In Web hosting services, hosting systems use access controls like suEXEC on apache Web servers to separate privilege by each virtual host. However, existing access control architectures on Web servers have a problem in their low performance and are not appropriate for dynamic contents like Web API since these architectures require termination of the process after each HTTP session. The system developers are not easy to install existing access controls since these are provided by each interpreter and program execution methods conventionally. In this paper, we propose the access control architecture “mod_process_security”. In this architecture a server process creates a new thread on the server process when accepting a request. Then, the web server separates privilege by the thread and processes the contents on the thread. The server process installed “mod_process_security” executes programs faster. System developers can easily install it on web servers since we replace it with the complicated existing access controls. “mod_process_security” can be installed for Apache HTTP Server on Linux as Apache Module which is widely used.
1. Access Control Architecture
Separating Privilege by a Thread on a Web Server
- mod_process_security -
Ryosuke MATSUMOTO, Yasuo OKABE
Kyoto University
2012/7/18 SAINT2012 Izmir 1
2. Content
1. Introduction
2. Access Control on Web Servers
3. Proposed Access Control Architecture
4. Experiment and Evaluation
5. Conclusion
2012/7/18 SAINT2012 Izmir 2
3. Content
1. Introduction
2. Access Control on Web Servers
3. Proposed Access Control Architecture
4. Experiment and Evaluation
5. Conclusion
2012/7/18 SAINT2012 Izmir 3
4. Background
• Deployment of Cloud Computing
– Cost: Reducing the total cost off ownership (TCO), including hardware,
software and operation
– Security: Confidentiality, Integrity and Availability
• PaaS (Platform as a Service): Large-Scale Shared Web Hosting Service, or
so-called “Virtual Hosting”
– Many Web sites share a single Operating System as well as HW resource.
– Separation among sites is implemented using mechanism ether in OS or
in the Web server.
• Discretionary Access Control (DAC) : the access control model on UNIX
and Windows OS
"as a means of restricting access to objects based on the identity of subjects
and/or groups to which they belong. …” (wikipedia)
– There exist some issues both in security and performance.
• Ex) suEXEC for CGI on Apache HTTP Server
– CGI method: low performance
Executing dynamic contents securely and fast
on large-scale shared Web hosting service
2012/7/18 SAINT2012 Izmir 4
5. Dynamic Contents on Web Servers
• CGI is low-performance
• DSO (Dynamic Shared Object) is enough fast,
but…
CGI DSO
bottleneck
Server Process
Server Process
CGI Process
Program
Program
A built-in Interpreter
Engineers’ needs to use DSO on a shared web hosting.
2012/7/18 SAINT2012 Izmir 5
6. Problem in Dynamic Contents
Problem in access controls
– DSO
• Architecture separating privilege by a server process
• Serious performance degradation when securely executed
– CGI
• Architecture separating privilege by a CGI process each
• Intrinsically low performance in creating a child process
– Existing access controls are provided by the execution methods each.
• CGI , DSO, or other Interpreters
• Complicated and user-unfriendly settings
In executing dynamic contents on a shared Web hosting service,
– Use of CGI is almost mandatory for security
– If using DSO, separating privilege by a daemon process or VM
⇒ Too much overhead
2012/7/18 SAINT2012 Izmir 6
7. Our Research
“Secure and high-performance access control architecture
on large-scale shared Web virtual hosting”
• We propose a thread-based security mechanism, and
implement as a module “mod_process_security”
– Architecture separating privilege by thread
• Very little performance degradation using DSO
• Enough security
• Independent from the program execution method, either CGI
or DSO
– As an module for Apache HTTP Server on Linux
2012/7/18 SAINT2012 Izmir 7
8. Content
• Introduction
• Access Control on Web Server
• Proposed Access Control Architecture
• Experiment and Evaluation
• Conclusion
2012/7/18 SAINT2012 Izmir 8
9. Overview of Access Control on a Web Server
• Apache HTTP Server (not using access controls)
– Using VirtualHost for a huge number of hosts.
– Handling all requests by the privilege of server processes.
– Files can be read via programs of any other host areas.
• Basic architecture of access controls
– Executing dynamic contents with the privilege of the contents.
– Preventing access to other virtual host area.
– suEXEC, mod_suid2 or mod_ruid2 and so on…
Single server process
OS
Web Service A × Web Service B
× ×
Virtual Host A × Virtual Host B Setting the privilege of the
contents at each host area.
