Generality Container /VM excellent excellent poor (overhead of virtualization) poor (modifications of kernel) PHP safe mode good excellent excellent poor (PHP-specific) (vanilla Apache) poor excellent excellent good

Design - Change in Runtime Privilege - ,[object Object],[object Object],[object Object],[object Object],[object Object]

Design - Change in Runtime Privilege - (cont.) ,[object Object],root Server process root root root C ・・・ User account ・・・・・・ User’s file Our system Web client A B C (2) seteuid(C) & setegid(C) (3) process request (5) seteuid(0) & setegid(0) (4) send response www : runtime privilege similar to Samba ,[object Object],[object Object],[object Object],[object Object],(1) receive HTTP request

Design - Change in Runtime Privilege - (cont.) ,[object Object],Server process root root root C ・・・ User account ・・・・・・ User’s file Web client (i-1) (i-2) HTTP Command-line tools Malicious user A B C (1) receive HTTP request (2) seteuid(C) & setegid(C) (3) process request (5) seteuid(0) & setegid(0) (4) send response www : runtime privilege ,[object Object],[object Object],[object Object],[object Object],Our system

Design - Limitation with Changing Runtime Privilege by User Scripts - ,[object Object],[object Object],[object Object],[object Object]

Implementation ,[object Object],[object Object],[object Object]

Evaluation ,[object Object],Broadcom BCM5704C (1 Gbps) NIC Cent OS 5.3 (Linux 2.6.18) OS 4 GB Memory AMD Opteron 240EE 1.4 GHz x 2 CPU Client & Server

Basic performance evaluation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Basic performance evaluation (cont.) - throughput - ,[object Object],[object Object]

Basic performance evaluation (cont.) - latency - ,[object Object],[object Object],[object Object]

Conclusions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Our evaluation results demonstrate that our system solves the security problems in a shared server with little performance degradation.

Future Work ,[object Object],[object Object],[object Object]

[object Object],[object Object]

Existing Approaches about Runtime Privilege - POSIX ACL - ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],www A To be terminated fork(), execve() root ⇒ A setuid(), setgid() fork(), execve()

Existing Approaches about Runtime Privilege - Secure OS - ,[object Object],[object Object],[object Object],[object Object],[object Object]

Existing Approaches about Runtime Privilege - Container and Virtual Machine - ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Existing Approaches about Runtime Privilege - Harache/Hi-sap - ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],root A To be terminated setuid(), setgid() A Reusable forward Dispatcher B C workers

Existing Approaches about Runtime Privilege - POSIX capabilities - ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Applying POSIX capabilities and a secure OS ,[object Object],scope of filesystem where server processes can access scope of server processes’ privilege applying a secure OS CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER ・・・ CAP_MAC_OVERRIDE CAP_MAC_ADMIN applying POSIX capabilities whole filesystem working area ofApache Limiting the scope of the effect of appropriated server processes

Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea

Similar to Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea (20)

More from webhostingguy

More from webhostingguy (20)

Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea