Building Secure High-Performance Web Services with OKWS

Maxwell Krohn, MIT Computer Science and AI Laboratory

[email protected]

Abstract Web servers, and to limit the severity of unforeseen prob-

lems, we introduce OKWS, the OK Web Server. Unlike
OKWS is a toolkit for building fast and secure Web ser- typical Web servers, OKWS is specialized for dynamic
vices. It provides Web developers with a small set of content and is not well-suited to serving files from disk.
tools that has proved powerful enough to build complex It relies on existing Web servers, such as Flash [23] or
systems with limited effort. Despite its emphasis on se- Apache [3], to serve images and other static content. We
curity, OKWS shows performance improvements com- argue (in Section 5.4) that this separation of static and
pared to popular systems: when servicing fully dynamic, dynamic content is natural and, moreover, contributes to
non-disk-bound database workloads, OKWS’s through- security.
put and responsiveness exceed that of Apache 2 [3], What OKWS does provide is a simple, powerful, and
Flash [23] and Haboob [44]. Experience with OKWS in a secure toolkit for building dynamic content pages (also
commercial deployment suggests it can reduce hardware known as Web services). OKWS enforces the natural
and system management costs, while providing security principle of least privilege [27] so that those aspects of
guarantees absent in current systems. the system most vulnerable to attack are the least use-
ful to attackers. Further, OKWS separates privileges so
1 Introduction that the different components of the system distrust each
other. Finally, the system distrusts the Web service devel-
Most dynamic Web sites today maintain large server-side oper, presuming him a sloppy programmer whose errors
databases, to which their users have limited access via can cause significant damage. Though these principles
HTTP interfaces. Keeping this data hidden and correct are not novel, Web servers have not generally incorpo-
is critical yet difficult. Indeed, headlines are replete with rated them.
stories of the damage and embarrassment remote attack- Using OKWS to build Web services, we show that
ers can visit on large Web sites. compromises among basic security principles, perfor-
Most attacks against Web sites exploit weaknesses in mance, and usability are unnecessary. To this effect,
popular Web servers or bugs in custom application-level the next section surveys and categorizes attacks on Web
logic. In practice, emphasis on rapid deployment and per- servers, and Section 3 presents simple design principles
formance often comes at the expense of security. that thwart them. Section 4 discusses OKWS’s imple-
Consider the following example: Web servers typ- mentation of these principles, and Section 5 argues that
ically provide Web programmers with powerful and the resulting system is practical for building large sys-
generic interfaces to underlying databases and rely on tems. Section 6 discusses the security achieved by the
coarse-grained database-level permission systems for ac- implementation, and Section 7 analyzes its performance,
cess control. Web servers also tend to package logically showing that OKWS’s specialization for dynamic content
separate programs into one address space. If a particular helps it achieve better performance in simulated dynamic
Web site serves its search and newsletter-subscribe fea- workloads than general purpose servers.
tures from the same machine, a bug in the former might
allow a malicious remote client to select all rows from 2 Brief Survey of Web Server Bugs
a table of subscribers’ email addresses. In general, any-
thing from a buffer overrun to an unexpected escape se- To justify our approach to dynamic Web server design,
quence can expose private data to an attacker. Moreover, we briefly analyze the weaknesses of popular software
few practical isolation schemes exist aside from running packages. Our goal is to represent the range of bugs that
different services on different machines. As a result, a have arisen in practice. Historically, attackers have ex-
flaw in one service can ripple through an entire system. ploited almost all aspects of conventional Web servers,
To plug the many security holes that plague existing from core components and scripting language exten-
sions to the scripts themselves. The conclusion we draw Denial of Service Attacks. Aside from TCP/IP-based
is that a better design—as opposed to a more correct DoS attacks, Apache has been vulnerable to a number of
implementation—is required to get better security prop- application-specific attacks. Apache versions released in
erties. 2003 failed to handle error conditions on certain “rarely
In our survey, we focus on the Apache [3] server due used ports,” and would stop servicing incoming connec-
to its popularity, but the types of problems discussed are tions as a result [38]. Another 2003 release allowed lo-
common to all similar Web servers, including IBM Web- cal configuration errors to result in infinite redirection
Sphere [14], Microsoft IIS [19] and Zeus [47]. loops [8]. In some versions of Apache, attackers could
exhaust Apache’s heap simply by sending a large se-
quence of linefeed characters [37].
