Confining the Insider Threat in Mass Virtual Hosting Systems
Marco Prandini, Eugenio Faldella, Roberto Laschi
2007
Abstract
Mass virtual hosting is a widespread solution to the market need for a platform allowing the inexpensive deployment of web sites. By leveraging the ever-increasing performance of server platforms, it is possible to let hundreds of customers share the available storage, computing, and connectivity facilities, eventually attaining a satisfactory level of service for a fraction of the total cost of the platform. Since the advent of dynamic web programming, however, achieving a sensible tradeoff between security and efficiency in mass hosting solutions has become quite difficult. The most efficient and widespread solution, in fact, involves executing code belonging to different customers with undifferentiated rights, thus opening the possibility of unauthorized access by one customer to the others' data. This paper illustrates a possible solution to this problem, based on the integration of Mandatory Access Control techniques within the web server. The proposed solution guarantees robust isolation between resources belonging to different subjects, without introducing an appreciable increase in resource utilization.
Paper Citation
in Harvard Style
Prandini M., Faldella E. and Laschi R. (2007). Confining the Insider Threat in Mass Virtual Hosting Systems. In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 105-114. DOI: 10.5220/0002431801050114
in Bibtex Style
@conference{wosis07,
author={Marco Prandini and Eugenio Faldella and Roberto Laschi},
title={Confining the Insider Threat in Mass Virtual Hosting Systems},
booktitle={Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)},
year={2007},
pages={105-114},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002431801050114},
isbn={978-972-8865-96-2},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)
TI - Confining the Insider Threat in Mass Virtual Hosting Systems
SN - 978-972-8865-96-2
AU - Prandini M.
AU - Faldella E.
AU - Laschi R.
PY - 2007
SP - 105
EP - 114
DO - 10.5220/0002431801050114