Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea


  1. A Low-Cost Runtime-Privilege Changing System for Shared Servers
     Daisuke Hara and Yasuichi Nakayama, The University of Electro-Communications, Tokyo, Japan

  2. Outline
     • Introduction
     • Background
       • Increase in end users' Web contents
       • Problems of sharing a Web server
       • Existing approaches to runtime privilege
     • Proposal: A Low-Cost Runtime-Privilege Changing System for Shared Servers
     • Evaluation
     • Conclusions

  3. Introduction
     • Problem of sharing a Web server
       • Malicious users that share the server can potentially steal, delete, or tamper with other users' files.
     • Proposal: a low-cost runtime-privilege changing system for shared servers
     • Contributions:
       • We have clarified the security problems in a shared server.
       • We have clarified runtime privileges in UNIX-like OSes, existing approaches to the security problems, and their limitations.
       • We have described our design of a low-cost runtime-privilege changing system and our implementation of it for a Web server on a Linux OS.

  4. Background
     • More people are creating their own content and publishing it on the Web as the Internet grows in popularity.
       • End users create weblogs, wikis, and CMS sites.
     • Shared hosting services are widely used.
       • Many customers share a server.
         • 100s - 1000s sites/server
       • Low price and flexible
         • custom CGI, etc.

  5. Hosting Service
     • Shared hosting service vs. dedicated hosting service
     • Suitable for end users
     • Target of our study (the shared hosting service)

                                                  Shared hosting service      Dedicated hosting service
     Analogy of houses                            apartment / condominium     single-family house
     Web sites : Web server programs : machines   N:1:1 (N = 100s - 1000s)    1:1:1
     Available machine resource                   limited (shared)            all (dedicated)
     (e.g. CPU, memory, disk)
     Fee                                          low (a few $/month)         expensive
  6. Problem of sharing a Web server
     • Processes of a Web server program (e.g. Apache)
       • A parent process runs under the privilege of the root user.
         • binding port 80
       • Many server (child) processes run under the privilege of a dedicated user (e.g. apache, www-data, www).
         • processing requests
     • Read, write, and execute permission on users' content files must therefore be granted to "other".
       • UNIX permission model: owner/group/other

  7. Problem of sharing a Web server (cont.)
     • Malicious users that share the server can illegally steal, delete, or tamper with other users' files.
       • (i-1) command attack, (i-2) HTTP attack
     • (0) File permission (owner/group/other)
       • rw-/---/r-- (static contents, e.g. HTML and image files)
       • rw-/---/rw- (e.g. log files, wiki's data files)
       • rwx/---/r-x (CGI scripts)
     [Diagram: user accounts A, B, C and their files; server processes running as www (the runtime privilege) that (1) receive the HTTP request, (2) process it and (3) send the response; a malicious user reaches other users' files with (i-1) command-line tools from his own account and (i-2) HTTP requests through the server processes.]

  8. Existing Approaches to Runtime Privilege
     • Existing approaches solve a portion of the security problem, but each of them lacks performance, site-number scalability, or generality.

                                Security in server   Basic performance (throughput/latency)   Site-number scalability             Generality
     vanilla Apache             poor                 excellent                                excellent                           good
     POSIX ACL (with suEXEC)    good                 poor (twice fork & exec)                 excellent                           good
     Container / VM             excellent            excellent                                poor (overhead of virtualization)   poor (modifications of kernel)
     PHP safe mode              good                 excellent                                excellent                           poor (PHP-specific)
  9. Design - Change in Runtime Privilege -
     • Server processes are launched under the privilege of the root user.
     • (1) When a request is received, (2) the server process changes its runtime privilege (effective user ID/group ID) to an ordinary user/group.
       • by using the seteuid()/setegid() system calls
     • (3) It processes the request and (4) sends the response.
     • (5) It changes its runtime privilege back to 0 (root).

  10. Design - Change in Runtime Privilege - (cont.)
     • File permissions are granted only to the owner for any content. => Secure
     • (0) File permission (owner/group/other)
       • rw-/---/--- (static contents, e.g. HTML and image files)
       • rw-/---/--- (e.g. log files, wiki's data files)
       • rwx/---/--- (CGI scripts)
     [Diagram: in our system the server processes run as root; for a request to user C's site a process (1) receives the HTTP request, (2) calls seteuid(C) & setegid(C), (3) processes the request, (4) sends the response and (5) calls seteuid(0) & setegid(0). The per-request identity switch is similar to Samba.]

  11. Design - Change in Runtime Privilege - (cont.)
     • Malicious users cannot illegally steal, delete, or tamper with other users' files.
     [Diagram: the same flow as the previous slide, with the (i-1) command attack and (i-2) HTTP attack of slide 7 now stopped by the owner-only file permissions.]
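The five-step cycle of slides 9 to 11 as an added C example, not the authors' mod_seteuid code: it shows the per-request seteuid()/setegid() switch and the ordering the slides do not spell out (group before user when dropping, user before group when regaining). The handler type and record_euid are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Step (2): take on the content owner's effective IDs for one request.
 * Group first: once the effective UID is non-zero the process has lost
 * CAP_SETGID, and a setegid() to an arbitrary group fails with EPERM. */
int enter_user_privilege(uid_t uid, gid_t gid)
{
    gid_t old_gid = getegid();
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        int saved_errno = errno;
        (void)setegid(old_gid);   /* undo the group change, best effort */
        errno = saved_errno;
        return -1;
    }
    return 0;
}

/* Step (5): return to the server's own IDs (0/0 in the slides' design).
 * Reverse order: seteuid() first, which is allowed because the real and
 * saved UID are still the server's; being UID 0 again restores the
 * capabilities that the following setegid() needs. */
int leave_user_privilege(uid_t uid, gid_t gid)
{
    if (seteuid(uid) != 0)
        return -1;
    return setegid(gid);
}

/* One request: (2) switch to the owner, (3) run handler, (5) switch back.
 * Failing to switch back must be fatal in a real server, or the process
 * would keep serving later requests under the wrong identity. */
int handle_request_as(uid_t uid, gid_t gid, int (*handler)(void *), void *arg)
{
    uid_t server_uid = geteuid();
    gid_t server_gid = getegid();
    if (enter_user_privilege(uid, gid) != 0)
        return -1;
    int rc = handler(arg);
    if (leave_user_privilege(server_uid, server_gid) != 0)
        return -1;
    return rc;
}

/* Constructed sample handler: records the effective UID it ran under. */
int record_euid(void *out) { *(uid_t *)out = geteuid(); return 0; }
```

Run as root it switches to a real content owner's IDs; unprivileged it still runs, because a process may always set its effective IDs to its real ones.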
  12. Design - Limitation with Changing Runtime Privilege by User Scripts -
     • Challenge: user scripts (e.g. CGI) can usually invoke setuid()/setgid() just as our system can.
       • => Malicious users could potentially appropriate root privilege.
     • Solution: our system hooks the calls of the setuid()/setgid() family and disables them.
       • => Only our system can change the runtime privilege.
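A minimal reconstruction of the hook described above, added here as an example and not the authors' setuid_hooks.so: the setuid() family is interposed so that a user script cannot change identity, while the server's own switching is unaffected because, in the slides' layout, the hook object is loaded into the scripts and not into Apache. That it is loaded by LD_PRELOAD is an assumption; the slides only say it is a shared object outside Apache.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Count of refused identity changes, so the server can log or audit a
 * script that tried to change its UID/GID. */
static unsigned long denied_calls;

unsigned long setuid_hook_denied_count(void) { return denied_calls; }

/* Every interposed call ends here: record it and fail with EPERM, the
 * error an unprivileged process gets from the real system call. */
static int deny_identity_change(void)
{
    denied_calls++;
    errno = EPERM;
    return -1;
}

/* These definitions shadow the libc entry points of the same name when the
 * object is preloaded into a script's process (assumed: LD_PRELOAD). */
int setuid(uid_t u)  { (void)u; return deny_identity_change(); }
int setgid(gid_t g)  { (void)g; return deny_identity_change(); }
int seteuid(uid_t u) { (void)u; return deny_identity_change(); }
int setegid(gid_t g) { (void)g; return deny_identity_change(); }
int setreuid(uid_t r, uid_t e) { (void)r; (void)e; return deny_identity_change(); }
int setregid(gid_t r, gid_t e) { (void)r; (void)e; return deny_identity_change(); }
int setresuid(uid_t r, uid_t e, uid_t s)
{
    (void)r; (void)e; (void)s;
    return deny_identity_change();
}
int setresgid(gid_t r, gid_t e, gid_t s)
{
    (void)r; (void)e; (void)s;
    return deny_identity_change();
}
```

Interposition only covers calls that go through the shared libc, so for processes that must never change identity pair it with dropping CAP_SETUID/CAP_SETGID, as slides 25 and 26 propose.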
  13. Implementation
     • We implemented our system for the Apache HTTP server 2.2.10 on a Linux OS.
     • The function for changing the runtime privilege was implemented as an Apache module, mod_seteuid.so.
     • The function that limits user scripts once their runtime privilege has been changed was implemented as a shared object, setuid_hooks.so, outside of Apache.

  14. Evaluation
     • Experimental environment (client & server)
       CPU      AMD Opteron 240EE 1.4 GHz x 2
       Memory   4 GB
       OS       CentOS 5.3 (Linux 2.6.18)
       NIC      Broadcom BCM5704C (1 Gbps)

  15. Basic performance evaluation
     • Aim:
       • to determine the practical performance of our system
     • System for comparison:
       • vanilla Apache
     • Benchmark:
       • httperf benchmark ver. 0.9.0
       • We sent requests to a PHP script (which just calls phpinfo()) and measured the response throughput.

  16. Basic performance evaluation (cont.) - throughput -
     • The throughput with our system was, on average, 0.5% lower than that with Apache and at most 4.7% lower.
     • The overhead of our system is very low.

  17. Basic performance evaluation (cont.) - latency -
     • The latency with our system was, on average, 31.6% higher than that with Apache and at most 59.9% higher.
       • This is due to the overhead of the hook operations.
     • Because the maximum latency with our system was 1.1 seconds, it remains usable for practical Web servers.

  18. Conclusions
     • Proposal:
       • A low-cost runtime-privilege changing system for shared servers
     • Contribution:
       • We have clarified the security problems in a shared server.
       • We have clarified runtime privileges in UNIX-like OSes, existing approaches to the security problems, and their limitations.
       • We have described our design of a low-cost runtime-privilege changing system and our implementation of it for a Web server on a Linux OS.
     Our evaluation results demonstrate that our system solves the security problems in a shared server with little performance degradation.
  19. Future Work
     • Applying a secure OS and POSIX capabilities to our system
     • Evaluation with real applications
     • Applying the concept of our design to other server programs that provide service to many users

  20. Thank you.
     • Any questions/comments?
  21. Existing Approaches to Runtime Privilege - POSIX ACL -
     • Provides access control for each user
       • an enhancement of the UNIX permission model, owner/group/other
     • Command & HTTP attack => prevented
       • with suEXEC
     • Problem: low throughput (dynamic contents)
       • suEXEC cannot achieve the speed of server-embedded interpreters (e.g. PHP, mod_ruby) because it needs process creation and termination twice for each request.
     [Diagram: the www server process does fork() and execve(), the resulting root process calls setuid()/setgid() to become user A and does fork() and execve() again, and the processes created for the request are terminated afterwards.]

  22. Existing Approaches to Runtime Privilege - Secure OS -
     • Secure OSes can restrict the root user's operations by minimizing the scope of the filesystem it can access.
       • Mandatory access control (MAC) enforces access control for all users and processes without exception.
       • In the least privilege security model, a higher-than-needed privilege level is not granted to users and processes.
     • Command attack => prevented
     • HTTP attack => cannot be prevented

  23. Existing Approaches to Runtime Privilege - Container and Virtual Machine -
     • Container: OS-level virtualization methods
       • Multiple containers with server software programs can run concurrently in one OS. => Secure
     • Virtual Machine (VM)
       • Multiple OSes with server software programs can run concurrently on the same server machine. => Secure
     • Problem:
       • Overhead of virtualization => low scalability in the number of sites per server
       • Modification of the kernel => low generality

  24. Existing Approaches to Runtime Privilege - Harache/Hi-sap -
     • Our previously proposed Web server systems
       • solve the security problems in a shared server
     • Harache
       • Pros: it has up to 1.7 times the performance of suEXEC.
       • Cons: it cannot achieve the speed of server-embedded interpreters because it needs a process termination after each HTTP session.
     • Hi-sap
       • Pros: it speeds up server-embedded interpreters.
         • up to 14.3 times the throughput of suEXEC
       • Cons: the maintenance and operation cost of many server software programs is high.
     [Diagram: Harache: a root process calls setuid()/setgid() to become user A and is terminated after the session; Hi-sap: a dispatcher forwards requests to reusable per-user workers A, B, C.]

  25. Existing Approaches to Runtime Privilege - POSIX capabilities -
     • A separation of root privilege into a set of capabilities
       • => It can minimize the privilege of server processes.
     • Linux kernel 2.6.30 defines 34 capabilities.
       • CAP_SETUID/CAP_SETGID
         • invoking the setuid()/setgid() family
       • CAP_NET_BIND_SERVICE
         • binding well-known ports
     • Command & HTTP attack => cannot be prevented

  26. Applying POSIX capabilities and a secure OS
     • Minimizing the scope of server processes' privilege (POSIX capabilities) and the scope of the filesystem that server processes can access (secure OS)
     [Diagram: applying POSIX capabilities narrows the scope of server processes' privilege (CAP_SETUID, CAP_SETGID, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, ..., CAP_MAC_OVERRIDE, CAP_MAC_ADMIN); applying a secure OS narrows the scope of the filesystem that server processes can access from the whole filesystem to the working area of Apache. Both limit the scope of the effect of appropriated server processes.]