2.1 Apache Core and Standard Modules
There have been hundreds of major bugs in Apache’s 2.2 Scripting Extensions to Apache
core and in its standard modules. They fit into the fol-
lowing categories: Apache’s security worsens considerably when compiled
with popular modules that enable dynamically-generated
content such as PHP [25]. In the past two years alone,
Unintended Data Disclosure. A class of bugs results
at least 13 critical buffer overruns have been found in
from Apache delivering files over HTTP that are sup-
the PHP core, some of which allowed attackers to re-
posed to be private. For instance, a 2002 bug in Apache’s
motely execute arbitrary code [9, 28]. In six other
mod dav reveals source code of user-written scripts [42].
cases, faults in PHP allowed attackers to circumvent its
A recent discovery of leaked file descriptors allows re-
application level chroot-like environment, called “Safe
mote users to access sensitive log information [7]. On
Mode.” One vulnerability exposed /etc/passwd via
Mac OS X operating systems, a local find-by-content in-
posix getpwnam [5]. Another allowed attackers to write
dexing scheme creates a hidden yet world-readable file
PHP scripts to the server and then remotely execute them;
called .FBCIndex in each directory indexed. Versions
this bug persisted across multiple releases of PHP in-
of Apache released in 2002 expose this file to remote
tended as fixes [35].
clients [41]. In all cases, attackers can use knowledge
Even if a correct implementation of PHP were possi-
about local configuration and custom-written application
ble, it would still provide Web programmers with am-
code to mount more damaging attacks.
ple opportunity to introduce their own vulnerabilities. A
canonical example is that beginning PHP programmers
Buffer Overflows and Remote Code Execution. fail to check for sequences such as “..” in user input
Buffer overflows in Apache and its many modules are and therefore inadvertently allow remote access to sen-
common. Unchecked boundary conditions found re- sitive files higher up in the file system hierarchy (e.g.,
cently in mod alias and mod rewrite regular expres- ../../../etc/passwd). Similarly, PHP scripts that
sion code allow local attack [39]. In 2002, a common embed unescaped user input inside SQL queries present
Apache deployment with OpenSSL had a critical bug openings for “SQL Injection.” If a PHP programmer ne-
in client key negotiation, allowing remote attackers to glects to escape user input properly, a malicious user can
execute arbitrary code with the permissions of the Web turn a benign SELECT into a catastrophic DELETE.
server. The attacking code downloads, compiles and exe- The PHP manual does state that PHP scripts might be
cutes a program that seeks to infect other machines [36]. separated and run as different users to allow for privilege
There have been less-sophisticated attacks that re- separation. In this case, however, PHP could not run as
sulted in arbitrary remote code execution. Some Win- an Apache module, and the system would require a new
dows versions of Apache execute commands in URLs PHP process forked for every incoming connection. This
that follow pipe characters (‘|’). A remote attacker can isolation strategy is at odds with performance.
therefore issue the command of his choosing from an
unmodified Web browser [40]. On MS-DOS-based sys- 3 Design
tems, Apache failed to filter out special device names,
allowing carefully-crafted HTTP POST requests to exe- If we assume that bugs like the ones discussed above are
cute arbitrary code [43]. Other problems have occurred inevitable when building a large system, the best remedy
when site developers call Apache’s htdigest utility is to limit the effectiveness of attacks when they occur.
from within CGI scripts to manage HTTP user authen- This section presents four simple guidelines for protect-
tication [6]. ing sensitive site data in the worst-case scenario, in which
an adversary remotely gains control of a Web server and dent functionality into independent processes. An adver-
can execute arbitrary commands with the Web server’s sary who compromises a Web server can examine its in-
privileges. We also present OKWS’s design, which fol- memory data structures, which might contain soft state
lows the four security guidelines without sacrificing per- used for user session management, or possibly secret to-
formance. kens that the Web server uses to authenticate itself to its
Throughout, we assume a cluster of Web servers and database. With control of a Web server process, an ad-
database machines connected by a fast, firewalled LAN. versary might hijack an existing database connection or
Site data is cached at the Web servers and persistently establish a new one with the authentication tokens it ac-
stored on the database machines. The primary security quired. Though more unlikely, an attacker might also
goals are to prevent intrusion and to prevent unauthorized monitor and alter network traffic entering and exiting a
access to site data. compromised server.
