Security Architecture of qmail and Postfix. Authors: Munawar Hafiz, Ralph E. Johnson. Prepared by Geoffrey Foote, CSC 593 Secure Software Engineering Seminar.


Security Architecture of qmail and Postfix
Authors: Munawar Hafiz, Ralph E. Johnson
Prepared by Geoffrey Foote, CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
Instructors: Dr. James Walden, Dr. Charles Frank

Overview
- Introduction
- Architecture of qmail as a set of design decisions
- Architecture of Postfix as a parallel to qmail
- Similarities
- Differences
- Conclusions/Comments

Introduction
- qmail was designed as sendmail's replacement
  - Addressed security issues
  - Its architecture made the system easier to understand and maintain
- Postfix used qmail's architecture as a reference
  - Design built towards performance
  - Reduced redundancy
  - Still achieved a high level of security
- Both systems hold an unblemished security record
- Both use similar security patterns
- Both are evidence that security doesn't have to come at the cost of performance

Introduction
- Architecture of the systems (qmail and Postfix)
- Key principle: Defense in Depth
  - The system does not depend on any single idea to achieve security
- Modularity
  - Decreases the damage caused by security break-ins
  - Ensures that many kinds of errors are not possible
  - Makes inspection easier

qmail Architecture
- sendmail runs as one process; if it is compromised, an attacker gains access to all processes
  - TO AVOID: qmail follows the Compartmentalization Security Pattern
  - Separate the system into different security domains
  - Therefore, when one part of the system is compromised, the others remain secure
- sendmail runs as a super-user
  - Causes privilege issues
  - TO AVOID: qmail follows the Distributed Responsibility Security Pattern
  - Partition responsibility across compartments

qmail Architecture
- The mail queue must avoid race conditions
  - TO AVOID: qmail follows the Reliability Pattern, Unique Location for Each Request
  - Ensure every write request is to a different location
- Mailbox management: a system crash leaves a message in an unreliable state
  - TO AVOID: qmail follows the Reliability Pattern, Checkpointed System
  - Design the system as a finite state machine
  - Make the state information persistent
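As an added example (my own code, not qmail's) of the two reliability patterns on this slide: each submission is created exclusively under a pid/ stage directory and then moved by one atomic rename into todo/ under its inode number, a scheme in the spirit of qmail's inode-named queue files. The temp directory layout, file names and message bodies are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an empty demo queue with the two stages used below; returns 0 on success. */
int queue_setup(char *root, size_t n) {
    char tmpl[] = "/tmp/qdemo.XXXXXX", sub[4096];      /* constructed demo location */
    if (!mkdtemp(tmpl) || snprintf(root, n, "%s", tmpl) >= (int)n) return -1;
    snprintf(sub, sizeof sub, "%s/pid", root);
    if (mkdir(sub, 0700) != 0) return -1;
    snprintf(sub, sizeof sub, "%s/todo", root);
    return mkdir(sub, 0700);
}

/* Unique Location for Each Request: O_EXCL guarantees the name is ours alone.
 * EEXIST means another writer got there first, so pick a new name rather than
 * ever reopening a file that someone else is writing. */
static int open_unique(const char *queue, char *path, size_t n) {
    static unsigned seq;                                /* never reuse a name in this process */
    for (unsigned tries = 0; tries < 1000; tries++) {
        snprintf(path, n, "%s/pid/%ld.%u", queue, (long)getpid(), seq++);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;
    }
    return -1;
}

/* Checkpointed System: the message is complete and fsync'ed on disk before the
 * single atomic rename advances it to the todo/ state. A crash before the rename
 * leaves only debris in pid/ for cleanup; a reader of todo/ never sees a partial
 * message. The persistent name is the inode, unique for the file's lifetime. */
int queue_submit(const char *queue, const char *body, char *out, size_t n) {
    char tmp[4096];
    struct stat st;
    int fd = open_unique(queue, tmp, sizeof tmp);
    if (fd < 0) return -1;
    size_t len = strlen(body);
    if (write(fd, body, len) != (ssize_t)len || fsync(fd) != 0 || fstat(fd, &st) != 0) {
        close(fd); unlink(tmp); return -1;
    }
    if (close(fd) != 0) { unlink(tmp); return -1; }
    snprintf(out, n, "%s/todo/%llu", queue, (unsigned long long)st.st_ino);
    return rename(tmp, out);                            /* the checkpoint: all or nothing */
}
```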

qmail Architecture
- Multithreading can exhaust resources
  - TO AVOID: qmail follows the Small Processes Performance Pattern
  - Make processes small and single-task; limit memory
- Inherent problems using standards: the C library
  - TO AVOID: qmail follows the Safe Data Structure Security Pattern
  - Represent strings with a data structure
- In sendmail, the program could execute the body of a message
  - TO AVOID: qmail follows the Content Dependent Processing Security Pattern
  - Treat the received contents as a mail message only
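An added example (my own, not qmail's stralloc) of the Safe Data Structure pattern: a string that carries its own length and capacity, so appending header data of any size is bounds-checked and never depends on a terminating NUL or on the caller having sized a buffer correctly. The header names and values are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length-tracked string: len bytes of data in s, cap bytes allocated. */
typedef struct { char *s; size_t len; size_t cap; } sstr;

/* Grow so at least `need` bytes fit; -1 on arithmetic overflow or out of memory. */
static int sstr_ready(sstr *x, size_t need) {
    if (need <= x->cap) return 0;
    if (need > SIZE_MAX / 2) return -1;           /* doubling below could not overflow */
    size_t cap = x->cap ? x->cap : 32;
    while (cap < need) cap *= 2;
    char *p = realloc(x->s, cap);
    if (!p) return -1;
    x->s = p; x->cap = cap;
    return 0;
}

/* Append exactly n bytes; embedded NULs are data, not terminators. */
int sstr_catb(sstr *x, const char *b, size_t n) {
    if (n > SIZE_MAX - x->len || sstr_ready(x, x->len + n) != 0) return -1;
    memcpy(x->s + x->len, b, n);
    x->len += n;
    return 0;
}

int sstr_cats(sstr *x, const char *z) { return sstr_catb(x, z, strlen(z)); }

/* Build "Name: value\r\n" onto x; the value's length has no bearing on safety. */
int sstr_header(sstr *x, const char *name, const char *value) {
    if (sstr_cats(x, name) || sstr_cats(x, ": ") || sstr_cats(x, value) || sstr_cats(x, "\r\n"))
        return -1;
    return 0;
}

/* Compare with a C string without requiring x to be NUL-terminated. */
int sstr_equals(const sstr *x, const char *z) {
    size_t n = strlen(z);
    return x->len == n && memcmp(x->s, z, n) == 0;
}

void sstr_free(sstr *x) { free(x->s); x->s = NULL; x->len = x->cap = 0; }
```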

qmail Architecture
- Trust Partitioning: not trusting the communication payload
  - TO AVOID: qmail follows the Trust Partitioning Security Pattern
  - Design the components not to trust inputs from other groups and to validate inputs

Postfix Architecture
- Similarities between qmail and Postfix
  - Partitioning and responsibility distribution among processes
  - Neither has a configuration language; this was one of the main problems with sendmail
  - Postfix follows the qmail pattern Unique Location for Each Write Request
    - qmail implements the mail queue as a single directory; Postfix as a single directory
  - Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash

Postfix Architecture
- Differences
  - Postfix uses lookup tables
  - Mail queue: qmail uses one, Postfix has five
  - Separate processes for sending mail using different protocols
  - Postfix uses only one user to simplify configuration management; qmail uses multiple user and group ids
    - Creates a security risk, since everything is running under one id
    - Introduces the Security Pattern chroot Jail: run processes under separate least-privilege user ids in a controlled environment

Postfix Architecture
- Postfix uses pre-forking; qmail forks on demand
- Security Pattern: Secure Preforking
  - Consequences of daemon process compromises are especially bad because of their long life
  - Solution: limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
- Postfix uses a soft-update file system, while qmail uses an async file system

Postfix Architecture
- Postfix uses a Single-Threaded Facade Security Pattern
  - Problem: multithreaded processes communicating with the outside environment are more vulnerable. Therefore they should be made simple in architecture; how can this be achieved?
  - Solution: processes on the perimeter should be single-threaded and perform single tasks, because multithreading involves complex resource management

Postfix Architecture
- Postfix uses a Batch Transaction Performance Pattern
  - Batch transactions to eliminate overhead
  - Group related tasks to avoid task switching and process creation overhead
- Reliability Pattern: DoS Safety
  - Protect against denial of service attacks by setting resource limits
- Security Pattern: Policy Enforcement Point
  - Channel all outside communication through one point where security mechanisms can be applied by defining security policies
  - Postfix has spam filters, qmail does not
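An added example (my own code, not Postfix's master daemon) tying together the Secure Preforking slide above and the DoS Safety pattern on this one: a pool of short-lived workers that retire after a fixed request or time budget and run under setrlimit caps, with the master replacing a retired worker by a fresh fork rather than reviving it. The request handler, budgets and resource limits are stand-ins chosen for the demo.

```c
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef struct { unsigned max_requests; unsigned max_seconds; } lifetime_t;

/* Pure policy: a worker retires when either budget is spent, so a compromised
 * or leaking process cannot persist the way a long-lived daemon would. */
int worker_expired(const lifetime_t *p, unsigned served, time_t started, time_t now) {
    return served >= p->max_requests || (now - started) >= (time_t)p->max_seconds;
}

/* DoS Safety: cap address space and descriptors before touching untrusted input. */
int apply_limits(rlim_t max_mem_bytes, rlim_t max_fds) {
    struct rlimit m = { max_mem_bytes, max_mem_bytes }, f = { max_fds, max_fds };
    return (setrlimit(RLIMIT_AS, &m) == 0 && setrlimit(RLIMIT_NOFILE, &f) == 0) ? 0 : -1;
}

/* Stand-in for one session; a real worker would accept() and handle a client here. */
unsigned one_request(void) { return 1; }

/* Worker body: serve until the policy says retire; returns the count served. */
unsigned worker_loop(const lifetime_t *p, unsigned (*handle)(void)) {
    time_t started = time(NULL);
    unsigned served = 0;
    while (!worker_expired(p, served, started, time(NULL))) served += handle();
    return served;
}

static int spawn_worker(const lifetime_t *p, unsigned (*handle)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* child: contain, serve, retire */
        apply_limits((rlim_t)256 << 20, 64);           /* assumed budgets: 256 MiB, 64 fds */
        _exit(worker_loop(p, handle) ? 0 : 1);
    }
    return 0;
}

/* Master: keep nworkers alive, replacing each retired worker with a fresh fork.
 * Stops after `respawns` replacements so the demo terminates; returns total forks. */
int master(int nworkers, int respawns, const lifetime_t *p, unsigned (*handle)(void)) {
    int forks = 0;
    for (int i = 0; i < nworkers; i++, forks++) if (spawn_worker(p, handle) != 0) return -1;
    while (respawns-- > 0) {
        if (wait(NULL) < 0 || spawn_worker(p, handle) != 0) return -1;
        forks++;
    }
    while (wait(NULL) > 0) ;                           /* let the final generation retire */
    return forks;
}
```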

Conclusion/Questions
- While qmail's and Postfix's designs are not the same, they both use common security patterns
- Both were designed with security as an original requirement
- Both are evidence that security does not have to come at the cost of performance
- Comments/Questions???