UBNS is not the only way to partition a service into multiple processes. Another complementary way is privilege separation [29]--in which an application is partitioned into two processes, one privileged and one unprivileged. For example, the listening part of the service which performs generic processing--initialization, waiting for new connections, etc. is often run as root (i.e., with administrative privileges) because some actions need these privileges (for example, to read the file containing hashed passwords or to bind to a port). Unfortunately, exploiting a security hole in a root level process fully compromises the computer. By splitting the server into two processes, the exposure of a root level process is minimized. In contrast to UBNS, retrofitting privilege separation is not difficult, and there exists both libraries [20] and compiler techniques [6] to do it. Both UBNS and privilege separation are design strategies to maximize the value of least privilege [32].
SSH is a widely used UBNS service [42,29], but is ill-suited to implement UBNS services--such as mail, calendaring, source control systems, remote file systems--because of the way network services are built. In the network case, the listening process exists before the connection is made and must at connect time know what user is associated with the service. Ssh's port forwarding3performs user authentication at the service host--but not at the service--and hence, to the service the users of a host are undifferentiated4. As a result, traditional UBNS services use authentication mechanisms such as SSL or passwords and OS mechanisms such as setuid which are awkward to program and may not be secure. In contrast, netAuth both authenticates and authorizes the user on a per service basis, so that the service runs only with the permission of the user. Unlike SSH, netAuth provides end-to-end securing from client to service.
Distributed Firewalls [5] (based on Keynote [5]) in contrast to SSH, implements per user authorization for services by adding this semantics to the connect and accept APIs. While Distributed Firewalls sit in front of the service, and thus are not integrated with the service, Virtual Private Services are integrated and thus can provide UBNS services [16]. In DisCFS [27], an interesting scheme is used to extend the set of users on the fly by adding their public keys; although we have not yet implemented it, we intend to use this mechanism to allow anonymous access (assuming authorization allows it for a service) thus combining the best of authenticated and public services.
Shamon [25,17] is a distributed access control system which runs on Virtual Machines (VMs). It ``knits'' together the access control specifications for different systems, and ensures the integrity of the resulting system using TPM and attestation techniques. Its communication, like netAuth, is implemented in IPsec and uses a modified xinetd to perform the authorization. Shamon implements a very comprehensive mechanism for authorization (targeted for very tightly integrated systems), in contrast to netAuth's less complete but simpler service-by-service authorization.
We do not describe the authorization part of netAuth in this paper for two reasons. First, there is not sufficient space. Second, the authentication mechanism can be used with any authorization model. For example, even POSIX authorization, privilege separation, and VMs could be combined to provide a reasonable base for UBNS. The most value for authorization is gained when privileges are based both on the executable and the user of the process, increasing the value of privilege separation. Such separation is essential to allow multiple privilege separated services to run on the same OS. Examples of such mechanisms include SELinux [34], AppArmor [9], and KernelSec [30]. Janus[15], MAPBox[2], Ostia[14] and systrace[28,22] are examples of sandboxing mechanisms which attenuate privileges.
SANE/Ethane [8,7] has a novel method of authorizing traffic in the network. An authorizing controller intercepts traffic and--based on user authentication for that host--determines whether to allow or deny the network flow. This enables errant hosts or routers to be isolated. However, the authentication information available to Ethane using traditional OS mechanisms is coarse grain (it cannot distinguish individual users or applications). Ethane and netAuth are complementary approaches, which could be combined to provide network-based authentication with fine-grained authentication.
Distributed authentication consist of two components: a mechanism to authenticate the remote user and a means to change the ownership of a process. Traditionally, UNIX performs user authentication in a (user space) process and then sets the User ID by calling setuid. The process doing setuid needs to run as the superuser (administrative mode in Windows) [39]. To reduce the dangers of exploits using such highly privileged processes, Compartmented Mode Workstations divided root privileges into about 30 separate capabilities [3], including a SETUID capability. These capabilities were also adopted by the POSIX 1e draft standard [1], which was widely implemented, including in Linux.
To limit the setuid privileges further,
Plan9 uses an even finer grain one-time-use capability
[10],
which allows a process owned by 
to change its owner to 
.
NetAuth takes a further step in narrowing this privilege
since it is limited to a particular connection and is non-transferable;
but a more important effect is that it is
statically declared and thus enhances information assurance
whether manually or automatically performed.
The traditional mechanism to provide user authentication in distributed systems is passwords. Such passwords are subject to dictionary and other types of attacks, and are regularly compromised. Even mechanisms like SSL typically use password based authentication for users [12] even though they can support public key encryption.
Kerberos [38] performs encryption using private key cryptography. Kerberos has a single point of failure if the KDC is compromised; private key also means that there is not non-repudiation to prove that the user did authenticate against a server; and requires that the KDC be trusted by both parties. Microsoft Window's primary authentication mechanism is Kerberos.
Plan9 uses a separate (privilege-separated) process called factotum, to hold authentication information and verify authentication. The factotum process associated with the server is required to create the change-of-owner capability. But factotum is invoked by the service, and hence can be bypassed allowing unauthenticated users to access the service. Of course, it is in principle possible to examine the source code for the service to determine whether authentication is bypassed, but this is an error prone process and must be done anew each time an application is modified. NetAuth, enforces authentication and authorization which cannot be bypassed and is easier to analyze.
The OKWS web server [21], built on top of the Asbestos OS [11] does a per user demultiplex, so that each web server process is owned by a single user. This in turn is based on HTTP-based connections, in which there can be multiple connections per user, tied together via cookies. It uses the web-specific mechanism for sharing authentication across multiple connections. OKWS was an inspiration for netAuth, which allows multiple connections from a user to go to the same server. NetAuth works by unambiguously naming the connection so that it works with any TCP/IP connection; and hence is much broader than web-based techniques.
Manigandan Radhakrishnan 2008-05-13
