Saint2012 mod process security

1. Access Control Architecture Separating Privilege by a Thread on a Web Server - mod_process_security - Ryosuke MATSUMOTO, Yasuo OKABE Kyoto University 2012/7/18 SAINT2012 Izmir 1

2. Content 1. Introduction 2. Access Control on Web Servers 3. Proposed Access Control Architecture 4. Experiment and Evaluation 5. Conclusion 2012/7/18 SAINT2012 Izmir 2

3. Content 1. Introduction 2. Access Control on Web Servers 3. Proposed Access Control Architecture 4. Experiment and Evaluation 5. Conclusion 2012/7/18 SAINT2012 Izmir 3

4. Background • Deployment of Cloud Computing – Cost: Reducing the total cost off ownership (TCO), including hardware, software and operation – Security: Confidentiality, Integrity and Availability • PaaS (Platform as a Service): Large-Scale Shared Web Hosting Service, or so-called “Virtual Hosting” – Many Web sites share a single Operating System as well as HW resource. – Separation among sites is implemented using mechanism ether in OS or in the Web server. • Discretionary Access Control (DAC) : the access control model on UNIX and Windows OS "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. …” (wikipedia) – There exist some issues both in security and performance. • Ex) suEXEC for CGI on Apache HTTP Server – CGI method: low performance Executing dynamic contents securely and fast on large-scale shared Web hosting service 2012/7/18 SAINT2012 Izmir 4

5. Dynamic Contents on Web Servers • CGI is low-performance • DSO (Dynamic Shared Object) is enough fast, but… CGI DSO bottleneck Server Process Server Process CGI Process Program Program A built-in Interpreter Engineers’ needs to use DSO on a shared web hosting. 2012/7/18 SAINT2012 Izmir 5

6. Problem in Dynamic Contents Problem in access controls – DSO • Architecture separating privilege by a server process • Serious performance degradation when securely executed – CGI • Architecture separating privilege by a CGI process each • Intrinsically low performance in creating a child process – Existing access controls are provided by the execution methods each. • CGI , DSO, or other Interpreters • Complicated and user-unfriendly settings In executing dynamic contents on a shared Web hosting service, – Use of CGI is almost mandatory for security – If using DSO, separating privilege by a daemon process or VM ⇒ Too much overhead 2012/7/18 SAINT2012 Izmir 6

7. Our Research “Secure and high-performance access control architecture on large-scale shared Web virtual hosting” • We propose a thread-based security mechanism, and implement as a module “mod_process_security” – Architecture separating privilege by thread • Very little performance degradation using DSO • Enough security • Independent from the program execution method, either CGI or DSO – As an module for Apache HTTP Server on Linux 2012/7/18 SAINT2012 Izmir 7

8. Content • Introduction • Access Control on Web Server • Proposed Access Control Architecture • Experiment and Evaluation • Conclusion 2012/7/18 SAINT2012 Izmir 8

9. Overview of Access Control on a Web Server • Apache HTTP Server (not using access controls) – Using VirtualHost for a huge number of hosts. – Handling all requests by the privilege of server processes. – Files can be read via programs of any other host areas. • Basic architecture of access controls – Executing dynamic contents with the privilege of the contents. – Preventing access to other virtual host area. – suEXEC, mod_suid2 or mod_ruid2 and so on… Single server process OS Web Service A × Web Service B × × Virtual Host A × Virtual Host B Setting the privilege of the contents at each host area. 2012/7/18 SAINT2012 Izmir 9

10. Parent Server Process CGI （owner : root） suEXEC Archtecture Child Server Process （owner : apache） fork() execve() suexec-program bottleneck CGI Process （owner : root） setuid(), setgid() execve() CGI Process （owner : user1） index.php terminate process (owner: user1) 2012/7/18 SAINT2012 Izmir 10