The important security principle here is to limit the
3.1 Practical Security Guidelines types of data that a single process can access. Site de-
signers should partition their global set of site data into
(1) Server processes should be chrooted. After compro- small, self-contained subsets, and their Web server ought
mising a server process, most attackers will try to gain to align its process boundaries with this partition.
control over the entire server machine, possibly by in-
stalling “back doors,” learning local passwords or private If a Web server implements principles (1) through (4),
keys, or probing local configuration files for errors. At and if there are no critical kernel bugs, an attacker cannot
the very least, a compromised Web server should have move from vulnerable to secure parts of the system. By
no access to sensitive files or directories. Moreover, an incorporating these principles, a Web server design as-
OS-level jail ought to hide all setuid executables from sumes that processes will be compromised and therefore
the Web server, since many privilege escalation attacks prevents uncompromised processes from performing un-
require such files (examples include the ptrace and bind safe operations, even when extended by careless Web de-
attacks mentioned in [17]). Privilege escalation is pos- velopers. For example, if a server architecture denies a
sible without setuid executables but requires OS-level successful attacker access to /etc/passwd, then a pro-
bugs or race conditions that are typically rarer. grammer cannot inadvertently expose this file to remote
An adversary can still do damage without control of clients. Similarly, if a successful attacker cannot arbitrar-
the Web server machine. The configuration files, source ily access underlying databases, then even a broken Web
files, and binaries that correspond to the currently run- script cannot enable SQL injection attacks.
ning Web server contain valuable hints about how to ac-
cess important data. For instance, PHP scripts often in- 3.2 OKWS Design
clude the username and plaintext password used to gain
access to a MySQL database. OS-enforced policy ought We designed OKWS with these four principles in mind.
to hide these files from running Web servers. OKWS provides Web developers with a set of libraries
and helper processes so they can build Web services as
(2) Server processes should run as unprivileged users. independent, stand-alone processes, isolated almost en-
A compromised process running as a privileged user can tirely from the file system. The core libraries provide
do significant damage even from within a chrooted en- basic functionality for receiving HTTP requests, access-
vironment. It might bind to a well-known network port. ing data sources, composing an HTML-formatted re-
It might also interfere with other system processes, espe- sponse, responding to HTTP requests, and logging the
cially those associated with the Web server: it can trace results to disk. A process called OK launcher daemon,
their system calls or send them signals. or okld, launches custom-built services and relaunches
them should they crash. A process called OK dispatcher,
(3) Server processes should have the minimal set of
or okd, routes incoming requests to appropriate Web ser-
database access privileges necessary to perform their
vices. A helper process called pubd provides Web ser-
task. Separate processes should not have access to each
vices with limited read access to configuration files and
other’s databases. Moreover, if a Web server process re-
HTML template files stored on the local disk. Finally, a
quires only row-wise access to a table, an adversary who
dedicated logger daemon called oklogd writes log entries
compromises it should not have the authority to perform
operations over the entire table. to disk. Figure 1 summarizes these relationships.
This architecture allows custom-built Web services to
(4) A server architecture should separate indepen- meet our stated design goals:
 Our approach is to view Web server architecture as
a dependency graph, in which the nodes represent pro-
cesses, services, users, and user state. An edge (a, b) de-
notes b’s dependence on a, meaning an attacker’s ability
to compromise a implies an ability to compromise b. The
crucial design decision is thus how to establish dependen-
cies between the more abstract notions of services, users
and user states, and the more concrete notion of a pro-
cess.
Let the set S represent a Web server’s constituent ser-
vices, and assume each service accesses a private pool
of data. (Two application-level services that share data
would thus be modelled by a single “service”.) A set of
users U interacts with these services, and the interaction
between user uj and service si involves a piece of state ti,j .
If an attacker can compromise a service si , he can com-
promise state ti,j for all j; thus (si , ti,j ) is a dependency for
all j. Compromising state also compromises the corre-
sponding user, so (ti,j , uj ) is also a dependency.
Let P = {p1 , . . . , pk } be a Web server’s pool of pro-
cesses. The design decision of how to allocate processes
Figure 1: Block diagram of an OKWS site setup with three Web reduces to where the nodes in P belong on the depen-
services (svc1 , svc2 , svc3 ) and two data sources (data1 , data2 ), dency graph. In the Apache architecture [3], each pro-
one of which (data2 ) is an OKWS database proxy. cess pi in the process pool can perform the role of any
service sj . Thus, dependencies (pi , sj ) exist for all j. For
Flash [3], each process in P is associated with a particular
(1) OKWS chroots all services to a remote jail di- service: for each pi , there exists sj such that (pi , sj ) is a
rectory. Within the jail, each process has just dependency. The size of the process pool P is determined
enough access privileges to read shared libraries by the number of concurrent active HTTP sessions; each
upon startup and to dump core upon abnormal ter- process pi serves only one of these connections. Java-
mination. The services otherwise never access the based systems like the Haboob Server [44] employ only
file system and lack the privileges to do so. one process; thus P = {p1 }, and dependencies (p1 , sj )
exist for all j.
(2) Each service runs as a unique non-privileged user.
