Presentation transcript: Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services (BROADNETS 2010, Athens, Greece, Oct. 27, 2010)

Slide 1: Hi-sap: Secure and Scalable Web Server System for Shared Hosting Services
Daisuke Hara, Ryohei Fukuda, Kazuki Hyoudou, Ryota Ozaki, and Yasuichi Nakayama
The University of Electro-Communications, Tokyo, Japan
BROADNETS 2010, Athens, Greece, Oct. 27, 2010

Slide 2: Outline
Introduction
Background
–Increase in end users' Web contents
–Problems of sharing a Web server
–Existing approaches to runtime privilege
Proposal: Hi-sap, a secure and scalable Web server system for shared hosting services
–Design
–Implementation
Evaluation
Conclusions

Slide 3: Introduction
Problem of sharing a Web server
–Malicious users that share the server can potentially steal, delete, or tamper with other users' files.
Proposal: a Web server system that solves this problem and achieves high site-number scalability with little performance degradation.
Contributions:
1. We have clarified the security problems and requirements of shared hosting services.
2. We have clarified the existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services and implemented it on a Linux OS with SELinux.

Slide 4: Background
More people are creating their own content and publishing it on the Web as the Internet grows in popularity.
–End users create weblogs, wikis, and CMSs.
Shared hosting services are widely used.
–Many customers share one server: 100s to 1000s of sites per server.
–Low price and flexibility (custom CGI, etc.).

Slide 5: Hosting service
Shared hosting service vs. dedicated hosting service

Aspect                                          | Shared hosting service            | Dedicated hosting service
Analogy (houses)                                | apartment / condominium           | single-family house
Web sites : Web server programs : machines      | N:1:1 (N = 100s - 1000s)          | 1:1:1
Available machine resources (CPU, memory, disk) | limited (shared)                  | all (dedicated)
Fee                                             | low (a few $/month)               | expensive
Suitable for                                    | end users (target of our study)   |

In the shared case, one Web server program on one machine serves many Web sites.

Slide 6: Problem of sharing a Web server
Processes of a Web server program (e.g. Apache):
–A parent process runs under the privilege of the root user (it has to bind port 80).
–Many server (child) processes run under the privilege of one dedicated user (e.g. apache, www-data, www) and process all requests.
Because every site's content is served by that single user, read, write, and execute permission on the content files must be granted to "other".
–UNIX permission model: owner/group/other, so "other" means every account on the machine, not just the server.

Slide 7: Problem of sharing a Web server (cont.)
Malicious users that share the server can illegally steal, delete, or tamper with other users' files by two routes:
–(i-1) command attack: the malicious user's command-line tools, running under the user's own account, access another user's files directly, because the files are open to "other".
–(i-2) HTTP attack: the malicious user's CGI script is executed by a server process under the shared runtime privilege www, which has the same access to every other user's files as it has to the attacker's.
File permissions (owner/group/other) that a shared server forces on the files of users A, B, and C:
–rw-/---/r-- for static contents (e.g., HTML and image files)
–rw-/---/rw- for files the server must write (e.g., log files, wiki's data files)
–rwx/---/r-x for CGI scripts
Normal request flow in the figure: (1) a server process running as www receives an HTTP request from the Web client, (2) processes it, and (3) sends the response.

Slide 8: Existing approaches to runtime privilege

Approach                | Security in server | Basic performance (throughput/latency) | Site-number scalability | Generality
Container / VM          | excellent          | poor (overhead of virtualization)      | poor                    | poor (modifications of kernel)
PHP safe mode           | good               | excellent                              | excellent               | poor (PHP-specific)
POSIX ACL (with suEXEC) | good               | poor (twice fork&exec)                 | excellent               | good (vanilla Apache)

Existing approaches solve a portion of the security problem, but each lacks performance, site-number scalability, or generality.

Slide 9: Design
The privilege of a server process is changed in advance, before any request arrives, so that the process can be reused for many requests of the same customer.
=> This avoids the per-request privilege switch (and its fork&exec) that degrades performance in suEXEC.
A "dispatcher" distributes requests to "workers": server processes that each run under the privilege of an individual user.
–In the figure, the dispatcher forwards requests to workers A, B, and C, whose privilege is that of the individual users A, B, and C; each worker is reusable.

Slide 10: Partition
Hi-sap protects customer files by isolating them in separate security domains, called "partitions".
–A partition is the unit of protection, enforced by a secure OS facility (type enforcement).
In the figure, each worker is a server process running under the privilege/ownership of an individual user (A, B, or C) and in its own domain (Domain A, B, or C): the worker for A loads mod_python, the worker for B mod_perl, and the worker for C mod_ruby. The customer files carry a matching type (Type A, B, or C) and have file permission rw-/---/--- (no access for group or "other"). Site X lives in Partition A; Site Y's Content Y1 is in Partition B and its Content Y2 in Partition C. File access is checked by the type enforcement of the secure OS, so that:
–(a) an attacker cannot access files in another partition,
–(b) even if those files belong to the same site.
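The following is an added illustration, not code from Hi-sap or its authors, of the two access checks that slides 7 and 10 rely on: the UNIX owner/group/other decision that a shared server process (www) must be granted through "other", and a default-deny type-enforcement rule that a per-user worker in its own domain is allowed through instead. The file modes are the ones printed on the slides; the user names, SELinux-style domains and types (worker_a_t, part_b_t and so on) and the allow rules are assumptions constructed for this example.

```python
# Added example (not Hi-sap's code): a model of the access checks behind
# slides 7 and 10. File modes copy the slides; the SELinux-style types,
# domains, user names and allow rules are assumptions for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: str    # owner/group/other triplets as on slide 7, e.g. "rw-/---/rw-"
    setype: str  # type label consulted by the type-enforcement check


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    domain: str  # domain of the process (SELinux-style)


_BIT = {"r": 0, "w": 1, "x": 2}


def dac_allows(subj, f, op):
    """UNIX discretionary check: pick the owner, group or other triplet
    (first match wins), then test the requested bit."""
    owner, group, other = f.mode.split("/")
    if subj.user == f.owner:
        triplet = owner
    elif f.group in subj.groups:
        triplet = group
    else:
        triplet = other
    return triplet[_BIT[op]] == op


def te_allows(policy, subj, f, op):
    """Type-enforcement check: default deny; allow only if the policy has an
    explicit rule (domain, type) -> permissions that contains op."""
    return op in policy.get((subj.domain, f.setype), set())


def allowed(policy, subj, f, op):
    # A secure OS evaluates DAC first and the mandatory policy second; both must pass.
    return dac_allows(subj, f, op) and te_allows(policy, subj, f, op)


def shared_apache_exposure():
    """Slide 7: one shared server process (www) serves every customer, so a
    wiki data file must be writable by 'other'. Both attack paths succeed."""
    wiki_b = File(owner="b", group="b", mode="rw-/---/rw-", setype="httpd_content_t")
    www = Subject("www", frozenset({"www"}), "httpd_t")  # (i-2) attacker's CGI runs as www
    shell_a = Subject("a", frozenset({"a"}), "user_t")   # (i-1) attacker's command-line tools
    return {
        "http_attack_writes_b": dac_allows(www, wiki_b, "w"),
        "command_attack_reads_b": dac_allows(shell_a, wiki_b, "r"),
    }


def hisap_partitions():
    """Slide 10: worker B runs as user b in its own domain, so B's files can be
    rw-/---/--- and typed part_b_t; only worker_b_t may touch part_b_t."""
    policy = {
        ("worker_a_t", "part_a_t"): {"r", "w"},
        ("worker_b_t", "part_b_t"): {"r", "w"},
        ("worker_c_t", "part_c_t"): {"r", "w"},
    }
    wiki_b = File("b", "b", "rw-/---/---", "part_b_t")
    content_y1 = File("b", "b", "rw-/---/---", "part_b_t")  # site Y, partition B (case (b))
    loose_b = File("b", "b", "rw-/---/rw-", "part_b_t")     # owner carelessly ran chmod o+rw
    worker_a = Subject("a", frozenset({"a"}), "worker_a_t")  # attacker's CGI now runs here
    worker_b = Subject("b", frozenset({"b"}), "worker_b_t")
    worker_c = Subject("c", frozenset({"c"}), "worker_c_t")  # serves site Y's partition C
    shell_a = Subject("a", frozenset({"a"}), "user_t")
    return {
        "own_worker_writes_b": allowed(policy, worker_b, wiki_b, "w"),
        "http_attack_writes_b": allowed(policy, worker_a, wiki_b, "w"),
        "command_attack_reads_b": allowed(policy, shell_a, wiki_b, "r"),
        "same_site_other_partition": allowed(policy, worker_c, content_y1, "r"),
        "loose_mode_dac_only": dac_allows(worker_a, loose_b, "w"),
        "loose_mode_with_te": allowed(policy, worker_a, loose_b, "w"),
    }


if __name__ == "__main__":
    print(shared_apache_exposure())
    print(hisap_partitions())
```

The last two entries of hisap_partitions() are the practical reason for the type-enforcement layer: with rw-/---/--- the per-user worker alone already defeats both attacks, but a customer who loosens a mode (or a tool that creates world-writable files) reopens the DAC path, and only the partition's type rule still denies the other worker.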

Slide 11: Content access scheduler
A Web-server-level scheduler that lets the number of partitions in one server scale: it controls when workers are created and when idle workers are terminated, so not every partition needs a resident worker.

Slide 12: Implementation
We implemented Hi-sap on a Linux OS with SELinux.
–The dispatcher was implemented as an Apache module, mod_hisap, on an Apache HTTP server (ver. 2.0.55).
–One thousand Apache HTTP servers (ver. 2.0.55) were used as workers; each worker waited for requests at a unique port.
–The content access scheduler and the other management facilities for the workers were implemented as a daemon, hisapd.

Slide 13: Overview of request processing
Privileges of the server processes: the dispatcher runs as www, hisapd as root, and workers A, B, C as users A, B, C. The dispatcher and hisapd communicate over a UNIX domain socket; the dispatcher and the workers communicate over HTTP (reverse proxy).
(1) The dispatcher receives a request from the Web client, e.g. "GET / HTTP/1.1" with "Host: www.C.net".
(2) The dispatcher determines whether worker C is active.
(3) If it is not, the dispatcher asks hisapd to activate worker C.
(4) hisapd activates worker C.
(5) The dispatcher forwards the request to worker C as a reverse proxy.
(6) Worker C processes the request.
(7) Worker C forwards the response to the dispatcher.
(8) The dispatcher sends the response to the Web client.
Under heavy load, hisapd (i) selects a worker that has no requests, here worker A, and (ii) terminates it.
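The following is an added example, not mod_hisap or hisapd code, of the control logic in slides 9, 11, and 13: the dispatcher picks a worker from the Host header, activates it on demand, and the content access scheduler terminates an idle worker when a cap on resident workers is reached. In Hi-sap the dispatcher asks hisapd over a UNIX domain socket and forwards over HTTP; here both are in-process calls. The partition names, loopback ports, host names, the cap, and the least-recently-used victim choice are assumptions constructed for this example (the slides only say that a worker with no requests is selected).

```python
# Added example (not mod_hisap/hisapd code): Host-based dispatch to per-customer
# workers with on-demand activation and idle-worker termination under a cap,
# modelling steps (1)-(5) and (i)-(ii) of slide 13 in-process. Partition names,
# ports, host names, the cap and the LRU victim rule are constructed assumptions.
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Worker:
    partition: str
    user: str           # the individual user the worker runs as
    port: int           # unique loopback port the worker listens on
    active: bool = False
    in_flight: int = 0  # requests the worker is currently processing


class ContentAccessScheduler:
    """Keeps at most max_active workers running. Activates on demand; when the
    cap is hit, terminates the least recently used worker that has no request
    in flight (a busy worker is never killed mid-request)."""

    def __init__(self, workers, max_active):
        self.workers = {w.partition: w for w in workers}
        self.max_active = max_active
        self.lru = OrderedDict()  # active partitions, least recently used first
        self.log = []             # (action, partition) events, for inspection

    def ensure_active(self, partition):
        w = self.workers[partition]
        if w.active:
            self.lru.move_to_end(partition)
            return w
        if len(self.lru) >= self.max_active:
            victim = next((p for p in self.lru if self.workers[p].in_flight == 0), None)
            if victim is None:
                raise RuntimeError("every active worker is busy; cannot activate " + partition)
            self.workers[victim].active = False
            del self.lru[victim]
            self.log.append(("terminate", victim))
        w.active = True
        self.lru[partition] = None
        self.log.append(("activate", partition))
        return w


def parse_host(raw_request):
    """Return the lowercased Host header without a port, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0] or None
    return None


class Dispatcher:
    """Maps Host to a partition and reverse-proxies to that worker's port.
    Unknown or missing hosts are rejected rather than sent to a default
    worker, so one customer's worker never serves another customer's name."""

    def __init__(self, host_map, scheduler):
        self.host_map = host_map  # host name -> partition
        self.sched = scheduler

    def route(self, raw_request):
        host = parse_host(raw_request)
        if host is None:
            return (400, None)
        partition = self.host_map.get(host)
        if partition is None:
            return (404, None)
        w = self.sched.ensure_active(partition)
        w.in_flight += 1
        return (200, ("127.0.0.1", w.port))

    def finish(self, partition):
        # Called once the worker's response has been relayed to the client (step (8)).
        self.sched.workers[partition].in_flight -= 1


def run_demo():
    workers = [Worker("A", "a", 8081), Worker("B", "b", 8082), Worker("C", "c", 8083)]
    sched = ContentAccessScheduler(workers, max_active=2)
    disp = Dispatcher({"www.a.example": "A", "www.b.example": "B", "www.c.example": "C"}, sched)

    def req(host):  # constructed HTTP/1.1 request line plus Host header
        return "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host

    routes = [disp.route(req("www.a.example")),      # activates A
              disp.route(req("WWW.B.example:80"))]   # activates B (host normalised)
    disp.finish("B")                                 # A still busy, B idle
    routes.append(disp.route(req("www.c.example")))  # cap reached: idle B goes, busy A stays
    disp.finish("A")
    disp.finish("C")
    routes.append(disp.route(req("www.unknown.example")))
    routes.append(disp.route("GET / HTTP/1.1\r\n\r\n"))
    return routes, sched.log


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The check that a victim has no request in flight is what keeps termination safe under the heavy-load path (i)-(ii); without it the scheduler could kill a worker between steps (5) and (7) and the client would see a broken response.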

Slide 14: Evaluation - experimental environment
Server: CPU AMD Opteron 240EE 1.4 GHz x 2; memory 4 GB (swap 8 GB); OS Fedora Core 4 (kernel 2.6.14); NIC Broadcom BCM5704C 1 Gbps
Client: CPU Intel Pentium III Xeon 500 MHz x 4; memory 256 MB (swap 512 MB); OS Fedora Core 4 (kernel 2.6.14); NIC Intel PRO/1000XT PWLA8490XT 1 Gbps
Network: Gigabit Ethernet through a DELL PowerConnect 2724 switching hub (1000BASE-T x 24)

Slide 15: Basic performance evaluation - throughput
The throughput with Hi-sap was, on average, 2.0% lower than with Apache, and at most 6.9% lower. The overhead of Hi-sap is very low.
–Web application: tDiary 2.0.2 (written in Ruby)
–Benchmark: httperf 0.8
–"One-to-one" is a configuration similar to Hi-sap (one server per site) but without mod_hisap and hisapd installed.

Slide 16: Basic performance evaluation - latency
The latencies of Apache, one-to-one, and Hi-sap were all small. The latency of suEXEC was very large, so suEXEC is not suitable for this setting.

Slide 17: Site-number scalability evaluation
Hi-sap's scalability is high.
–The reduction in throughput with Hi-sap as the number of partitions increased was smaller than with one-to-one.
–With one-to-one, the OS crashed due to a memory shortage when the number of partitions reached about 600.
Web application: a PHP script that calls phpinfo(), which displays the system information of the PHP language processor.
Benchmark: Apache Benchmark

Slide 18: Site-number scalability evaluation - memory utilization
The swap utilization of one-to-one increased dramatically as the number of partitions increased.
–This is the reason for the OS crash.
Hi-sap uses far less swap space because the content access scheduler keeps only the workers that are needed resident.

Slide 19: Conclusions
Proposal:
–A Web server system that solves the problem of sharing a Web server and achieves high site-number scalability with little performance degradation.
Contributions:
1. We have clarified the security problems and requirements of shared hosting services.
2. We have clarified the existing approaches and their limitations.
3. We have designed a secure and scalable Web server system for shared hosting services and implemented it on a Linux OS with SELinux.
Our evaluation results demonstrate that Hi-sap satisfies the requirements both qualitatively and quantitatively.

Slide 20: Future work
Optimizing the content access scheduler algorithm to avoid swapping and to enable more than 1000 sites to be housed.
Applying the concept of Hi-sap to other server programs that provide service to many users
–e.g., mail servers and network file systems

Slide 21: Thank you. Any questions/comments?

