Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services
Daisuke Hara, Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama
The University of Electro-Communications, Tokyo, Japan
BROADNETS 2010, Athens, Greece, Oct. 27, 2010
Outline
• Introduction
• Background
  – Increase in end users' Web content
  – Problems of sharing a Web server
  – Existing approaches to runtime privilege
• Proposal: Hi-sap, a secure and scalable Web server system for shared hosting services
  – Design
  – Implementation
• Evaluation
• Conclusions
Introduction
• Problem of sharing a Web server
  – Malicious users that share the server can potentially steal, delete, or tamper with other users' files.
• Proposal: a Web server system that solves this problem and achieves high site-number scalability with little performance degradation
• Contributions:
  1. We have clarified the security problems and requirements of shared hosting services.
  2. We have clarified existing approaches and their limitations.
  3. We have designed a secure and scalable Web server system for shared hosting services and implemented it on a Linux OS with SELinux.
Background
• More people are creating their own content and publishing it on the Web as the Internet grows in popularity.
  – End users create weblogs, wikis, and CMS-based sites.
• Shared hosting services are widely used.
  – Many customers share one server: 100s to 1000s of sites per server.
  – Low price, and flexible (custom CGI, etc.).
Hosting service
Shared hosting service vs. dedicated hosting service

Item                                            | Shared hosting service    | Dedicated hosting service
------------------------------------------------+---------------------------+--------------------------
Analogy of houses                               | apartment / condominium   | single-family house
Web sites : Web server programs : machines      | N:1:1 (N = 100s - 1000s)  | 1:1:1
Available machine resources (CPU, memory, disk) | limited (shared)          | all (dedicated)
Fee                                             | low (a few $/month)       | expensive

[Figure: in shared hosting, N Web sites are served by one Web server program on one machine]
• Shared hosting is suitable for end users and is the target of our study.
Problem of sharing a Web server
• Processes of a Web server program (e.g., Apache)
  – A parent process runs with root privilege; it binds port 80.
  – Many server (child) processes run with the privilege of one dedicated user (e.g., apache, www-data, www); they process the requests.
• Because every site's requests are processed under that one dedicated user, read, write, and execute permission on the content files must be granted to "other".
  – UNIX permission model: owner/group/other
Problem of sharing a Web server (cont.)
• Malicious users that share the server can illegally steal, delete, or tamper with other users' files.
  – (i-1) command attack: through command-line tools on the server
  – (i-2) HTTP attack: through HTTP requests to the Web server (the attacker's own CGI or Web application runs as www, the same user that serves everyone else)
• (0) File permissions the shared model requires:
  – rw-/---/r-- for static content (e.g., HTML and image files)
  – rw-/---/rw- for files the server writes (e.g., log files, wiki data files)
  – rwx/---/r-x for CGI scripts
[Figure: one Web server whose server processes all run as www (the runtime privilege) serving the files of users A, B, and C; a malicious user attacks via command-line tools (i-1) and via HTTP (i-2). Request flow: (1) receive HTTP request, (2) process request, (3) send response.]
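To make the slide's point concrete, here is an added example (not code from the Hi-sap paper) that does two things: it models the classic owner/group/other decision to show what the shared www user, and therefore any other customer's CGI running as www, can do to customer A's files under the modes listed above, and it walks a document root and flags every file that grants anything to "other". The directory layout, file modes and uids are constructed for the example.

```python
"""Audit a shared-hosting document root for files that the single-www-user
model forces open to 'other'.

Added example for this page, not code from the Hi-sap paper. The document
root layout, file modes and uids below are constructed for the example.
"""
import os
import stat
import tempfile

# File modes the slide lists as necessary when every site is served as www.
SHARED_HOSTING_MODES = {
    "static": 0o604,    # rw-/---/r--  (HTML, images)
    "writable": 0o606,  # rw-/---/rw-  (log files, wiki data files)
    "cgi": 0o705,       # rwx/---/r-x  (CGI scripts)
    "private": 0o600,   # rw-/---/---  (what a customer would actually want)
}

# Constructed identities: two customers and the shared server user.
UID_A, UID_B, UID_WWW = 1001, 1002, 48


def posix_allows(mode, file_uid, file_gid, uid, gids, want):
    """Classic owner/group/other decision for a non-root caller.

    want is 'r', 'w' or 'x'. Exactly one class of bits is consulted: the
    owner's if uid matches, else the group's if any of gids match, else
    'other'. No ACLs and no mandatory access control are modelled here.
    """
    if uid == file_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif file_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return bool(mode & bits["rwx".index(want)])


def www_can(kind, want):
    """Can the shared www user do `want` to customer A's file of this kind?

    Customer B's CGI also runs as www, so this is exactly what B can do to A.
    """
    return posix_allows(SHARED_HOSTING_MODES[kind], UID_A, UID_A, UID_WWW, {UID_WWW}, want)


def other_exposure(mode):
    """Permissions a mode grants to 'other', as a list in r/w/x order."""
    exposed = []
    if mode & stat.S_IROTH:
        exposed.append("read")
    if mode & stat.S_IWOTH:
        exposed.append("write")
    if mode & stat.S_IXOTH:
        exposed.append("exec")
    return exposed


def audit_tree(root):
    """Walk root and report every regular file that grants anything to 'other'.

    Returns {path relative to root: exposure list}. On a shared server every
    other customer (through a CGI running as www) is 'other'.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            exposed = other_exposure(st.st_mode)
            if exposed:
                findings[os.path.relpath(path, root)] = exposed
    return findings


def build_sample_docroot():
    """Create a constructed docroot laid out the way a shared Apache forces it."""
    root = tempfile.mkdtemp(prefix="shared-hosting-audit-")
    layout = {
        "siteA/index.html": "static",
        "siteA/wiki/data.db": "writable",
        "siteA/cgi-bin/post.cgi": "cgi",
        "siteB/index.html": "static",
        "siteB/private/.htpasswd": "private",
    }
    for rel, kind in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(rel + "\n")
        os.chmod(path, SHARED_HOSTING_MODES[kind])
    return root


if __name__ == "__main__":
    for rel, exposed in sorted(audit_tree(build_sample_docroot()).items()):
        print(f"{rel}: other can {', '.join(exposed)}")
```

Running the audit on the constructed tree lists every file except siteB's .htpasswd, and `www_can` confirms the consequence: www can read A's static files and CGI source and can overwrite A's wiki data, so B's CGI can too. The .htpasswd with rw-/---/--- is safe from other customers but also unreadable by the server, which is exactly the dilemma the slide describes.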
Existing approaches to runtime privilege

Approach                | Security in server | Basic performance (throughput/latency) | Site-number scalability           | Generality
------------------------+--------------------+----------------------------------------+-----------------------------------+-------------------------------
Container/VM            | excellent          | excellent                              | poor (overhead of virtualization) | poor (modifications of kernel)
PHP safe mode           | good               | excellent                              | excellent                         | poor (PHP-specific)
POSIX ACL (with suEXEC) | good               | poor (twice fork & exec)               | excellent                         | good
Vanilla Apache          | poor               | excellent                              | excellent                         | good

Existing approaches solve a portion of the security problem, but each lacks performance, site-number scalability, or generality.
Design
• The privilege of each server process is changed in advance, not on every request, so that the process can be reused.
  => This avoids the performance degradation of a per-request privilege change (the fork & exec cost seen with suEXEC).
• A "dispatcher" distributes requests to "workers": server processes that run with the privilege of an individual user.
[Figure: the dispatcher forwards requests to workers A, B, and C; each worker runs with the privilege of user A, B, or C and is reusable across requests.]
Partition
• Hi-sap protects customer files by isolating them in separate security domains, called "partitions".
  – A partition is the unit of protection, enforced with a secure OS facility (type enforcement).
• Each worker runs in its own domain (A, B, C) and can access only the files labelled with the matching type (Type A, B, C). File permission bits can therefore be rw-/---/---: nothing is granted to "other".
  – (a) An attacker cannot access files in another partition,
  – (b) even if the files belong to the same site (e.g., site Y's content Y1 in partition B and content Y2 in partition C).
[Figure: workers A (mod_python), B (mod_perl), and C (mod_ruby) run in domains A, B, and C; site X is in partition A; site Y is split into content Y1 (partition B) and content Y2 (partition C); file access is mediated by the type enforcement of a secure OS. A, B, C: privilege/owner (an individual user).]
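As an illustrative sketch added here (the slides do not show Hi-sap's actual policy), this is the shape the type-enforcement rules behind two partitions take in SELinux policy language. The type and domain names (hisap_worker_a_t, hisap_content_a_t, and so on) and the exact permission sets are assumptions; how each worker process enters its domain at start-up is omitted. The point is structural: there is simply no rule pairing worker A's domain with content B's type, and SELinux denies anything not explicitly allowed, independently of the DAC permission bits.

```selinux
# Illustrative SELinux type enforcement rules for two Hi-sap partitions.
# Names and permission sets are assumptions for this example, not the paper's policy.

# One domain per worker and one type per customer's content.
type hisap_worker_a_t;
type hisap_content_a_t;
type hisap_worker_b_t;
type hisap_content_b_t;

# Worker A may traverse, read and execute only content labelled with its own type.
allow hisap_worker_a_t hisap_content_a_t:dir  { getattr search read open };
allow hisap_worker_a_t hisap_content_a_t:file { getattr read open execute execute_no_trans };
# Files the application writes (log files, wiki data) stay inside the partition as well.
allow hisap_worker_a_t hisap_content_a_t:file { write append create unlink };

# Same shape for worker B. There is deliberately no rule pairing
# hisap_worker_a_t with hisap_content_b_t or vice versa; since SELinux
# is default-deny, cross-partition access is refused even where the
# UNIX permission bits would have allowed it.
allow hisap_worker_b_t hisap_content_b_t:dir  { getattr search read open };
allow hisap_worker_b_t hisap_content_b_t:file { getattr read open execute execute_no_trans };
allow hisap_worker_b_t hisap_content_b_t:file { write append create unlink };
```

Because both the DAC check and the type-enforcement check must pass, the content files can keep rw-/---/--- and still be served: the worker is the owner for DAC purposes and has a matching allow rule for SELinux, while every other worker fails both. Site Y's split into two partitions is just two more type/domain pairs with the same one-to-one rules.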
Content access scheduler
• A Web-server-level scheduler that enhances the scalability of the number of partitions on a server.
• It controls the creation and termination of workers, so that workers consume memory only while they have requests to serve.
Implementation
• We implemented Hi-sap on a Linux OS with SELinux.
• The dispatcher was implemented as an Apache module, mod_hisap, on an Apache HTTP server (ver. 2.0.55).
• One thousand Apache HTTP servers (ver. 2.0.55) were used as workers.
  – Each worker waits for requests on a unique port.
• The content access scheduler and the other management facilities for the workers were implemented as a daemon, hisapd.
Overview of request processing
[Figure: Web client -> dispatcher (Apache server processes running as www) -> workers A, B, C (each running with its own user's privilege); hisapd runs as root. Dispatcher and hisapd talk over a UNIX domain socket; dispatcher and workers talk over HTTP.]
1. The dispatcher receives the request, e.g. "GET / HTTP/1.1" with "Host: www.C.net".
2. It determines whether worker C, the worker for that site, is active.
3. If not, it asks hisapd (over the UNIX domain socket) to activate worker C.
4. hisapd activates worker C.
5. The dispatcher forwards the request to worker C as a reverse proxy (over HTTP).
6. Worker C processes the request.
7. Worker C returns the response to the dispatcher.
8. The dispatcher sends the response to the client.
Under heavy load, hisapd (i) selects a worker that has no pending requests (here worker A) and (ii) terminates it to free memory.
Privileges: server processes run as A, B, C, www, or root as shown.
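The dispatcher/worker/scheduler flow from the Design, Content access scheduler, and request-processing slides, as an added simulation that is not the mod_hisap or hisapd code. Host names, ports, user names and the budget of resident workers are constructed for the example, and the reclaim policy (terminate the least recently used idle worker) is an assumption; the slides only say that a worker with no requests is selected and terminated, and the actual algorithm is listed as future work.

```python
"""Simulation of Hi-sap's dispatcher and content access scheduler.

Added example for this page; it is not the paper's mod_hisap/hisapd code.
Host names, ports, user names and the resident-worker budget are constructed
for the example. One worker per partition, each standing in for an Apache
instance running as its own user, activated on demand and reclaimed when idle.
"""
from collections import OrderedDict


def parse_host(raw_request):
    """Return the Host header of a raw HTTP/1.1 request, lower-cased, without port."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    raise ValueError("request has no Host header")


class Worker:
    """A per-partition server process: its own user, its own port, reusable."""

    def __init__(self, user, port):
        self.user = user
        self.port = port
        self.active = False
        self.inflight = 0   # requests currently being processed

    def process(self, raw_request):
        # A real worker is a full Apache; here it only reports who served the request.
        first_line = raw_request.split("\r\n", 1)[0]
        body = f"{first_line} served by worker {self.user} on port {self.port}"
        return f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}"


class ContentAccessScheduler:
    """Stand-in for hisapd: activates workers on demand and, when the budget of
    resident workers is exhausted, terminates the least recently used idle one."""

    def __init__(self, workers, max_active):
        self.workers = workers          # user -> Worker
        self.max_active = max_active    # how many workers may be resident at once
        self.lru = OrderedDict()        # active users, least recently used first
        self.log = []                   # activation/termination events

    def activate(self, user):
        worker = self.workers[user]
        if worker.active:
            self.lru.move_to_end(user)
            return worker
        if len(self.lru) >= self.max_active:
            self._reclaim_one()
        worker.active = True
        self.lru[user] = None
        self.log.append(f"activate {user}")
        return worker

    def _reclaim_one(self):
        # (i) select a worker that has no requests, oldest first; (ii) terminate it.
        for user in list(self.lru):
            if self.workers[user].inflight == 0:
                self.workers[user].active = False
                del self.lru[user]
                self.log.append(f"terminate {user}")
                return
        raise RuntimeError("every resident worker is busy; nothing to reclaim")


class Dispatcher:
    """Stand-in for mod_hisap: maps the Host header to a partition's worker, has the
    scheduler make sure that worker is resident, and reverse-proxies the request."""

    def __init__(self, vhost_to_user, scheduler):
        self.vhost_to_user = vhost_to_user
        self.scheduler = scheduler

    def handle(self, raw_request):
        host = parse_host(raw_request)                      # (1) receive request
        user = self.vhost_to_user.get(host)
        if user is None:
            return "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
        worker = self.scheduler.activate(user)              # (2)-(4) make sure the worker is active
        worker.inflight += 1
        try:
            return worker.process(raw_request)              # (5)-(7) forward, process, return
        finally:
            worker.inflight -= 1                            # (8) response sent; worker idle again


def run_demo(max_active=2):
    """Three sites with a budget of two resident workers; returns (responses, event log)."""
    workers = {u: Worker(u, 8000 + i) for i, u in enumerate("ABC", start=1)}
    scheduler = ContentAccessScheduler(workers, max_active)
    dispatcher = Dispatcher({"www.a.net": "A", "www.b.net": "B", "www.c.net": "C"}, scheduler)
    requests = [
        "GET / HTTP/1.1\r\nHost: www.A.net\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: www.B.net\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: www.C.net\r\n\r\n",   # budget full: A is idle and oldest, so it goes
        "GET / HTTP/1.1\r\nHost: www.A.net\r\n\r\n",   # A is re-activated; B is now reclaimed
    ]
    responses = [dispatcher.handle(r) for r in requests]
    return responses, scheduler.log


if __name__ == "__main__":
    for event in run_demo()[1]:
        print(event)
```

The simulation is synchronous, so a worker is never busy when reclaim runs; in the real system hisapd runs as root (it has to start Apache instances as different users) and the dispatcher's check in step (2) races with terminations, which is why the "no pending requests" condition in (i) matters. The event log shows the memory behaviour of slide 18 in miniature: only two of the three workers are ever resident.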
Evaluation
Experimental environment

        | Server                                | Client
--------+---------------------------------------+--------------------------------------
CPU     | AMD Opteron 240EE, 1.4 GHz x 2        | Intel Pentium III Xeon, 500 MHz x 4
Memory  | 4 GB (swap 8 GB)                      | 256 MB (swap 512 MB)
OS      | Fedora Core 4 (kernel 2.6.14)         | Fedora Core 4 (kernel 2.6.14)
NIC     | Broadcom BCM5704C, 1 Gbps             | Intel PRO/1000XT PWLA8490XT, 1 Gbps
Network | Switching hub: DELL PowerConnect 2724 (1000BASE-T x 24); server and client each attached over Gigabit Ethernet
Basic performance evaluation - throughput -
• The throughput with Hi-sap was, on average, 2.0% lower than with Apache, and at most 6.9% lower.
• The overhead of Hi-sap is therefore very low.
[Figure: throughput (N/s) vs. request frequency (N/s, 10 to 100) for Apache, one-to-one, Hi-sap, and suEXEC]
• Web application: tDiary 2.0.2 (written in Ruby)
• Benchmark: httperf 0.8
• "One-to-one" is the Hi-sap configuration without mod_hisap and hisapd installed, i.e. without the dispatcher and content access scheduler.
Basic performance evaluation - latency -
• The latencies of Apache, one-to-one, and Hi-sap were all small.
• The latency of suEXEC was very large, so suEXEC is not suitable for this workload.
[Figure: latency (s) vs. request frequency (N/s, 10 to 100) for Apache, one-to-one, Hi-sap, and suEXEC]
Site-number scalability evaluation
• Hi-sap's scalability is high.
  – The reduction in throughput as the number of partitions increased was smaller with Hi-sap than with one-to-one.
  – With one-to-one, the OS crashed due to a memory shortage when the number of partitions reached about 600.
• Web application: a PHP script that calls phpinfo(), which displays the system information of the PHP language processor.
• Benchmark: ApacheBench (ab)
[Figure: throughput (N/s) vs. number of partitions (100 to 1000) for Hi-sap and one-to-one]
Site-number scalability evaluation - memory utilization -
• The swap utilization of one-to-one increased dramatically as the number of partitions increased.
  – This is the reason for the OS crash.
• Hi-sap uses far less swap space because the content access scheduler keeps only active workers resident.
[Figure: memory and swap utilization (%) vs. number of partitions (100 to 1000) for one-to-one and Hi-sap]
Conclusions
• Proposal:
  – A Web server system that solves the file-protection problem of shared hosting and achieves high site-number scalability with little performance degradation
• Contributions:
  1. We have clarified the security problems and requirements of shared hosting services.
  2. We have clarified existing approaches and their limitations.
  3. We have designed a secure and scalable Web server system for shared hosting services and implemented it on a Linux OS with SELinux.
• Our evaluation results demonstrate that Hi-sap qualitatively and quantitatively satisfies the requirements.
Future work
• Optimizing the content access scheduler algorithm to avoid swapping and to allow more than 1000 sites to be housed
• Applying the concept of Hi-sap to other server programs that serve many users
  – e.g., mail servers and network file systems
Thank you.
Any questions/comments?