Figures 2(a)-(c) depict graphs of Apache, Flash and
(3) OKWS interposes a structured RPC interface be- Haboob hosting two services for two remote users. As-
tween the Web service and the database and uses a suming that the “dependence” relationship is transitive,
simple authentication mechanism to align the parti- and that an adversary can compromise p1 , the shaded
tion among database access methods with the parti- nodes in the graph show all other vulnerable entities.
tion among processes. This picture assumes that the process of p1 is equally
vulnerable in the different architectures and that all archi-
(4) Each Web service runs as a separate process. The tectures succeed equally in isolating different processes
next section justifies this choice. from each other. Neither of these assumptions is entirely
true, and we will return to these issues in Section 6.2.
What is clear from these graphs is that in the case of
3.3 Process Isolation Flash, a compromise of p1 does not affect states t2,1 and
Unlike the other three principles, the fourth, of pro- t2,2 . For example, an attacker who gained access to ui ’s
cess isolation, implies a security and performance trade- search history (t1,i ) cannot access the contents of his in-
off since the most secure option—one Unix process per box (t2,i ).
external user—would be problematic for performance. A more strict isolation strategy is shown in Figure 2(d).
OKWS’s approach to this tradeoff is to assign one Unix The architecture assigns a process pi to each user ui . If
process per service; we now justify this selection. the attacker is a user ui , he should only be able to compro-
 (a) Apache (b) Flash (c) Haboob (d) Strict (e) OKWS

Figure 2: Dependency graphs for various Web server architectures.

mise his own process pi , and will not have access to state 4.1 okld
belonging to other users uj . The problem with this ap-
proach is that it does not scale well. A Web server would The root process in the OKWS system is okld—the
either need to fork a new process pi for each incoming launcher daemon. This process normally runs as supe-
HTTP request or would have a large pool of mostly idle ruser but can be run as a non-privileged user for testing
processes, one for each currently active user (of which or in other cases when the Web server need not bind to
there might be tens of thousands). a privileged TCP port. When okld starts up, it reads the
configuration file /etc/okws config to determine the
OKWS does not implement the strict isolation strategy
locations of the OKWS helper processes, the anonymous
but instead associates a single process with each individ-
user ID range, which directories to use as jail directo-
ual service, shown in Figure 2(e). As a result OKWS
ries, and which services to launch. Next, okld launches
achieves the same isolation properties as Flash but with a
the logging daemon (oklogd) and the demultiplexing dae-
process pool whose size is independent of the number of
mon (okd), and chroots into its runtime jail directory. It
concurrent HTTP connections.
then launches all site-specific Web services. The steps
for launching a single service are:

4 Implementation 1. okld requests a new Unix socket connection from

oklogd.
OKWS is a portable, event-based system, written in C++
with the SFS toolkit [18]. It has been successfully tested 2. okld opens 2 socket pairs; one for HTTP connection
on Linux and FreeBSD. In OKWS, the different helper forwarding, and one for RPC control messages.
processes and site-specific services shown in Figure 1
3. okld calls fork.
communicate among themselves with SFS’s implemen-
tation of Sun RPC [32]; they communicate with exter- 4. In the child address space, okld picks a fresh
nal Web clients via HTTP. Unlike other event-based UID/GID pair (x.x), sets the new process’s group list
servers [23, 44, 47], OKWS exposes the event architec- to {x} and its UID to x. It then changes directories
ture to Web developers. into /cores/x.
To use OKWS, an administrator installs the helper bi-
naries (okld, okd, pubd and oklogd) to a standard direc- 5. Still in the child address space, okld calls execve,
tory such as /usr/local/sbin, and installs the site- launching the Web service. The new Web service
specific services to a runtime jail directory, such as process inherits three file descriptors: one for re-
/var/okws/run. The administrator should allocate two ceiving forwarded HTTP connections, one for re-
new UID/GID pairs for okd and oklogd and should also ceiving RPC control messages, and one for RPC-
reserve a contiguous user and group ID space for “anony- based request logging. Some configuration parame-
mous” services. Finally, administrators can tweak the ters in /etc/okws config are relevant to child ser-
master configuration file, /etc/okws config. Table 1 vices, and okld passes these to new children via the
summarizes the runtime configuration of OKWS. command line.
 process chroot jail run directory uid gid a known service, okd returns an HTTP 404 error. In typ-
okld /var/okws/run / root wheel
pubd /var/okws/htdocs / www www
ical settings, a small and fixed number of these services
oklogd /var/okws/log / oklogd oklogd are available—on the order of 10. The set of available
okd /var/okws/run / okd okd services is fixed once okd reads its configuration file at
svc1 /var/okws/run /cores/51001 51001 51001
svc2 /var/okws/run /cores/51002 51002 51002 launch time.
