1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba**...
-
Upload
tracy-kelley -
Category
Documents
-
view
212 -
download
0
Transcript of 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba**...
![Page 1: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/1.jpg)
1
A Secure Access Control Mechanism against Internet
Crackers
Kenichi Kourai* Shigeru Chiba**
*University of Tokyo
**University of Tsukuba
![Page 2: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/2.jpg)
2
Server Hijacks by Crackers
Internet servers are often “hijacked.”e.g. buffer overflow attacks
• A cracker sends malicious code into a server as the input and then can take the full control of the server.
Preventing all types of attacks is difficult.• Most attacks are caused by programming or design errors.
These errors are left in many programs.• Only a part of attacks are detected by StackGuard, safe langua
ges, etc.
InternetInternetserver
firewallmalicious code
hijack!
![Page 3: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/3.jpg)
3
The Compacto Operating System
Access restrictions can protect servers from attacks.We have developed the Compacto operating system (OS), which provides:
• Fine-grained access control at the system call level Issues of system calls are limited by the type or arguments.
• Access control with user/group ID (setuid/setgid)• Limited access to directories (chroot)
Compacto can impose access restrictions on a various range.
• Application (some processes)• Process• Code fragment in a process
![Page 4: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/4.jpg)
4
Danger of RemovingAccess Restrictions
Servers need different access restrictions for each request.
It is necessary to impose/remove access restrictions.
Removing access restrictions is dangerous.Crackers can gain higher privileges after removing access restrictions from hijacked servers.
But, detecting whether a server is hijacked or not is difficult.
serverInternet
Internet
User A
User B
request
request
![Page 5: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/5.jpg)
5
Traditional Approach: “Spawn”
Spawns a new child process for every request and gives it different access restrictions.
The child process just terminates after handling a request.
• Removing access restrictions is not necessary.
DrawbacksSlow
• Too many processes are spawned.
Not compatible with the process pool technique• Today’s servers often use a process pool for efficiency.
![Page 6: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/6.jpg)
6
Our Approach: Process Cleaning
Allows a process to remove access restrictions.But, the process image is cleaned up back to the image stored by checkpointing.
• Process cleaning achieves the same security as the “Spawn” approach.
BenefitsFaster than the “Spawn” approachCompatible with the process pool technique
currentprocess image
stored image(snapshot)
overwrite
new process image
![Page 7: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/7.jpg)
7
Save_state System Call
Save_state takes a snapshot of a process at a safe point.
Where is considered as a safe point?• Before a server communicates with any clients.
The snapshot includes the whole state of a process.• registers, a memory image, signal handlers, open/close status
of files/sockets, etc.
The snapshot cannot be compromised.• Because it is saved in the kernel address space.
pc, sp,…stack, heap…
process image snapshot image
pc, sp,…stack, heap…save
![Page 8: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/8.jpg)
8
Restore_state System Call
Restore_state restores a safe state of a process saved by save_state.
Restoring an instruction pointer• Recovers the thread of control
Restoring the whole memory image• Eliminates malicious code from the memory
After restoration, Compacto removes access restrictions from the process.
pc’, sp’,…stack’, heap’…
process imagesnapshot image
pc, sp,…stack, heap… restore
![Page 9: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/9.jpg)
9
How to Use Process Cleaning
Request-handling code in typical servers on Compacto looks like the following:
save_state();
accept();
if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions
handle a request
restore_state();
save_state();
accept();
if (source == Internet) impose strong access restrictions else if (source == Intranet) impose weak access restrictions
handle a request
restore_state();
processcleaning & removingaccessrestrictions
![Page 10: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/10.jpg)
10
Implementation
Saving/restoring a memory image become a performance bottleneck.
Naïve implementation is slow.
Our implementation techniquesEfficient save of a memory image
• Compacto saves only modified pages by copy-on-write.
Selectable strategy for restoring memory• Compacto allows users to select the restoration strategy
according to the behavior of a server.
![Page 11: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/11.jpg)
11
Page Save by Copy-on-Write
Compacto allocates a shadow page at a page fault.All writable pages are write-protected in the save_state system call.
The contents of an original page are copied to the shadow page.
• The shadow page is modified and the original page is left unmodified.
kernel
moveshadow page
original page
address spacepage fault
map
![Page 12: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/12.jpg)
12
Remap/copy Strategies
Remap strategyDiscards a shadow page and moves the original page back
Restores memory fast but may cause extra page faults
Copy strategyCopies the contents of an original page back to the shadow page
May reduce page faults but may cause extra page copies
move
original page
discard
shadow page
copy
original page
shadow page
![Page 13: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/13.jpg)
13
Experiment
We measured the performance of the Apache web server for 4 types of server constructs.
EnvironmentsServer: PentiumIII 933MHz, Compacto OSClients: Celeron 300MHz, FreeBSD 3.4WebStone benchmark
Spawning a child processInsecure
Remap strategy Copy strategyREMAP COPY
Using a process poolProcess cleaning
POOLSPAWN
Spawning a child processInsecure
Remap strategy Copy strategyREMAP COPY
Using a process poolProcess cleaning
POOLSPAWN
![Page 14: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/14.jpg)
14
Experimental Results
Process cleaning is 40% faster than the “Spawn” approach.
The overhead of process cleaning is low - 40%.
The copy strategy is 8% faster than the remap strategy.
Acceptable request number
0
400
800
1200
1600
0 4 8 12 16
# of client machines
requ
ests
/sec
POOL COPY REMAP SPAWN
Acceptable request number
0
400
800
1200
1600
0 4 8 12 16
# of client machines
requ
ests
/sec
POOL COPY REMAP SPAWN
![Page 15: 1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.](https://reader036.fdocuments.us/reader036/viewer/2022072006/56649f585503460f94c7d06c/html5/thumbnails/15.jpg)
15
Concluding Remarks
We proposed process cleaning.It prevents hijacked servers from illegally removing access restrictions.
It achieves the same security as the traditional “Spawn” approach.
Process cleaning achieves great performance improvement against the “Spawn” approach.
40% faster