Oct. 27, 2010, BROADNETS, Greece. Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services. Daisuke Hara, Ryohei Fukuda, Kazuki.

Presentation transcript:

1 Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services
Daisuke Hara, Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama
The University of Electro-Communications, Tokyo, Japan
Oct. 27, 2010, BROADNETS, Greece

2 Outline
Introduction
Background
– Increase in end users’ Web contents
– Problems of sharing a Web server
– Existing approaches about runtime privilege
Proposal - Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services
– Design
– Implementation
Evaluation
Conclusions

3 Introduction
Problem of sharing a Web server
– Malicious users that share the server can potentially steal, delete, or tamper with other users’ files.
Proposal: a Web server system that solves the problem and that achieves high site-number scalability with little performance degradation
Contributions:
1. We have clarified security problems and requirements of shared hosting services.
2. We have clarified existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux.

4 Background
More people are creating their own content and publishing it on the Web as the Internet grows in popularity.
– End users create weblogs, wikis, CMSs.
Shared hosting services are widely used.
– Many customers share a server. 100s s sites/server
– low price & flexible custom CGI, etc.

5 Hosting service
Shared hosting service vs. dedicated hosting service
– Analogy of houses: apartment / condominium (shared); single-family house (dedicated)
– The number of Web sites : Web server programs : machines: N:1:1 *N = 100s s (shared); 1:1:1 (dedicated)
– Available machine resource (e.g. CPU, memory, disk): limited (share) (shared); all (dedicate) (dedicated)
– Fee: low (a few $/month) (shared); expensive (dedicated)
Shared hosting service: suitable for end users; target of our study
[Figure: Web sites, Web server program, machine]

6 Problem of sharing a Web server
Processes of a Web server program (e.g. Apache)
– A parent process runs under the privilege of a root user: binding port 80.
– Many server (child) processes run under the privilege of a dedicated user (e.g. apache, www-data, www): processing requests.
Read, write, and execute permissions on these content files must be granted to "other".
– UNIX permission model: owner/group/other

7 Problem of sharing a Web server (cont.)
Malicious users that share the server can illegally steal, delete, or tamper with other users’ files.
– (i-1) command attack, (i-2) HTTP attack
File permission (owner/group/other):
– rw-/---/r-- (static contents, e.g., HTML and image files)
– rw-/---/rw- (e.g., log files, wiki’s data files)
– rwx/---/r-x (CGI scripts)
Request processing by the server process: (1) receive HTTP request, (2) process request, (3) send response
www: runtime privilege
[Figure: Web client, Web server, server process (www), user accounts A, B, C, user’s files, and a malicious user reaching the files through command-line tools (i-1) or HTTP (i-2)]

8 Existing approaches about runtime privilege
Criteria: Security in Server; Basic Performance (Throughput/Latency); Site-number Scalability; Generality
– Container/VM: excellent; poor (overhead of virtualization); poor (modifications of kernel)
– PHP safe mode: good; excellent; poor (PHP-specific)
– POSIX ACL (with suEXEC): good; poor (twice fork&exec); excellent; good
– (vanilla Apache): poor; excellent; good
Existing approaches solve a portion of the security problem, but they lack performance, site-number scalability, or generality.

9 Design
The privilege of server processes is changed in advance to reuse them.
=> It can avoid performance degradation.
A “dispatcher” distributes requests to “workers” that are server processes and run under the privilege of an individual user.
[Figure: the dispatcher forwards requests to reusable workers A, B, C; A, B, C: privilege of server processes (an individual user)]

10 Partition
Hi-sap protects customer files by isolating them in separate security domains, called “partitions”.
– A unit of protection by using a secure OS facility
(a) An attacker cannot access files in another partition,
(b) even if the files are on the same site.
File permission: rw-/---/---
A, B, C: privilege/owner (an individual user)
[Figure: server processes worker (A) with mod_python in Domain A, worker (B) with mod_perl in Domain B, worker (C) with mod_ruby in Domain C; customer files of Type A, Type B, Type C; Site X (Partition A); Site Y with Content Y1 (Partition B) and Content Y2 (Partition C); file access is controlled by the type enforcement of a secure OS]
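The file modes on slides 7 and 10, checked from the defender's side. This is an added example, not code from Hi-sap or the slides: the function names, the sample tree, and the directory modes are constructed, and it inspects UNIX permission bits only (SELinux type enforcement is outside its scope).

```python
import os
import stat
import tempfile

def exposure(file_mode, dir_mode):
    """What an account in the 'other' class (any co-hosted user) can do to a file."""
    risks = set()
    if file_mode & stat.S_IROTH:
        risks.add("steal")
    if file_mode & stat.S_IWOTH:
        risks.add("tamper")
    # Deleting is decided by the parent directory, not the file:
    # 'other' needs w+x on the directory and the sticky bit must be unset.
    dir_open = dir_mode & stat.S_IWOTH and dir_mode & stat.S_IXOTH
    if dir_open and not dir_mode & stat.S_ISVTX:
        risks.add("delete")
    return risks

def audit(docroot):
    """Map each exposed file (path relative to docroot) to its risks."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        dir_mode = os.lstat(dirpath).st_mode
        for name in files:
            path = os.path.join(dirpath, name)
            risks = exposure(os.lstat(path).st_mode, dir_mode)
            if risks:
                findings[os.path.relpath(path, docroot)] = risks
    return findings

# Constructed sample: file modes follow slides 7 and 10, directory modes are assumed.
SAMPLE = {
    "site_x/index.html": (0o604, 0o705),      # rw-/---/r--  static content
    "site_x/data/wiki.dat": (0o606, 0o707),   # rw-/---/rw-  wiki data file
    "site_x/cgi-bin/app.cgi": (0o705, 0o705), # rwx/---/r-x  CGI script
    "partition_a/index.html": (0o600, 0o700), # rw-/---/---  Hi-sap partition
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, (fmode, dmode) in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample")
            os.chmod(path, fmode)
            os.chmod(os.path.dirname(path), dmode)
        return audit(root)
```

The audit does not check search permission on the directories leading to a file, so it reports the worst case for a tree that co-hosted accounts can traverse.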

11 Content access scheduler
A Web-server-level scheduler that enhances the scalability of the number of partitions in a server.
It controls the creation and termination of workers.

12 Implementation
We implemented Hi-sap on a Linux OS with SELinux.
The dispatcher was implemented as an Apache module, mod_hisap, on an Apache HTTP server (ver ).
One thousand Apache HTTP servers (ver ) were used as workers.
– Each worker waited for requests at a unique port.
The content access scheduler and other management facilities of the workers were implemented as a daemon, hisapd.

13 Overview of request processing
(1) receive request (GET / HTTP/1.1 Host: )
(2) determine if worker C is active
(3) ask to activate worker C
(4) activate worker C
(5) forward request
(6) process request
(7) forward response
(8) send response
Under heavy load:
(i) select worker A, who has no requests
(ii) terminate worker A
A, B, C, www, root: privilege of the server process
[Figure: Web client, dispatcher, reverse proxy, hisapd, and workers A, B, C inside Hi-sap; links are labelled UNIX domain socket and HTTP]
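The activation and termination steps of slides 11 and 13 as a small model. This is an added example, not the mod_hisap or hisapd code: the class names, the fixed `max_active` cap standing in for "heavy load", the choice of the least recently used idle worker, the Host-to-partition table, and the 503/404 responses are all assumptions.

```python
from collections import OrderedDict

class ContentAccessScheduler:
    """Model of the scheduler role: decides which workers are alive."""
    def __init__(self, max_active):
        self.max_active = max_active
        self.inflight = OrderedDict()   # partition -> requests in flight, oldest first
        self.log = []

    def ensure_active(self, partition):
        if partition in self.inflight:              # step (2): already active
            self.inflight.move_to_end(partition)
            return True
        if len(self.inflight) >= self.max_active:   # assumed heavy-load condition
            # step (i): pick a worker with no requests (oldest idle one, assumed)
            victim = next((p for p, n in self.inflight.items() if n == 0), None)
            if victim is None:
                return False                        # every worker is busy
            del self.inflight[victim]               # step (ii)
            self.log.append(("terminate", victim))
        self.inflight[partition] = 0                # step (4)
        self.log.append(("activate", partition))
        return True

class Dispatcher:
    """Model of the dispatcher role: routes a request to its partition's worker."""
    def __init__(self, scheduler, partition_of):
        self.scheduler = scheduler
        self.partition_of = partition_of            # Host header -> partition (assumed)

    def begin(self, host):
        partition = self.partition_of.get(host)
        if partition is None:
            return 404
        if not self.scheduler.ensure_active(partition):   # step (3)
            return 503
        self.scheduler.inflight[partition] += 1     # step (5): request forwarded
        return 200

    def end(self, host):
        self.scheduler.inflight[self.partition_of[host]] -= 1   # steps (7)-(8)

def demo():
    sched = ContentAccessScheduler(max_active=2)
    sites = {"a.example": "A", "b.example": "B", "c.example": "C"}   # constructed
    disp = Dispatcher(sched, sites)
    statuses = [disp.begin("a.example")]
    disp.end("a.example")                           # worker A is now idle
    statuses.append(disp.begin("b.example"))        # B stays busy
    statuses.append(disp.begin("c.example"))        # cap reached: A terminated, C activated
    statuses.append(disp.begin("a.example"))        # B and C busy: nothing to terminate
    statuses.append(disp.begin("unknown.example"))
    return statuses, sched.log
```

A worker is only ever terminated when it has no request in flight, so a busy partition is never interrupted to make room for another.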

14 Evaluation
Experimental environment
Network: Gigabit Ethernet
– Switching Hub: DELL PowerConnect BASE-T x 24
Server
– CPU: AMD Opteron 240EE 1.4 GHz x 2
– Memory: 4 GB (swap 8 GB)
– OS: Fedora Core 4 (kernel )
– NIC: Broadcom BCM5704C 1 Gbps
Client
– CPU: Intel Pentium III Xeon 500 MHz x 4
– Memory: 256 MB (swap 512 MB)
– OS: Fedora Core 4 (kernel )
– NIC: Intel PRO/1000XT PWLA8490XT 1 Gbps

15 Basic performance evaluation - throughput -
The throughput with Hi-sap was, on average, 2.0% lower than with Apache and was a maximum of 6.9% lower.
The overhead of Hi-sap is very low.
Web application: tDiary (written in Ruby)
Benchmark: httperf 0.8
One-to-one is similar to Hi-sap (mod_hisap and hisapd were not installed).

16 Basic performance evaluation - latency -
The latencies of Apache, one-to-one, and Hi-sap were small.
The latency of suEXEC was very large, so suEXEC is not suitable.

17 Site-number scalability evaluation
Hi-sap’s scalability is high.
– The reduction in throughput with Hi-sap as the number of partitions increased was lower than with one-to-one.
With one-to-one, the OS crashed due to a memory shortage when the number of partitions reached about 600.
Web application: PHP script (It calls phpinfo(), which displays the system information of the PHP language processor.)
Benchmark: Apache Benchmark

18 Site-number scalability evaluation - memory utilization -
The swap utilization of one-to-one increased dramatically as the number of partitions increased.
– This is the reason for the OS crash.
Hi-sap does not use swap space as much because of the content access scheduler.

19 Conclusions
Proposal:
– A Web server system that solves the problem and that achieves high site-number scalability with little performance degradation
Contributions:
1. We have clarified security problems and requirements of shared hosting services.
2. We have clarified existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services, and implemented it on a Linux OS with SELinux.
Our evaluation results demonstrate that Hi-sap qualitatively and quantitatively satisfies the requirements.

20 Future work
Optimizing the content access scheduler algorithm to avoid swapping and to enable more than 1000 sites to be housed
Applying the concept of Hi-sap to other server programs that provide service to many users
– e.g., mail servers and network file systems

21 Thank you. Any questions/comments?