svc3 /var/okws/run /cores/51003 51003 51003
Upon startup, okd reads the OKWS configuration file
Table 1: An example configuration of OKWS. The entries in (/etc/okws config) to construct its dispatch table. It
the “run directory” column are relative to “chroot jails”. inherits two file descriptors from okld: one for logging,
and one for RPC control messages. okd then listens on
the RPC channel for okld to send it the server side of
6. In the parent address space, okld sends the server the child services’ HTTP and RPC connections (see Sec-
side of the sockets opened in Step 2 to okd. tion 4.1, Step 6). okd receives one such pair for each ser-
Upon a service’s first launch, okld assigns it a group and vice launched. The HTTP connection is the sink to which
user ID chosen arbitrarily from the given range (e.g., okd sends incoming HTTP requests from external clients
51001-51080). The service gets those same user and after successful demultiplexing. Note that okd needs ac-
group IDs in subsequent launches. It is important that no cess to oklogd to log Error 404 and Error 500 messages.
two services share a UID or GID, and okld ensures this okd also plays a role as a control message router for
invariant. The service executables themselves are owned the child services. In addition to listening for HTTP
by root, belong to the group with the anonymous GID x connections on port 80, okd also listens for internal re-
chosen in Step 4 and are set to mode 0410. quests from an administration client. It services the two
These settings allow okld to call execve after setuid RPC calls: R EPUB and R ELAUNCH. A site maintainer
but disallow a service process from changing the mode should call the former to “activate” any changes she
of its corresponding binary. okld changes the ownerships makes to HTML templates (see Section 4.4 for more de-
and permissions of service executables at launch if they tails). Upon receiving a R EPUB RPC, okd triggers a sim-
are not appropriately set. The directory used in Step 4 is ple update protocol that propagates updated templates.
the only one in the jailed file system to which the child A site maintainer should issue a R ELAUNCH RPC af-
service can write. If such a directory does not exist or ter updating a service’s binary. Upon receiving a R E -
has the wrong ownership or permissions, okld creates and LAUNCH RPC, okd simply sends an EOF to the relevant
configures it accordingly. service on its control socket. When a Web service re-
okld catches SIGCHLD when services die. Upon receiv- ceives such an EOF, it finishes responding to all pending
ing a non-zero exit status, okld changes the owner and HTTP requests, flushes its logs, and then exits cleanly.
mode of any core files left behind, rendering them inac- The launcher daemon, okld, then catches the correspond-
cessible to other OKWS processes. If a service exits un- ing SIGCHLD and restarts the service.
cleanly too many times in a given interval, okld will mark
it broken and refuse to restart it. Otherwise, okld restarts
dead services following the steps enumerated above.
4.3 oklogd
4.2 okd
All services, along with okd, log their access and error ac-
The okd process accepts incoming HTTP requests and tivity to local files via oklogd—the logger daemon. Be-
demultiplexes them based on the “Request-URI” in their cause these processes lack the privileges to write to the
first lines. For example, the HTTP/1.1 standard [11] de- same log file directly, they instead send log updates over
fines the first line of a GET request as: a local Unix domain socket. To reduce the total number
of messages, services send log updates in batches. Ser-
GET /habs pathi?hqueryi HTTP/1.1 vices flush their log buffers as they become full and at
Upon receiving such a request, okd looks up a Web ser- regularly-scheduled intervals.
vice corresponding to abs path in its dispatch table. If For security, oklogd runs as an unprivileged user in
successful, okd forwards the remote client’s file descrip- its own chroot environment. Thus, a compromised okd
tor to the requested service. If the lookup is successful or Web service cannot maliciously overwrite or truncate
but the service is marked “broken,” okd sends an HTTP log files; it would only have the ability to fill them with
500 error to the remote client. If the request did not match “noise.”
4.4 pubd abnormal termination. Also at initialization, a Web ser-
vice obtains static HTML templates and local configura-
Dynamic Web pages often contain large sections of static tion parameters from pubd. These data stay in memory
HTML code. In OKWS, such static blocks are called until a message from okd over the RPC control channel
HTML “templates”; they are stored as regular files, can
signals that the Web service should refetch. In imple-
be shared by multiple services and can include each other menting the init method, the Web developer need only
in a manner similar to Server Side Includes [4]. specify which database connections, templates and con-
OKWS services do not read templates directly from figuration files he requires.
the file system. Rather, upon startup, the publishing dae-
The process method specifies the actions required for
mon (pubd) parses and caches all required templates. It
incoming HTTP requests. In formulating replies, a Web
then ships parsed representations of the templates over
service typically accesses cached soft-state (such as user
RPC to other processes that require them. pubd runs as
session information), database-resident hard state (such
an unprivileged user, relegated to a jail directory that con-
as inbox contents), HTML templates, and configuration
tains only public HTML templates. As a security pre-
parameters. Because a Web service is implemented as a
caution, pubd never updates the files it serves, and ad-
single-threaded process, it does not require synchroniza-
ministrators should set its entire chrooted directory tree
tion mechanisms when accessing these data sources. Its
read-only (perhaps, on those platforms that support it, by
accesses to a database on behalf of all users are pipelined
mounting a read-only nullfs).
