210 likes | 315 Vues
Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services. Daisuke Hara , Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama The University of Electro-Communications, Tokyo, Japan. Outline. Introduction Background Increase in end users’ Web contents
E N D
Hi-sap: Secure and ScalableWeb Server Systemfor Shared Hosting Services Daisuke Hara, Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama The University of Electro-Communications, Tokyo, Japan BROADNETS 2010@Athens, Greece
Outline • Introduction • Background • Increase in end users’ Web contents • Problems of sharing a Web server • Existing approaches about runtime privilege • Proposal - Hi-sap: Secure and ScalableWeb Server System for Shared Hosting Services • Design • Implementation • Evaluation • Conclusions
Introduction • Problem of sharing a Web server • Malicious users that share the server can potentially steal, delete, or tamper with other user’s files. • Proposal: a Web server system that solves the problem and that achieves high site-number scalability with little performance degradation • Contributions: • We have clarified security problems and requirements of shared hosting services. • We have clarified that existing approaches and their limitations. • We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux.
Background • More people are creating their own content and publishing it on the Web as the Internet grows in popularity. • End users create weblogs, wikis, CMSs. • Shared hosting services are widely used. • Many customers share a server. • 100s - 1000s sites/server • low price & flexible • custom CGI, etc.
Hosting service • Shared hosting service vs. Dedicated hosting service Web server program Web site … … machine • Suitable for end users • Target of our study
Problem of sharing a Web server • Processes of a Web server program (e.g. Apache) • A parent process run under the privilege of a root user. • binding port 80 • Many server (child) processes run under the privilege of a dedicated user (e.g. apache, www-data, www). • processing requests • Read, write, execution permission on these content files must be granted to an other. • UNIX permission model: owner/group/other
(1) receive HTTP request Problem of sharing a Web server (cont.) • Malicious users that share the server can illegally steal, delete, or tamper with other user’s files. • (i-1) command attack, (i-2) HTTP attack • (0) File permission • rw-/---/r-- (static contents (e.g., HTML and image files)) • rw-/---/rw- (e.g., log files, wiki’s data files) • rwx/---/r-x (CGI scripts) Web server Web client www A www (i-1) www Malicioususer B (3) send response (i-2) www C (2) process request ・・・ ・・・ ・・・ www: runtime privilege HTTP Server process User account User’s file Command-line tools
Existing approaches about runtime privilege • Existing approaches solve a portion of the security problem, but they either lack performance,site-number scalability, or generality.
Design • The privilege of server processes is changed in advance to reuse them. => It can avoid performance degradation. • A “dispatcher” distributes requests to “workers” that are server processes and run under the privilege of an individual user. Dispatcher forward A B C workers A,B,C – privilege of server processes (an individual user) reusable
Partition • Hi-sap protects customer files by isolating them in separate security domains, called “partition”. • A unit of protection by using a secure OS facility Site X (Partition A) Site Y Content Y1 (Partition B) Content Y2 (Partition C) Domain A Domain B Domain C Server process worker (C) worker (A) worker (B) Customer file mod_python mod_perl mod_ruby File access (b) (a) File permission rw-/---/-— Type enforcement of a secure OS Type A Type B Type C A,B,C – privilege/owner (an individual user) A B C • An attacker cannot access files in other partition, • even if the files are on the same site.
Content access scheduler • A Web-server-level scheduler that enhances the scalability of the number of partitions in a server. • It controls the creation and termination of workers.
Implementation • We implemented Hi-sap on a Linux OS with SELinux. • The dispatcher was implemented as an Apache module, mod_hisap, on an Apache HTTP server (ver. 2.0.55). • One thousand Apache HTTP servers (ver. 2.0.55) were used as workers. • Each worker waited for requests at a unique port. • The content access scheduler and other management facilities of the workers were implemented as a daemon, hisapd.
(1) receive request GET / HTTP/1.1 Host: www.C.net worker A worker C C A C A C Overview of request processing (3) ask to activate worker C (2) determine if worker C is active (i) select worker A, who has no requests Web client heavy load hisapd dispatcher root www www (8) send response root (4) activate worker C (ii) terminate worker A (7) forward response (5) forward request … worker B reverseproxy B (6) process request B Hi-sap workers UNIX domain socket HTTP A,B,C,www,root: privilege Server process
Evaluation • Experimental environment Gigabit Ethernet Gigabit Ethernet
Basic performance evaluation - throughput - • The throughput with Hi-sap was, on average, 2.0% lower than with Apache and was a maximum of 6.9% lower. • The overhead of Hi-sap is very low. • Web application: tDiary 2.0.2 (written in Ruby) • Benchmark: httperf 0.8 • One-to-one is similar to Hi-sap (mod_hisap and hisapd were not installed).
Basic performance evaluation - latency - • The latencies of Apache, one-to-one, and Hi-sap were small. • The latency of suEXEC was very large, so suEXEC is not suitable.
Site-number scalability evaluation • Hi-sap’s scalability is high. • The reduction in throughput with Hi-sap as the number of partitions increased was lower than with one-to-one. • With one-to-one, the OS crashed due to a memory shortage when the number of partitions reached about 600. • Web application: PHP script (It calls phpinfo(), which displays the system information of the PHP language processor.) • Benchmark: Apache Benchmark
Site-number scalability evaluation- memory utilization - • The swap utilization of one-to-one increased dramatically as the number of partitions increased. • This is the reason for the OS crash. • Hi-sap does not use swap space as much because of content access scheduler.
Conclusions • Proposal: • A Web server system that solves the problem and that achieves high site-number scalability with little performance degradation • Contributions: • We have clarified security problems and requirements of shared hosting services. • We have clarified existing approaches and their limitations. • We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux. Our evaluation results demonstrate Hi-sap qualitatively and quantitatively satisfies the requirements.
Future work • Optimizing the content access scheduler algorithm to avoid swapping and to enable more than 1000 sites to be housed • Applying the concept of Hi-sap to other server programs that provide service to many users • e.g., mail servers and network file systems
Thank you. Any questions/comments?