Coffeehouse Thread

7 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Shared hosting -- With additional security

  • IDWMaster

    I've recently been working on a project which involves running several applications on a single server, some of which may come from sources which are not verified for security. This is a typical example of shared hosting, which frequently poses security problems: with so much unverified user code running on the same server, some of the code may potentially be malicious and attempt to gain access to areas it's not supposed to. To solve this problem, many web hosting companies started using virtual machines. However, the problem with these is that they can be very expensive for companies to host (especially small businesses), due to the memory requirements they impose, the CPU time, and the power consumption. To solve this problem, I developed a virtual OS (specifically for server hosting), written in C#, called IDWOS 2012, which is designed to isolate each process into its own virtual machine and prevent any kind of inter-application communication from occurring on the server. When each process on the server starts, it is assigned a security token, which needs to be passed to any "privileged function" on the system in order to determine what type of access the process has, and allows the privileged function to be invoked in a secure context (for example, calling File.Open("C:\\myfile.txt", FileMode.Open) could redirect to a virtual filesystem instead of the actual hard drive). This is the default action, and direct access to the system drive is only allowed if the application is "trusted" by the system administrator and allowed to perform this kind of interaction. Otherwise, all calls made by the virtual machine (process) are redirected to more secure functions, or simply not allowed at all (for example, P/Invoke and unsafe code are currently not supported).

    I will release this under a GPL license for non-commercial use (open-source), and a paid license for commercial use. 

  • AndyC

    Two questions spring to mind:

    1) How is this better than just running applications under separate user accounts?

    2) Are you even allowed to specify 'non-commercial usage' on a GPL licensed app? I think not.

  • IDWMaster

    AndyC wrote:

    Two questions spring to mind:

    1) How is this better than just running applications under separate user accounts?

    2) Are you even allowed to specify 'non-commercial usage' on a GPL licensed app? I think not.

    1 - Using separate user accounts does not really "virtualize" an application instance. My virtualized web server framework can be used to:

    • Redirect file IO operations without the knowledge of the application
    • Monitor and diagnose performance issues on a per-VM basis, and allow for prioritization of traffic/disk IO (disk bandwidth) based on the previous history of that application, as well as the number of IO operations the subscriber is paying for (or you can charge them based on how much disk IO operations they use)
    • Prevent malicious applications from running a DoS attack against the server by means of resource prioritization (QoS) and attack detection
    • Prevent execution of malicious code designed to exploit security vulnerabilities in the operating system itself (code running in the VM cannot directly access the host operating system, or P/Invoke into any native functions; 'unsafe' code such as pointers is also disabled)
    • Use VHDs as a tool for application instancing and versioning (to allow multiple instances of the same application to run on a server simultaneously, so the customer's existing sessions with a website are not interrupted during an application upgrade, and new customers can automatically access the newer version of the application; if this setting is enabled by the application vendor in an XML configuration file)

    2 - Perhaps not, but any products that ship with my server will be required to distribute their source code. I have contacted my lawyer and am awaiting a reply from him about this. I may need to choose another license.

  • cheong

    2) Are you even allowed to specify 'non-commercial usage' on a GPL licensed app? I think not.

    I think he can offer a separate license like what MySQL does.

  • AndyC

    IDWMaster wrote:

    *snip*

    1 - Using separate user accounts does not really "virtualize" an application instance. My virtualized web server framework can be used to:

    • Redirect file IO operations without the knowledge of the application
    • Monitor and diagnose performance issues on a per-VM basis, and allow for prioritization of traffic/disk IO (disk bandwidth) based on the previous history of that application, as well as the number of IO operations the subscriber is paying for (or you can charge them based on how much disk IO operations they use)
    • Prevent malicious applications from running a DoS attack against the server by means of resource prioritization (QoS) and attack detection
    • Prevent execution of malicious code designed to exploit security vulnerabilities in the operating system itself (code running in the VM cannot directly access the host operating system, or P/Invoke into any native functions; 'unsafe' code such as pointers is also disabled)

    The trouble I have with that is that separate user accounts provide a significant level of security via hardware functionality in the CPU as well as extremely well tested code in the Windows kernel. By contrast, your framework relies quite heavily on the assumptions that (a) there aren't any flaws in the CLR that could be exploited and (b) there aren't any flaws in your code that can be manipulated to access other applications or privileged functions. That's a harder sell, especially if your framework is handing the security token to the untrusted application (which can potentially manipulate or fake it) and then trusting it when it's passed as a privileged function parameter (which seems to be what you are suggesting).

    The other concerns around I/O performance and/or potential resource hogging can also be handled by native Windows Server functionality (intended primarily for Terminal Servers) as could things like filesystem quotas and I/O usage logging.

    Perhaps the biggest issue though is that, if my reading is correct, applications would need to be written specifically to target your framework. For a hosting provider that's going to heavily limit the use, since it's a pretty strict requirement to try and enforce on clients. By contrast running an application under a dedicated user account is a pretty trivial task and doesn't require any special changes to an existing app (except possibly to remove LUA issues).

    cheong wrote:

    2) Are you even allowed to specify 'non-commercial usage' on a GPL licensed app? I think not.

    I think he can offer a separate license like what MySQL does.

    Not the same thing at all. MySQL provides a separate license for inclusion in commercial products that do not wish to distribute their source code. You can still use the GPL version for commercial work if you wish. The entire purpose of the GPL is to ensure end users have freedom to do whatever they like with the code, and a restriction on commercial usage is entirely contrary to that.
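A worked illustration of the token design debated in IDWMaster's first post and AndyC's reply above. This is added example code, not IDWOS or any poster's code; the class names (HostedProcess, WeakHost, Host, SecurityToken), the process ids and the virtual-root path are assumptions. It places a check that trusts whatever token value the caller names beside one where the host mints tokens under a key it never hands out and verifies them before honouring a redirected File.Open path, and it refuses a redirected request that would resolve outside the tenant's virtual root.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

// Added example, not IDWOS code. Class names, ids and paths are illustrative.
// A process the host knows about: trusted ones see the real drive, the rest
// are confined to a per-process virtual root.
sealed class HostedProcess
{
    public int Id { get; init; }
    public bool Trusted { get; init; }
    public string VirtualRoot { get; init; } = "";
}

// Weak design: the "token" is whatever integer the caller names, so untrusted
// code that learns or guesses a trusted process id is treated as that process.
static class WeakHost
{
    static readonly Dictionary<int, HostedProcess> Procs = new();
    public static void Register(HostedProcess p) => Procs[p.Id] = p;

    public static string ResolvePath(int claimedToken, string requested)
    {
        if (!Procs.TryGetValue(claimedToken, out var p))
            throw new UnauthorizedAccessException("unknown process");
        return p.Trusted ? requested : Path.Combine(p.VirtualRoot, Path.GetFileName(requested));
    }
}

// Hardened design: a token carries an HMAC over the process id under a key
// that never leaves the host, so tenant code cannot mint one for another id.
sealed class SecurityToken
{
    public int ProcessId { get; }
    public byte[] Mac { get; }
    internal SecurityToken(int processId, byte[] mac) { ProcessId = processId; Mac = mac; }
}

static class Host
{
    static readonly byte[] HostKey = RandomNumberGenerator.GetBytes(32); // host-only secret
    static readonly Dictionary<int, HostedProcess> Procs = new();

    public static SecurityToken Register(HostedProcess p)
    {
        Procs[p.Id] = p;
        return new SecurityToken(p.Id, Mac(p.Id));
    }

    static byte[] Mac(int processId) => HMACSHA256.HashData(HostKey, BitConverter.GetBytes(processId));

    // Constant-time comparison so a forged MAC cannot be refined byte by byte.
    static bool Verify(SecurityToken t) =>
        t != null && Procs.ContainsKey(t.ProcessId) &&
        CryptographicOperations.FixedTimeEquals(t.Mac, Mac(t.ProcessId));

    // The privileged function behind File.Open: trusted processes get the real
    // path, untrusted ones are redirected into their virtual root, and a request
    // that would resolve outside that root is refused rather than served.
    public static string ResolvePath(SecurityToken token, string requested)
    {
        if (!Verify(token))
            throw new UnauthorizedAccessException("invalid or forged token");
        var p = Procs[token.ProcessId];
        if (p.Trusted) return Path.GetFullPath(requested);

        string root = Path.GetFullPath(p.VirtualRoot);
        // Drop the drive root ("C:\") so the request lands inside the sandbox.
        string relative = requested.Substring(Path.GetPathRoot(requested)?.Length ?? 0);
        string resolved = Path.GetFullPath(Path.Combine(root, relative));
        if (!resolved.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the virtual filesystem");
        return resolved;
    }
}

static class Demo
{
    static void Main()
    {
        var admin = new HostedProcess { Id = 1, Trusted = true };
        var tenant = new HostedProcess { Id = 7, Trusted = false, VirtualRoot = @"D:\vfs\tenant7" };

        WeakHost.Register(admin);
        WeakHost.Register(tenant);
        // The weak check only knows what it was told: naming id 1 yields the real path.
        Console.WriteLine("weak:     " + WeakHost.ResolvePath(1, @"C:\myfile.txt"));

        Host.Register(admin);
        var tenantToken = Host.Register(tenant);
        Console.WriteLine("hardened: " + Host.ResolvePath(tenantToken, @"C:\myfile.txt"));

        // A token built without the host key (constructible here only because the
        // demo shares the host's assembly) fails verification and is refused.
        var forged = new SecurityToken(1, new byte[32]);
        try { Host.ResolvePath(forged, @"C:\myfile.txt"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("hardened: rejected (" + e.Message + ")"); }
    }
}
```

The HMAC stops a tenant from minting a token for a process it is not, which is the forgery AndyC describes; it does not help if tenant code can read another process's token out of shared memory, and AndyC's wider point stands that a host which derives the caller's identity itself, from the isolation boundary the call arrived through, is on firmer ground than one that accepts it as a parameter. The path check is a separate matter from the token: redirecting into a virtual root is only a containment measure if requests that normalise back out of that root are refused.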

  • Bass

    With the GPL (if this is a library) you can require anyone using the code to also GPL their work or put it under a license that is compatible with the GPL (eg. BSD 2-clause).

    From what IDW said in his 2nd post this seems to be his intention (free license for open source projects, commercial license for closed source projects), probably he mistakenly used "non-commercial use".

    IDWMaster,

    From what you want I think the GPL is not the best choice; probably the AGPL would fit your business model better. Although TBH the distinction between them can be a legal gray area, so if you're looking to a lawyer for advice maybe mention this.

    Good luck with this, it seems like an interesting idea.

  • IDWMaster

    Bass wrote:

    With the GPL (if this is a library) you can require anyone using the code to also GPL their work or put it under a license that is compatible with the GPL (eg. BSD 2-clause).

    From what IDW said in his 2nd post this seems to be his intention (free license for open source projects, commercial license for closed source projects), probably he mistakenly used "non-commercial use".

    IDWMaster,

    From what you want I think the GPL is not the best choice; probably the AGPL would fit your business model better. Although TBH the distinction between them can be a legal gray area, so if you're looking to a lawyer for advice maybe mention this.

    Good luck with this, it seems like an interesting idea.

    Thanks! The AGPL plus a second (proprietary) license seems like the perfect licensing model for my business! Haven't heard back from my lawyer yet, but I will let him know about this licensing option!