through a single asynchronous RPC channel. Similarly,
its accesses to cached data are guaranteed to be atomic
5 OKWS In Practice and can be achieved with simple lightweight data struc-
tures, without locking. By comparison, other popular
Though its design is motivated by security goals, OKWS
Web servers require some combination of mmap’ed files,
provides developers with a convenient and powerful
spin-locks, IPC synchronization, and database connec-
toolkit. Our experience suggests that OKWS is suitable
tion pooling to achieve similar results.
for building and maintaining large commercial systems.
At present, OKWS requires Web developers to pro-
gram in C++, using the same SFS event library that un-
5.1 Web Services dergirds all OKWS helper processes and core libraries.
A Web developer creates a new Web service as follows: To simplify memory management, OKWS exposes SFS’s
reference-counted garbage collection scheme and high-
1. Extends two OKWS generic classes: one that cor- level string library to the Web programmer. OKWS also
responds to a long-lived service, and one that corre- provides a C++ preprocessor that allows for Perl-style
sponds to an individual HTTP request. Implements “heredocs” and simplified template inclusion. Figure 3
the init method of the former and the process demonstrates these facilities.
method of the latter.

2. Runs the source file through OKWS’s preprocessor, 5.2 Asynchronous Database Proxies
which outputs C++ code.
OKWS provides Web developers with a generic li-
3. Compiles this C++ code into an executable, and in- brary for translating between asynchronous RPC and
stalls it in OKWS’s service jail. any given blocking client library, in a manner similar to
Flash’s helper processes [23], and “manual calling au-
4. Adds the new service to /etc/okws config. tomatic” in [1]. OKWS users can thus simply imple-
5. Restarts OKWS to launch. ment database proxies: asynchronous RPC front-ends
to standard databases, such as MySQL [21] or Berkeley
The resulting Web service is a single-threaded, event- DB [29]. Our libraries provide the illusion of a standard
driven process. asynchronous RPC dispatch routine. Internally, these
The OKWS core libraries handle the mundane me- proxies are multi-threaded and can block; the library han-
chanics of a service’s life cycle and its connections to dles synchronization and scheduling.
OKWS helper processes. At the initialization stage, Database proxies employ a small and static number of
a Web service establishes persistent connections to all worker threads and do not expand their thread pool. The
needed databases. The connections last the lifetime of intent here is simply to overlap requests to the underlying
the service and are automatically reopened in the case of data source so that it might overlap its disk accesses and
 void my_srvc_t::process ()
The application is Internet dating, and the site features a
{
str color = param["color"]; typical suite of services, including local matching, global
/*o matching, messaging, profile maintenance, site statistics,
print (resp) <<EOF; and picture browsing. Almost a million users have estab-
<html>
<head>
lished accounts on the site, and at peak times, thousands
<title>${param["title"]}</title> of users maintain active sessions. Our current implemen-
</head> tation uses 34 Web services and 12 database proxies.
EOF
include (resp, "/body.html",
We have found the system to be usable, stable and
{ COLOR => ${color}}); well-performing. In the absence of database bottle-
o*/ necks or latency from serving advertisements, OKWS
output (resp); feels very responsive to the end user. Even those
}
pages that require iterative computations—like match
Figure 3: Fragment of a Web service programmed in OKWS. computations—load instantaneously.
The remote client supplies the title and color of the page via Our Web cluster currently consists of four load bal-
standard CGI-style parameter passing. The runtime templating anced OKWS Web server machines, two read-only cache
system substitutes the user’s choice of color for the token COLOR servers, and two read-write database servers, all with dual
in the template /body.html. The variable my svc t::resp
Pentium 4 processors. We use multiple OKWS machines
represents a buffer that collects the body of the HTTP re-
only for redundancy; one machine can handle peak loads
sponse and then is flushed to the client via output(). With
the FilterCGI flag set, OKWS filters all dangerous metachar- (about 200 requests per second) at about 7% CPU uti-
acters from the param associative array. lization, even as it gzips most responses. A previous in-
carnation of this Web site required six ModPerl/Apache
servers [20] to accommodate less traffic. It ultimately
benefit from disk arm scheduling. was abandoned due to insufficient software tools and pro-
Database proxies ought to run on the database ma- hibitive hardware and hosting expenses [30].
