Confining the Insider Threat in Mass Virtual Hosting Systems

Marco Prandini, Eugenio Faldella, Roberto Laschi

Abstract

Mass virtual hosting is a widespread solution to the market need for a platform allowing the inexpensive deployment of web sites. By leveraging the ever-increasing performances of server platforms, it is possible to let hundreds of customers share the available storage, computing, and connectivity facilities, eventually attaining a satisfying level of service for a fraction of the total cost of the platform. Since the advent of dynamic web programming, however, achieving a sensible tradeoff between security and efficiency in mass hosting solutions has become quite difficult. The most efficient and widespread solution, in fact, foresees the execution with undifferentiated rights of code belonging to different customers, thus opening the possibility of unauthorized access of one customer to the others’ data. This paper illustrates a possible solution to this problem, based on the integration of Mandatory Access control techniques within the web server. The proposed solution guarantees robust isolation between resources belonging to different subjects, without introducing a sensible increase in resource utilization.

References

  1. Hypertext Transfer Protocol - HTTP/1.1 - http://www.ietf.org/rfc/rfc2616.txt
  2. Apache Server website. - http://httpd.apache.org/
  3. Netcraft Web Server Survey. - http://news.netcraft.com/archives/web_server_survey .html
  4. Apache: Conceptual Architecture by Ahmed Hassan. - http://plg.uwaterloo.ca/aeehassa/ cs746/as1/apache1.html
  5. Extending Apache: Apache Modules. - http://apache.hpi.uni-postsdam.de/document/ 3_3Extending _Apache.html
  6. VMware web site. - http://www.vmware.com/
  7. Barham P., Dragovic B., Fraser K., Hand S., Harris T., Ho A., Neugebauer R., Pratt I., and Warfield A., Xen and the art of virtualization. Proc. 19th ACM symposium on Operating systems principles, October, 2003, ACM Press, 162-177
  8. Common Gateway Interface v1.1. - http://hoohoo.ncsa.uiuc.edu/cgi/
  9. RSBAC web site. - http://www.rsbac.org/
  10. La Padula, L. J., Rule Set Modeling of a Trusted Computer System, Essay, in: Information Security: An Integrated Collection of Essays, Hrsg.: Abrams, M. D., Jajodia, S., Podell, H. J., IEEE Computer Society Press, 1995
  11. LIDS web site. - http://www.lids.org/
  12. grsecurity web site. - http://www.grscurity.net/
  13. National Security Agency. Security-Enhanced Linux (SELinux). - http://www.nsa.gov/selinux
  14. Spencer R., Smalley S. D., Loscocco P., Hibler M., Andersen D. and Lepreau J., The Flask Security Architecture: System support for diverse security policies, Proc. 8th USENIX Security Symposium, Washington, D.C., 1999, pp 123-139
  15. D. E. Bell and L. J. LaPadula, Secure Computer Systems: Mathematical Foundations and Model, Technical Report M74-244, The MITRE Corporation, Bedford, MA, May 1973
  16. Smalley S., Vance C. and Salamon W. Implementing SELinux as a Linux Security Module - http://www.nsa.gov/selinux/papers/module.pdf
  17. Smalley S. D., Configuring the SELinux Policy. Nai Labs Report #02-007, June 2002
  18. Badger L., Sterne D. F., Sherman D. L., Walker K. M. and Haghighat S. A., A Domain and Type Enforcement Unix Prototype, Proc. 5th USENIX UNIX Security Symposium, Salt Lake City, UT, 1995, pp 127-140
  19. Sandhu R., Role-Based Access Control, Advances in Computer Science, 46, Academic Press, 1998
  20. PHP website. - http://www.php.net/
  21. PHP usage stats. - http://www.php.net/usage.php
  22. suPHP Project by Sebastian Marsching - http://www.suphp.org/
Download


Paper Citation


in Harvard Style

Prandini M., Faldella E. and Laschi R. (2007). Confining the Insider Threat in Mass Virtual Hosting Systems . In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 105-114. DOI: 10.5220/0002431801050114


in Bibtex Style

@conference{wosis07,
author={Marco Prandini and Eugenio Faldella and Roberto Laschi},
title={Confining the Insider Threat in Mass Virtual Hosting Systems},
booktitle={Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)},
year={2007},
pages={105-114},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002431801050114},
isbn={978-972-8865-96-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)
TI - Confining the Insider Threat in Mass Virtual Hosting Systems
SN - 978-972-8865-96-2
AU - Prandini M.
AU - Faldella E.
AU - Laschi R.
PY - 2007
SP - 105
EP - 114
DO - 10.5220/0002431801050114