LISA 2000 Abstract
SubDomain: Parsimonious Server Security
Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton
Pu, Perry Wagle and Virgil Gligor, WireX Communications, Inc.
Internet security incidents have shown that while network
cryptography tools like SSL are valuable to Internet service, the hard
problem is to protect the server itself from attack. The host security
problem is important because attackers know to attack the weakest
link, which is vulnerable servers. The problem is hard because
securing a server requires securing every piece of software on the
server that the attacker can access, which can be a very large set of
software for a sophisticated server. Sophisticated security
architectures that protect against this class of problem exist, but
because they are either complex, expensive, or incompatible with
existing application software, most Internet server operators have not
chosen to use them.
This paper presents SubDomain: an OS extension designed to provide
sufficient security to prevent vulnerability rot in Internet server
platforms, and yet simple enough to minimize the performance,
administrative, and implementation costs. SubDomain does this by
providing a least privilege mechanism for programs
rather than for users. By orienting itself to programs rather than
users, SubDomain simplifies the security administrator's task of
securing the server.
This paper describes the problem space of securing Internet
servers, and presents the SubDomain solution to this problem. We
describe the design, implementation, and operation of SubDomain, and
provide working examples and performance metrics for services such as
HTTP, SMTP, POP, and DNS protected with SubDomain.