Page 1: Saint2012 mod process security

Access Control Architecture Separating Privilege by a Thread on a Web Server

- mod_process_security -

Ryosuke MATSUMOTO, Yasuo OKABE

Kyoto University

2012/7/18 SAINT2012 Izmir 1

Page 2: Saint2012 mod process security

Content

1. Introduction

2. Access Control on Web Servers

3. Proposed Access Control Architecture

4. Experiment and Evaluation

5. Conclusion


Page 4: Saint2012 mod process security

Background

• Deployment of Cloud Computing
  – Cost: reducing the total cost of ownership (TCO), including hardware, software and operation
  – Security: confidentiality, integrity and availability

• PaaS (Platform as a Service): large-scale shared Web hosting service, or so-called “Virtual Hosting”
  – Many Web sites share a single operating system as well as HW resources.
  – Separation among sites is implemented using a mechanism either in the OS or in the Web server.

• Discretionary Access Control (DAC): the access control model on UNIX and Windows OS, "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. …” (Wikipedia)
  – There are issues both in security and performance.
  • Ex) suEXEC for CGI on Apache HTTP Server
    – CGI method: low performance

Executing dynamic contents securely and fast on a large-scale shared Web hosting service

Page 5: Saint2012 mod process security

Dynamic Contents on Web Servers

• CGI is low-performance

• DSO (Dynamic Shared Object) is fast enough, but…

[Figure: the two execution models. CGI: Server Process → CGI Process → Program, with the extra process marked as the bottleneck. DSO: Server Process → Program, executed by a built-in interpreter.]

Engineers want to use DSO on shared web hosting.

Page 6: Saint2012 mod process security

Problem in Dynamic Contents

Problem in access controls
– DSO
  • Architecture separating privilege by a server process
  • Serious performance degradation when executed securely
– CGI
  • Architecture separating privilege by a separate CGI process each time
  • Intrinsically low performance in creating a child process
– Existing access controls are provided per execution method.
  • CGI, DSO, or other interpreters
  • Complicated and user-unfriendly settings

In executing dynamic contents on a shared Web hosting service,
– Use of CGI is almost mandatory for security
– If using DSO, privilege must be separated by a daemon process or a VM
⇒ Too much overhead

Page 7: Saint2012 mod process security

Our Research

“Secure and high-performance access control architecture on large-scale shared Web virtual hosting”

• We propose a thread-based security mechanism and implement it as a module, “mod_process_security”
  – Architecture separating privilege by thread
    • Very little performance degradation using DSO
    • Sufficient security
    • Independent of the program execution method, either CGI or DSO
  – As a module for Apache HTTP Server on Linux

Page 8: Saint2012 mod process security

Content

• Introduction

• Access Control on Web Server

• Proposed Access Control Architecture

• Experiment and Evaluation

• Conclusion


Page 9: Saint2012 mod process security

Overview of Access Control on a Web Server

• Apache HTTP Server (not using access controls)
  – Using VirtualHost for a huge number of hosts.
  – Handling all requests with the privilege of the server processes.
  – Files can be read via programs in any other host’s area.

• Basic architecture of access controls
  – Executing dynamic contents with the privilege of the contents (their owner).
  – Preventing access to other virtual host areas.
  – suEXEC, mod_suid2 or mod_ruid2 and so on…

[Figure: one OS running Web Service A and Web Service B as Virtual Host A and Virtual Host B under a single server process; accesses across host areas are marked ×. Caption: setting the privilege of the contents at each host area.]

Page 10: Saint2012 mod process security

CGI suEXEC Architecture

[Figure: Parent Server Process (owner: root) → Child Server Process (owner: apache) → fork() and execve() of the suexec program → CGI Process (owner: root) → setuid(), setgid() → CGI Process (owner: user1) → execve() index.php (owner: user1) → terminate process. The diagram marks this per-request process creation path as the bottleneck.]

Page 11: Saint2012 mod process security

DSO mod_ruid2 Architecture

[Figure: Parent Server Process (owner: root) → Child Server Process (owner: apache) → set cap (Linux capability) → setuid(), setgid() → Child Server Process (owner: user1) → execve() index.php (owner: user1) → set capability → setuid(), setgid() → unset cap → terminate process. Changing the privilege of the server process itself, with the termination that follows, is marked × as the bottleneck.]

Page 12: Saint2012 mod process security

Contents

• Introduction

• Existing Access Control on Web Server

• Proposed Access Control Architecture

• Experiment and Evaluation

• Conclusion


Page 13: Saint2012 mod process security

Proposed Access Control Architecture - mod_process_security -

1. Reducing the bottleneck using a thread
   • Separating privilege by a controlling thread
   • No need to terminate server processes
   • Creating a thread instead of forking a process

2. Independent of execution methods
   • No need to install separate software for CGI and DSO

3. Installation and setting are easy
   • Apache module
   • User-friendly specification

Page 14: Saint2012 mod process security

CGI Specification (mod_process_security)

[Figure: Parent Server Process (owner: root) → Child Server Process (owner: apache) → create thread, set cap → Control Thread (owner: apache) → setuid/setgid, unset cap → Control Thread (owner: user1) → execve() → CGI Process (owner: user1) running index.php (owner: user1) → terminate process; the control thread is then destroyed.]

Page 15: Saint2012 mod process security

DSO Specification (mod_process_security)

[Figure: Parent Server Process (owner: root) → Child Server Process (owner: apache) → create thread, set cap → Control Thread (owner: apache) → setuid/setgid, unset cap → Control Thread (owner: user1) → execve() index.php (owner: user1) → destroy thread. The server process itself never changes owner and is not terminated.]
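The control-thread flow on the CGI and DSO specification slides, written out as an added C example; this is not the module's own code. It assumes a constructed policy floor of UID/GID 1000 (the real module and suEXEC both enforce a configurable minimum, suEXEC via --with-suexec-uidmin), omits the Linux capability set/unset step the slides show (that needs libcap), and uses raw setuid/setgid syscalls in the thread because glibc's setuid()/setgid() wrappers apply the change to every thread of the process, which is exactly the server-process-wide privilege change the mod_ruid2 slide marks as the bottleneck. The content handler itself is left as a placeholder comment.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed policy floor: never run content as root or a system account.
   1000 is an assumed value for this example, not a value from the slides. */
#define MPS_MIN_UID 1000
#define MPS_MIN_GID 1000

typedef struct {
    const char *path;     /* script whose owner decides the credentials */
    uid_t uid;            /* target ids resolved from the file owner */
    gid_t gid;
    int   switched;       /* 1 if the thread really changed its ids (needs root) */
    uid_t observed_uid;   /* ids the thread saw just before running content */
    gid_t observed_gid;
    int   rc;             /* 0 on success */
} mps_job;

/* Decide the credentials from the owner of the requested file and apply the
   policy floor. Returns 0 on success, a negative code on refusal/failure. */
int mps_resolve_ids(const char *path, uid_t min_uid, gid_t min_gid,
                    uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;                      /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return -2;                      /* only plain files are executed */
    if (st.st_uid < min_uid || st.st_gid < min_gid)
        return -3;                      /* root/system-owned content: refuse */
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* Body of the control thread. Raw setgid/setuid syscalls change the
   credentials of the calling thread only (see setuid(2) NOTES); the glibc
   wrappers would broadcast the change to the whole server process. */
static void *mps_control_thread(void *arg)
{
    mps_job *job = arg;

    if (syscall(SYS_geteuid) == 0) {
        /* gid first: once we are unprivileged, setgid would be refused */
        if (syscall(SYS_setgid, job->gid) != 0 ||
            syscall(SYS_setuid, job->uid) != 0) {
            job->rc = -1;
            return NULL;
        }
        job->switched = 1;
    }
    /* Record what this thread now runs as; under root it is the file owner. */
    job->observed_uid = (uid_t)syscall(SYS_geteuid);
    job->observed_gid = (gid_t)syscall(SYS_getegid);

    /* ...the content handler (CGI execve() or in-process DSO call) goes here... */

    job->rc = 0;
    return NULL;   /* thread exit: its credentials disappear with it */
}

/* Resolve the ids, run the content in a throw-away thread, wait for it.
   The calling (server) thread keeps its own credentials throughout. */
int mps_run_as_owner(const char *path, mps_job *job)
{
    pthread_t tid;

    memset(job, 0, sizeof *job);
    job->path = path;
    if (mps_resolve_ids(path, MPS_MIN_UID, MPS_MIN_GID, &job->uid, &job->gid) != 0)
        return -1;
    if (pthread_create(&tid, NULL, mps_control_thread, job) != 0)
        return -1;
    pthread_join(tid, NULL);
    return job->rc;
}

int main(int argc, char **argv)
{
    mps_job job;
    if (argc != 2) {
        fprintf(stderr, "usage: %s <script>\n", argv[0]);
        return 2;
    }
    if (mps_run_as_owner(argv[1], &job) != 0) {
        fprintf(stderr, "refused or failed for %s\n", argv[1]);
        return 1;
    }
    printf("content thread ran as uid=%u gid=%u (switched=%d); server thread is still uid=%u\n",
           (unsigned)job.observed_uid, (unsigned)job.observed_gid, job.switched,
           (unsigned)geteuid());
    return 0;
}
```

Run as root against a file owned by an ordinary user and the content thread reports that user's ids while the main thread still reports uid 0; run unprivileged and the thread simply keeps the caller's ids. A root-owned or system-owned script is refused before any thread is created, which is the check that keeps a misconfigured virtual host from executing content with the server's or root's privilege.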

Page 16: Saint2012 mod process security

Contents

• Introduction

• Existing Access Control on Web Server

• Proposed Access Control Architecture

• Experiment and Evaluation

• Conclusion


Page 17: Saint2012 mod process security

Experiment

Client Machine
  CPU: Intel Core2Duo E8400 3.00GHz
  Memory: 4GB
  NIC: Realtek RTL8111/8168B 1Gbps
  OS: CentOS 5.6

Web Server Machine
  CPU: Intel Xeon X5355 2.66GHz
  Memory: 8GB
  NIC: Broadcom BCM5708 1Gbps
  OS: CentOS 5.6
  Middleware: Apache 2.2

• Generating a given number of requests per second from the client to the Web server and measuring responses per second from the Web server
• Evaluation of throughput by changing the number of requests
• Evaluation of throughput for each access control
• Content: a program printing phpinfo (54KB); benchmark software: httperf 0.9.0

Page 18: Saint2012 mod process security

Throughput

[Figure: responses/sec (0–3000) versus requests/sec for six configurations: DSO(mod_process_security), DSO(not using access control), DSO(mod_ruid2), CGI(not using access control), CGI(suEXEC), CGI(mod_process_security). The CGI curves are magnified in the next slide.]

• DSO(mod_process_security): low throughput degradation
• DSO(mod_ruid2): about 4.5 responses/sec at every request rate
• Access control for CGI: low performance degradation

Page 19: Saint2012 mod process security

Throughput for CGI

[Figure: responses/sec (100–200) versus requests/sec (100–1000) for CGI(not using access control), CGI(suEXEC) and CGI(mod_process_security). The curves are annotated in the order: not using access control, mod_process_security, suEXEC.]

Page 20: Saint2012 mod process security

Contents

• Introduction

• Existing Access Control on Web Server

• Proposed Access Control Architecture

• Experiment and Evaluation

• Conclusion


Page 21: Saint2012 mod process security

Conclusion

1. High-performance and secure access control on multitenant applications
   – High-performance access control architecture for DSO
   – Uses computing resources efficiently ⇒ low cost

2. Independent of execution methods like CGI or DSO
   – Easy to install
   – User-friendly settings

⇒ With this architecture, Web services can keep pace with the advancement of multitenant applications and low-cost hosting services

Page 22: Saint2012 mod process security

Future Research Plans

• Encourage the use of mod_process_security
  – Now released at https://modules.apache.org/

• We plan to design a new virtual host architecture by combining mod_process_security with a module that can manage resources more flexibly on each virtual host.