chines themselves. Such a configuration allows the site
administrator to “lock down” a socket-based database
server, so that only local processes can execute arbitrary 5.4 Separating Static From Dynamic
database commands. All other machines in the cluster—
such as the Web server machines—only see the struc- OKWS relies on other machines running standard Web
tured, and thus restricted, RPC interface exposed by the servers to distribute static content. This means that all
database proxy. pages generated by OKWS should have only absolute
Finally, database proxies employ a simple mechanism links to external static content (such as images and style
for authenticating Web services. After a Web service sheets), and OKWS has no reason to support keep-alive
connects to a database proxy, it supplies a 20-byte au- connections [11]. The servers that host static content for
thentication token in a login message. The database OKWS, however, can enable HTTP keep-alive as usual.
proxy then grants the Web service permission to access We note that serving static and dynamic content from
a set of RPCs based on the supplied authentication token. different machines is already a common technique for
To facilitate development of OKWS database prox- performance reasons; administrators choose different
ies, we wrapped MySQL’s standard C library in an in- hardware and software configurations for the two types
terface more suitable for use with SFS’s libraries. We of workloads. Moreover, static content service does not
model our MySQL interface after the popular Perl DBI require access to sensitive site data and can therefore hap-
interface [24] and likewise transparently support both pen outside of a firewalled cluster, or perhaps at a differ-
parsed and prepared SQL styles. Figure 4 shows a simple ent hosting facility altogether. Indeed, some sites push
database proxy built with this library. static content out to external distribution networks such
as Akamai [2].
5.3 Real-World Experience In our commercial deployment, we host a cluster of
OKWS and database machines at a local colocation facil-
The author and two other programmers built a commer- ity; we require hands-on hardware access and a network
cial Web site using the OKWS system in six months [22]. configured for our application. We serve static content
We were assisted by two designers who knew little C++ from leased, dedicated servers at a remote facility where
but made effective use of the HTML templating system. bandwidth is significantly cheaper.
 struct user_xdr_t {
systems alone can guarantee. For instance, on PHP
string name<30>;
int age; systems, a particular service might only have SELECT
}; permissions to a database’s USERS table. But with
control of the PHP server, an attacker could still issue
// can only occur at initialization time
q = mysql->prepare (
commands like SELECT * FROM USERS. With OKWS,
"SELECT age,name FROM tab WHERE id=?"); if the RPC protocol restricts access to row-wise queries
and the keyspace of the table is sparse, the attacker has
id = 1; // get ID from client significantly more difficulty “mining” the database.1
user_xdr_t u;
stmt = q->execute (id); // might block! OKWS’s separation of code and privileges further lim-
stmt->fetch (&u.age, &u.name); its attacks. If a particular service is compromised, it can
reply (u); establish a new connection to a remote RPC database
Figure 4: Example of database proxy code with MySQL wrap-
proxy; however, because the service has no access to
per library. In this case, the Web developer is loading SQL source code, binaries, or ptraces of other services, it
results directly into an RPC XDR structure. knows no authentication tokens aside from its own.
Finally, OKWS database libraries provide runtime
checks to ensure that SQL queries can be prepared only
6 Security Discussion when a proxy starts up, and that all parameters passed to
queries are appropriately escaped. This check insulates
In this section we discuss OKWS’s security benefits and sloppy programmers from the “SQL injection” attacks
shortcomings. mentioned in Section 2.2. We expect future versions of
OKWS to enforce the same invariants at compile time.
6.1 Security Benefits
(4) Process Isolation and Privilege Separation. OKWS
(1) The Local Filesystem. An OKWS service has almost is careful to separate the traditionally “buggy” aspects of
no access to the file system when execution reaches Web servers from the most sensitive areas of the system.
custom code. If compromised, a service has write access In particular, those processes that do the majority of
to its coredump directory and can read from OKWS HTTP parsing (the OKWS services) have the fewest
shared libraries. Otherwise, it cannot access setuid privileges. By the same logic, okld, which runs as
executables, the binaries of other OKWS services, or superuser, does no message parsing; it responds only
core dumps left behind by crashed OKWS processes. It to signals. For the other helper processes, we believe
cannot overwrite HTTP logs or HTML templates. Other the RPC communication channels to be less error-prone
OKWS services such as oklogd and pubd have more than standard HTTP messaging and unlikely to allow
privileges, enabling them to write to and read from the intruders to traverse process boundaries.
