A Fast Method for Securing User Supplied Code Execution in Web Servers

Abstract

This paper presents a novel method for securing web servers while keeping performance overhead as low as possible. There are already existing methods for separating the execution user and group identities for different websites on the same web server, hence improving security, but all of them have performance and resource usage weaknesses. The mechanism presented here requires modifications also in the kernel of the operating system, not only in the web server. The method works by extracting the calling address of the process invoking a specific newly implemented system call in the Linux kernel. Based on this address, the new system call can decide whether to grant additional privileges to the invoking process or not. Integrating this method into the Apache web server (the most popular web server application for many years as of writing) makes it possible to create a secure environment for the different websites belonging to different users on the same server. Compared to similar solutions, the overhead of the method is very low. The last chapter presents measurement results comparing the performance of the original version and that of the modified version of the web server.