
Page 1: Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services

Oct. 27, 2010, BROADNETS 2010 @ Athens, Greece

Daisuke Hara, Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama

The University of Electro-Communications, Tokyo, Japan

Page 2: Outline

Introduction
– Background
  – Increase in end users' Web contents
  – Problems of sharing a Web server
  – Existing approaches about runtime privilege
Proposal - Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services
  – Design
  – Implementation
Evaluation
Conclusions

Page 3: Introduction

Problem of sharing a Web server
– Malicious users that share the server can potentially steal, delete, or tamper with other users' files.

Proposal: a Web server system that solves the problem and that achieves high site-number scalability with little performance degradation

Contributions:
1. We have clarified the security problems and requirements of shared hosting services.
2. We have clarified existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux.

Page 4: Background

More people are creating their own content and publishing it on the Web as the Internet grows in popularity.
– End users create weblogs, wikis, CMSs.

Shared hosting services are widely used.
– Many customers share a server: 100s - 1000s sites/server
– Low price and flexible (custom CGI, etc.)

Page 5: Hosting service

Shared hosting service vs. Dedicated hosting service

                                                        Shared hosting service       Dedicated hosting service
Analogy of houses                                       apartment / condominium      single-family house
Number of Web sites : Web server programs : machines    N:1:1 (*N = 100s - 1000s)    1:1:1
Available machine resources (e.g. CPU, memory, disk)    limited (shared)             all (dedicated)
Fee                                                     low (a few $/month)          expensive

Shared hosting service:
• Suitable for end users
• Target of our study

[Figure: a shared hosting server, with N Web sites served by one Web server program on one machine]

Page 6: Problem of sharing a Web server

Processes of a Web server program (e.g. Apache)
– A parent process runs under the privilege of the root user.
  • binds port 80
– Many server (child) processes run under the privilege of a dedicated user (e.g. apache, www-data, www).
  • process requests

Because the child processes run as that dedicated user rather than as the customer who owns the content, read, write, and execute permission on the content files must be granted to the "other" class.
– UNIX permission model: owner/group/other

Page 7: Problem of sharing a Web server (cont.)

Malicious users that share the server can illegally steal, delete, or tamper with other users' files.
– (i-1) command attack, (i-2) HTTP attack

[Figure: a Web server whose server processes all run as www (the runtime privilege), user accounts A, B, C with their files, a Web client, and a malicious user who reaches other users' files either through command-line tools (i-1) or through HTTP (i-2). Request flow: (1) receive HTTP request, (2) process request, (3) send response.]

(0) File permission
• rw-/---/r-- (static contents (e.g., HTML and image files))
• rw-/---/rw- (e.g., log files, wiki's data files)
• rwx/---/r-x (CGI scripts)
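The permission problem on these two slides is simply the UNIX owner/group/other rule applied to the three modes listed under (0). The following is an added model of that check, not code from the Hi-sap project; the customer names, file names, the shared runtime user "www" and the sample file set are constructed for the example. It shows why the grant that lets the shared server serve customer B's site gives every other customer exactly the same view, and how a per-customer worker lets the "other" class be dropped entirely.

```python
"""Added example (not Hi-sap project code): a model of the UNIX
owner/group/other permission check applied to the three file modes
shown on the "Problem of sharing a Web server" slides. The customer
names, file names and the shared runtime user "www" are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: str                        # user the process runs as
    gids: frozenset = frozenset()   # group memberships


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int                       # permission bits only, 0o000..0o777


def mode_from_slide(text: str) -> int:
    """Parse the slide's 'rw-/---/r--' notation into an octal mode."""
    parts = text.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected owner/group/other, got {text!r}")
    mode = 0
    for triplet in parts:
        if len(triplet) != 3:
            raise ValueError(f"bad permission triplet: {triplet!r}")
        bits = 0
        for ch, letter, bit in zip(triplet, "rwx", (4, 2, 1)):
            if ch == letter:
                bits |= bit
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {triplet!r}")
        mode = (mode << 3) | bits
    return mode


def unix_allows(proc: Process, f: File, op: str) -> bool:
    """Classic DAC rule: exactly one class is consulted (owner if the uid
    matches, else group if any gid matches, else other); no fall-through."""
    bit = {"r": 4, "w": 2, "x": 1}[op]
    if proc.uid == f.owner:
        klass = (f.mode >> 6) & 7
    elif f.group in proc.gids:
        klass = (f.mode >> 3) & 7
    else:
        klass = f.mode & 7
    return bool(klass & bit)


# Customer B's content with the modes from slide 7 (constructed sample).
CUSTOMER_B_FILES = {
    "index.html": File("B", "B", mode_from_slide("rw-/---/r--")),  # static content
    "wiki.dat":   File("B", "B", mode_from_slide("rw-/---/rw-")),  # wiki data / logs
    "post.cgi":   File("B", "B", mode_from_slide("rwx/---/r-x")),  # CGI script
}
# Access the shared server needs on each file in order to serve B's site.
SERVER_NEEDS = {"index.html": "r", "wiki.dat": "rw", "post.cgi": "rx"}

SHARED_RUNTIME_USER = Process("www")   # vanilla Apache child processes
CUSTOMER_A_SHELL = Process("A")        # customer A's command-line tools (i-1)


def server_can_serve(proc: Process, files: dict, needs: dict) -> bool:
    """True if `proc` holds every permission the server needs on `files`."""
    return all(unix_allows(proc, files[name], op)
               for name, ops in needs.items() for op in ops)


def exposure(proc: Process, files: dict) -> dict:
    """Map (file, op) -> allowed for every file and op: the view `proc`
    gets of the customer's content under plain UNIX permissions."""
    return {(name, op): unix_allows(proc, f, op)
            for name, f in files.items() for op in "rwx"}


def hisap_file(owner: str) -> File:
    """Mode shown on the Partition slide: nothing granted to group or
    other, because the worker serving the site runs as the owner."""
    return File(owner, owner, mode_from_slide("rw-/---/---"))
```

The decisive check is `exposure(CUSTOMER_A_SHELL, ...) == exposure(SHARED_RUNTIME_USER, ...)`: under DAC, www and a fellow customer are both "other", so whatever www must be able to read or write, customer A can read or write too. With `hisap_file`, the same files serve fine to a process running as B and are unreadable to A and to www.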

Page 8: Existing approaches about runtime privilege

Approach                  Security in server   Basic performance (throughput/latency)   Site-number scalability              Generality
Container/VM              excellent            excellent                                poor (overhead of virtualization)    poor (modifications of kernel)
PHP safe mode             good                 excellent                                excellent                            poor (PHP-specific)
POSIX ACL (with suEXEC)   good                 poor (twice fork&exec)                   excellent                            good
(vanilla Apache)          poor                 excellent                                excellent                            good

Existing approaches solve a portion of the security problem, but they either lack performance, site-number scalability, or generality.

Page 9: Design

The privilege of server processes is changed in advance so that the processes can be reused.
=> It can avoid performance degradation.

A "dispatcher" distributes requests to "workers", which are server processes that run under the privilege of an individual user.

[Figure: the dispatcher forwards requests to reusable workers A, B, C; A, B, C are the privileges of the server processes (an individual user each)]

Page 10: Partition

Hi-sap protects customer files by isolating them in separate security domains, called "partitions".
– A unit of protection by using a secure OS facility

[Figure: type enforcement of a secure OS. Workers A (mod_python), B (mod_perl), and C (mod_ruby) run in domains A, B, and C; customer files carry types A, B, and C. Site X is in partition A; site Y has content Y1 in partition B and content Y2 in partition C. A, B, C denote the privilege/owner (an individual user). File permission: rw-/---/---.]

(a) An attacker cannot access files in another partition,
(b) even if the files are on the same site.
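The figure relies on type enforcement: every worker runs in its own domain, every partition's files carry their own type, and an access succeeds only when an explicit rule pairs that domain with that type. The following is an added model of that decision, not the project's SELinux policy; the domain and type names, the rule builder and the site layout (site X in partition A, site Y split over partitions B and C, as in the figure) are constructed for the example. On a real system SELinux applies this check in addition to the UNIX permission check; only the type-enforcement part is modelled here.

```python
"""Added example (not Hi-sap project code): a deny-by-default type
enforcement model for the partitions on the "Partition" slide. Domain
names, type names and rules are constructed and are not the project's
SELinux policy.
"""
from dataclasses import dataclass, field


@dataclass
class TEPolicy:
    # allow rules: (source domain, target file type) -> permitted operations
    rules: dict = field(default_factory=dict)

    def allow(self, domain: str, ftype: str, perms: str) -> None:
        self.rules.setdefault((domain, ftype), set()).update(perms)

    def permits(self, domain: str, ftype: str, op: str) -> bool:
        """No matching rule means no access; there is no 'other' class."""
        return op in self.rules.get((domain, ftype), set())


@dataclass(frozen=True)
class Content:
    site: str        # the Web site the content belongs to
    partition: str   # the partition (security domain) that holds it

    @property
    def ftype(self) -> str:
        return f"partition_{self.partition}_t"     # constructed type name


def worker_domain(partition: str) -> str:
    return f"worker_{partition}_t"                 # constructed domain name


def build_policy(partitions) -> TEPolicy:
    """One rule per partition: its own worker may read and write its type.
    Nothing pairs a worker with another partition's type."""
    policy = TEPolicy()
    for part in partitions:
        policy.allow(worker_domain(part), f"partition_{part}_t", "rw")
    return policy


# Layout from the slide's figure (constructed sample).
CONTENTS = {
    "X":  Content("X", "A"),   # site X, partition A
    "Y1": Content("Y", "B"),   # site Y, partition B
    "Y2": Content("Y", "C"),   # site Y, partition C
}
POLICY = build_policy({"A", "B", "C"})


def can_access(worker_partition: str, content_name: str, op: str = "r") -> bool:
    """Would the worker of `worker_partition` be allowed `op` on the content?"""
    content = CONTENTS[content_name]
    return POLICY.permits(worker_domain(worker_partition), content.ftype, op)


def cross_partition_reach(worker_partition: str) -> list:
    """Contents outside the worker's own partition that it can read.
    An empty list means the isolation in (a) and (b) holds."""
    return sorted(name for name, c in CONTENTS.items()
                  if c.partition != worker_partition
                  and can_access(worker_partition, name))


def same_site_isolation(site: str) -> bool:
    """(b): no worker can read a piece of `site` that lives in a partition
    other than its own, even though the pieces belong to one site."""
    pieces = {n: c for n, c in CONTENTS.items() if c.site == site}
    return all(not can_access(other.partition, name)
               for name, c in pieces.items()
               for other in pieces.values() if other.partition != c.partition)
```

`can_access("B", "Y2")` is the case the slide calls (b): worker B serves site Y, yet content Y2 of the same site sits in partition C, and no rule pairs `worker_B_t` with `partition_C_t`, so the read is refused.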

Page 11: Content access scheduler

A Web-server-level scheduler that enhances the scalability of the number of partitions in a server.

It controls the creation and termination of workers.

Page 12: Implementation

We implemented Hi-sap on a Linux OS with SELinux.

The dispatcher was implemented as an Apache module, mod_hisap, on an Apache HTTP server (ver. 2.0.55).

One thousand Apache HTTP servers (ver. 2.0.55) were used as workers.
– Each worker waited for requests at a unique port.

The content access scheduler and other management facilities of the workers were implemented as a daemon, hisapd.

Page 13: Overview of request processing

[Figure: request flow between a Web client, the dispatcher (privilege www), hisapd (privilege root) and workers A, B, C (privileges A, B, C). The client speaks HTTP to the dispatcher; the dispatcher and the workers communicate over a UNIX domain socket.]

(1) The dispatcher receives the request: GET / HTTP/1.1, Host: www.C.net
(2) It determines whether worker C is active.
(3) If worker C is not active, it asks hisapd to activate worker C.
(4) hisapd activates worker C. Under heavy load, hisapd (i) selects worker A, which has no requests, and (ii) terminates worker A.
(5) The dispatcher forwards the request to worker C (reverse proxy).
(6) Worker C processes the request.
(7) Worker C forwards the response to the dispatcher.
(8) The dispatcher sends the response to the client.

Server process privileges: A, B, C, www, root.
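The eight steps above, together with the scheduler's (i)/(ii) termination under load, can be exercised as a small simulation. The following is an added example, not code from mod_hisap or hisapd: the dispatcher maps the Host header to a partition, asks the scheduler to activate that partition's worker if it is not running, and forwards the request; the scheduler keeps at most `max_active` workers alive and, when full, terminates the least recently used worker that has no request in flight. The virtual-host table, the cap, the LRU choice and the sample traffic are constructed assumptions, not the real hisapd algorithm.

```python
"""Added example (not Hi-sap project code): a simulation of the request
flow on the "Overview of request processing" slide. Hostnames, the
worker cap and the LRU victim choice are constructed assumptions.
"""
from collections import OrderedDict

HOST_TO_PARTITION = {               # constructed virtual-host table
    "www.a.example": "A",
    "www.b.example": "B",
    "www.c.net": "C",
}


class Scheduler:
    """Owns the worker lifecycle; on the slide this is hisapd (root)."""

    def __init__(self, max_active: int):
        self.max_active = max_active
        self.active = OrderedDict()     # partition -> requests in flight, LRU order
        self.log = []

    def is_active(self, part: str) -> bool:
        return part in self.active

    def activate(self, part: str) -> None:
        if part in self.active:
            return
        if len(self.active) >= self.max_active:
            # (i) select the oldest worker with no requests, (ii) terminate it
            victim = next((p for p, n in self.active.items() if n == 0), None)
            if victim is None:
                raise RuntimeError(f"all {self.max_active} workers busy; cannot start {part}")
            del self.active[victim]
            self.log.append(f"terminate worker {victim}")
        self.active[part] = 0
        self.log.append(f"activate worker {part}")

    def begin(self, part: str) -> None:
        self.active[part] += 1
        self.active.move_to_end(part)   # mark most recently used

    def end(self, part: str) -> None:
        self.active[part] -= 1


class Dispatcher:
    """Receives HTTP requests; on the slide this is mod_hisap running as
    www. It never touches customer files, it only proxies to a worker."""

    def __init__(self, scheduler: Scheduler):
        self.sched = scheduler
        self.log = []

    @staticmethod
    def host_of(request: str) -> str:
        for line in request.split("\r\n"):
            if line.lower().startswith("host:"):
                return line.split(":", 1)[1].strip().lower()
        return ""

    def handle(self, request: str) -> tuple:
        """Return (status, body) for one raw HTTP request string."""
        host = self.host_of(request)                            # (1) receive request
        part = HOST_TO_PARTITION.get(host)
        if part is None:
            return 404, "unknown virtual host"
        if not self.sched.is_active(part):                      # (2) worker active?
            self.log.append(f"ask to activate worker {part}")   # (3)
            self.sched.activate(part)                           # (4)
        self.sched.begin(part)                                  # (5) forward request
        try:
            body = f"served by worker {part} running as user {part}"  # (6) process
        finally:
            self.sched.end(part)                                # (7) response back
        return 200, body                                        # (8) send response


def run(requests: list, max_active: int) -> tuple:
    """Drive the simulation; returns (responses, scheduler log, active workers)."""
    sched = Scheduler(max_active)
    disp = Dispatcher(sched)
    responses = [disp.handle(r) for r in requests]
    return responses, sched.log, list(sched.active)


REQUESTS = [   # constructed sample traffic; the third line is the slide's request
    "GET / HTTP/1.1\r\nHost: www.a.example\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.b.example\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.C.net\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.nobody.test\r\n\r\n",
]

if __name__ == "__main__":
    for item in run(REQUESTS, max_active=2):
        print(item)
```

With a cap of two workers, the third request (site C) forces the scheduler to pick worker A, the oldest idle one, and terminate it before starting worker C; a request for an unknown Host header is answered by the dispatcher itself and never reaches a worker.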

Page 14: Evaluation

Experimental environment

Network: switching hub DELL PowerConnect 2724 (1000BASE-T x 24); Gigabit Ethernet links from the server and the client to the hub

Server
  CPU     AMD Opteron 240EE, 1.4 GHz x 2
  Memory  4 GB (swap 8 GB)
  OS      Fedora Core 4 (kernel 2.6.14)
  NIC     Broadcom BCM5704C, 1 Gbps

Client
  CPU     Intel Pentium III Xeon, 500 MHz x 4
  Memory  256 MB (swap 512 MB)
  OS      Fedora Core 4 (kernel 2.6.14)
  NIC     Intel PRO/1000XT PWLA8490XT, 1 Gbps

Page 15: Basic performance evaluation - throughput -

The throughput with Hi-sap was, on average, 2.0% lower than with Apache and was a maximum of 6.9% lower.

The overhead of Hi-sap is very low.

[Chart: throughput (N/s), 0–50, against request frequency (N/s), 10–100; series: Apache, One-to-one, Hi-sap, suEXEC]

Web application: tDiary 2.0.2 (written in Ruby)

Benchmark: httperf 0.8

One-to-one is similar to Hi-sap (mod_hisap and hisapd were not installed).

Page 16: Basic performance evaluation - latency -

The latencies of Apache, one-to-one, and Hi-sap were small.

The latency of suEXEC was very large, so suEXEC is not suitable.

[Chart: latency (s), 0–20, against request frequency (N/s), 10–100; series: Apache, One-to-one, Hi-sap, suEXEC]

Page 17: Site-number scalability evaluation

Hi-sap's scalability is high.
– The reduction in throughput with Hi-sap as the number of partitions increased was lower than with one-to-one.
– With one-to-one, the OS crashed due to a memory shortage when the number of partitions reached about 600.

Web application: PHP script (It calls phpinfo(), which displays the system information of the PHP language processor.)

Benchmark: Apache Benchmark

[Chart: throughput (N/s), 0–500, against number of partitions (N), 100–1000; series: Hi-sap, One-to-one]

Page 18: Site-number scalability evaluation - memory utilization -

The swap utilization of one-to-one increased dramatically as the number of partitions increased.
– This is the reason for the OS crash.

Hi-sap does not use as much swap space because of the content access scheduler.

[Chart: memory utilization (%), 0–100, against number of partitions (N), 100–1000; series: One-to-one memory, Hi-sap memory, One-to-one swap, Hi-sap swap]

Page 19: Conclusions

Proposal:
– A Web server system that solves the problem and that achieves high site-number scalability with little performance degradation

Contributions:
1. We have clarified security problems and requirements of shared hosting services.
2. We have clarified existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux.

Our evaluation results demonstrate that Hi-sap qualitatively and quantitatively satisfies the requirements.

Page 20: Future work

Optimizing the content access scheduler algorithm to avoid swapping and to enable more than 1000 sites to be housed

Applying the concept of Hi-sap to other server programs that provide service to many users
– e.g., mail servers and network file systems

Page 21

Thank you.

Any questions/comments?