2012/7/18 SAINT2012 Izmir 9
10. Parent Server Process CGI
(owner : root) suEXEC Archtecture
Child Server Process
(owner : apache) fork()
execve() suexec-program
bottleneck CGI Process
(owner : root)
setuid(), setgid()
execve() CGI Process
(owner : user1)
index.php
terminate process
(owner: user1)
2012/7/18 SAINT2012 Izmir 10
11. Parent Server Process DSO
(owner : root) mod_ruid2 Architechture
Set cap(Linux capability)
Child Server Process
(owner : apache) bottleneck
Set capability
setuid(), setgid() Unset cap
× Child Server Process execve()
(owner : user1)
Set capability
index.php
setuid(), setgid() terminate process (owner: user1)
2012/7/18 SAINT2012 Izmir ×
Changing the privilege
of Server Process 11
12. Contents
• Introduction
• Exsiting Access Control on Web Server
• Proposed Access Control Architecture
• Experiment and Evaluation
• Conclusion
2012/7/18 SAINT2012 Izmir 12
13. Proposed Access Control Architecture
- mod_process_security -
1. Reducing the bottleneck using a thread
• separating privilege by a controlling thread
• Need not to terminate server processes
• Creating a thread instead of forking a process
2. Independent of executing methods
• Need not to install a software individually for CGI or DSO
3. Installation and setting are easy
• Apache module
• User-friendly specification
2012/7/18 SAINT2012 Izmir 13
14. Parent Server Process
(owner : root)
CGI
mod_process_security
Child Server Process
(owner : apache)
Create thread, set cap
Control Thread
(owner : apache)
setuid・setgid, unset cap
CGI Specification
Control Thread
(owner : user1)
execve() CGI Process
(owner : user1)
index.php
terminate process destroy thread
(owner: user1)
2012/7/18 SAINT2012 Izmir 14
15. Parent Server Process
(owner : root)
DSO
mod_process_security
Child Server Process
(owner : apache)
Create thread, set cap
Control Thread
(owner : apache)
DSO Specification setuid・setgid, unset cap
execve() Control Thread
(owner : user1)
index.php
(owner: user1)
destroy thread
2012/7/18 SAINT2012 Izmir 15
16. Contents
• Introduction
• Exsiting Access Control on Web Server
• Proposed Access Control Architecture
• Experiment and Evaluation
• Conclusion
2012/7/18 SAINT2012 Izmir 16
17. Experiment
• Measuring response per second from a Web server
• Generating requests per second from a client to a Web server
• Evaluation of throughput by changing the number of requests
• Evaluation of throughput by using each access controls
• Printing phpinfo program(54KB), Benchmark software(httperf 0.9.0)
Clinent Machine
CPU Intel Core2Duo E8400 3.00GHz
Memory 4GB
NIC Realtek RTL8111/8168B 1Gbps
OS CentOS 5.6
Web Server Machine
CPU Intel Xeon X5355 2.66GHz
Memory 8GB
NIC Broadcom BCM5708 1Gbps
OS CentOS 5.6
Middle
2012/7/18 Ware Apache
SAINT2012 Izmir 2.2 17
18. Throughput
3000 DSO(mod_process_security ):
Low throughput degradation
2500
DSO
Responses/sec
2000
Access control for CGI
1500 Low performance
degradation
1000
CGI DSO(mod_ruid2): about 4.5 responses
500 (Magnified in the next slide) for all requests
0
Requests/sec
DSO(mod_process_security) DSO(not using access control)
DSO(mod_ruid2) CGI(not using access control)
CGI(suEXEC)
2012/7/18 SAINT2012 Izmir CGI(mod_process_security) 18
19. Throughput for CGI
200
180
Responses/sec
160
140
Not using access control、
mod_process_secuiry、
120 suEXEC
100
100 200 300 400 500 600 700 800 900 1000
Requests/sec
CGI(not using access control)
2012/7/18 CGI(suexec)
SAINT2012 Izmir CGI(mod_process_security)
19
20. Contents
• Introduction
• Exsiting Access Control on Web Server
• Proposed Access Control Architecture
• Experiment and Evaluation
• Conclusion
2012/7/18 SAINT2012 Izmir 20
21. Conclusion
1. High performance and secure access control on
multitenant apprications
– High performance access control architecture for DSO
– Use computing resource efficiently ⇒ Low cost
2. Independent of executing methods like CGI or DSO
– Easy to install
– user-friendly setting
⇒ In this architecture, you can withstand the
advancement of Web services considering multitenant
applications and low cost hosting services
2012/7/18 SAINT2012 Izmir 21
22. Future Research Plans
• Encourage using mod_process_scurity
– Now relesing in https://modules.apache.org/
• We plan to design new virtual host architecture
by combining mod_process_security with the
module that can manage resources more
flexibility on each virtual host.
2012/7/18 SAINT2012 Izmir 22