11. Parent Server Process DSO （owner : root） mod_ruid2 Architechture Set cap(Linux capability) Child Server Process （owner : apache） bottleneck Set capability setuid(), setgid() Unset cap × Child Server Process execve() （owner : user1） Set capability index.php setuid(), setgid() terminate process (owner: user1) 2012/7/18 SAINT2012 Izmir × Changing the privilege of Server Process 11

12. Contents • Introduction • Exsiting Access Control on Web Server • Proposed Access Control Architecture • Experiment and Evaluation • Conclusion 2012/7/18 SAINT2012 Izmir 12

13. Proposed Access Control Architecture - mod_process_security - 1. Reducing the bottleneck using a thread • separating privilege by a controlling thread • Need not to terminate server processes • Creating a thread instead of forking a process 2. Independent of executing methods • Need not to install a software individually for CGI or DSO 3. Installation and setting are easy • Apache module • User-friendly specification 2012/7/18 SAINT2012 Izmir 13

14. Parent Server Process （owner : root） CGI mod_process_security Child Server Process （owner : apache） Create thread, set cap Control Thread （owner : apache） setuid・setgid, unset cap CGI Specification Control Thread （owner : user1） execve() CGI Process （owner : user1） index.php terminate process destroy thread (owner: user1) 2012/7/18 SAINT2012 Izmir 14

15. Parent Server Process （owner : root） DSO mod_process_security Child Server Process （owner : apache） Create thread, set cap Control Thread （owner : apache） DSO Specification setuid・setgid, unset cap execve() Control Thread （owner : user1） index.php (owner: user1) destroy thread 2012/7/18 SAINT2012 Izmir 15

17. Experiment • Measuring response per second from a Web server • Generating requests per second from a client to a Web server • Evaluation of throughput by changing the number of requests • Evaluation of throughput by using each access controls • Printing phpinfo program（54KB）, Benchmark software（httperf 0.9.0） Clinent Machine CPU Intel Core2Duo E8400 3.00GHz Memory 4GB NIC Realtek RTL8111/8168B 1Gbps OS CentOS 5.6 Web Server Machine CPU Intel Xeon X5355 2.66GHz Memory 8GB NIC Broadcom BCM5708 1Gbps OS CentOS 5.6 Middle 2012/7/18 Ware Apache SAINT2012 Izmir 2.2 17

18. Throughput 3000 DSO(mod_process_security ): Low throughput degradation 2500 DSO Responses/sec 2000 Access control for CGI 1500 Low performance degradation 1000 CGI DSO(mod_ruid2）: about 4.5 responses 500 (Magnified in the next slide) for all requests 0 Requests/sec DSO(mod_process_security) DSO(not using access control） DSO（mod_ruid2) CGI(not using access control） CGI（suEXEC) 2012/7/18 SAINT2012 Izmir CGI（mod_process_security) 18

19. Throughput for CGI 200 180 Responses/sec 160 140 Not using access control、 mod_process_secuiry、 120 suEXEC 100 100 200 300 400 500 600 700 800 900 1000 Requests/sec CGI(not using access control) 2012/7/18 CGI(suexec) SAINT2012 Izmir CGI(mod_process_security) 19

21. Conclusion 1. High performance and secure access control on multitenant apprications – High performance access control architecture for DSO – Use computing resource efficiently ⇒ Low cost 2. Independent of executing methods like CGI or DSO – Easy to install – user-friendly setting ⇒ In this architecture, you can withstand the advancement of Web services considering multitenant applications and low cost hosting services 2012/7/18 SAINT2012 Izmir 21

22. Future Research Plans • Encourage using mod_process_scurity – Now relesing in https://modules.apache.org/ • We plan to design new virtual host architecture by combining mod_process_security with the module that can manage resources more flexibility on each virtual host. 2012/7/18 SAINT2012 Izmir 22

Saint2012 mod process security

You are reading a preview.

Check these out next

Saint2012 mod process security

More Related Content

Slideshows for you (20)

Viewers also liked (8)

Similar to Saint2012 mod process security (20)

Recently uploaded (20)