file system, respectively. However, as OKWS matures, Process isolation also limits the scope of those DoS
these helpers should not present security risks since they attacks that exploit bugs in site-specific logic. Since
do not run site-specific code. the operating system sets per-process limits on resources
such as file descriptors and memory, DoS vulnerabilities
(2) Other Operating System Privileges. Because should not spread across process boundaries. We could
OKWS runs logically separate processes under different make stronger DoS guarantees by adapting “defensive
user IDs, compromised processes (with the exception programming” techniques [26]. Qie et al. suggest com-
of okld) do not have the ability to kill or ptrace other piling rate-control mechanisms into network services, for
running processes. Similarly, no process save for okld dynamic prevention of DoS attacks. Their system is
can bind to privileged ports. applicable within OKWS’s architecture, which relegates
each service to a single address space. The same cannot
(3) Database Access. As described, all database be said for those systems that spread equivalent function-
access in OKWS is achieved through RPC channels, ality across multiple address spaces.
using independent authentication mechanisms. As a
result, an attacker who gains control of an OKWS web
service can only interact with the database in a manner 6.2 Security Shortcomings
specified by the RPC protocol declaration; he does
not have generic SQL client access. Note that this is The current implementation of OKWS supports only
a stronger restriction than simple database permission C++ for service development. OKWS programmers
 <html><head><title>Test Result</title></head>
that better models serving dynamic content in real-world
<body>
<? deployments, which we call the null service benchmark.
$db = mysql_pconnect("okdb.lcs.mit.edu"); For each of the platforms tested, we implemented a null
mysql_select_db("testdb", $db); service, which takes an integer input from a client, makes
$id = $HTTP_GET_VARS["id"];
$qry = "SELECT x,y FROM tab WHERE x=$id";
a database SELECT on the basis of that input, and returns
$result = mysql_query("$qry", $db); the result in a short HTML response (see Figure 5). Test
$myrow = mysql_fetch_row($result); clients make one request per connection: they connect to
print("QRY $id $myrow[0] $myrow[1]\n"); the server, supply a randomly chosen query, receive the
?>
</body>
server’s response, and then disconnect.
</html>
Figure 5: PHP version of the null service 7.2 Experimental Setup
All Web servers tested use a large database table filled
should use the provided “safe” strings classes when gen- with sequential integer keys and their 20-byte SHA-1
erating HTML output, and they should use only auto- hashes [12]. We constrained our client to query only the
generated RPC stubs for network communication; how- first 1,000,000 rows of this table, so that the database
ever, OKWS does not prohibit programmers from us- could store the entire dataset in memory. Our database
ing unsafe programming techniques and can therefore was MySQL version 4.0.16.
be made more susceptible to buffer overruns and stack- All experiments used four FreeBSD 4.8 machines. The
smashing attacks. Future versions of OKWS might make Web server and database machines were uniprocessor
these attacks less likely by supporting higher-level pro- 2.4GHz and 2.6GHz Pentium 4s respectively, each with
gramming languages such as Python or Perl. 1GB of RAM. Our two client machines ran Dual 3.0GHz
Another shortcoming of OKWS is that an adversary Pentium 4s with 2GB of RAM. All machines were con-
who compromises an OKWS service can gain access to nected via fast Ethernet, and there was no network con-
in-memory state belonging to other users. Developers gestion during our experiments. Ping times between the
might protect against this attack by encrypting cache en- clients and the Web server measured around 250 µs, and
tries with a private key stored in an HTTP cookie on the ping times between the Web server and database machine
client’s machine. Encryption cannot protect against an measured about 150 µs.
adversary who can compromise and passively monitor a We implemented our test client using the OKWS li-
Web server. braries and the SFS toolkit. There was no resource strain
Finally, independent aspects of the system might be on the client machines during our tests.
vulnerable due to a common bug in the core libraries.
7.3 OKWS Process Pool Tests
7 Performance Evaluation
We experimentally validated OKWS’s frugal process
In designing OKWS we decided to limit its process pool allocation strategy by showing that the alternative—
to a small and fixed size. In our evaluation, we tested running many processes per service—performs worse.
the hypothesis that this decision has a positive impact We thus configured OKWS to run a single service as a
on performance, examining OKWS’s performance as a variable number of processes, and collected throughput
function of the number of active service processes. We measurements (in requests per second) over the different
also present and test the claim that OKWS can achieve configurations. The test client was configured to simu-
high throughputs relative to other Web servers because late either 500, 1,000 or 2,000 concurrent remote clients
of its smaller process pool and its specialization for dy- in the different runs of the experiment.
namic content. Figure 6 summarizes the results of this experiment as
the number of processes varied between 1 and 450. We
7.1 Testing Methodology attribute the general decline in performance to increased
context-switching, as shown in Figure 7. In the single-
Performance testing on Web servers usually involves the process configuration, the operating system must switch
SPECweb99 benchmark [31], but this benchmark is not between the null service and okd, the demultiplexing dae-
well-suited for dynamic Web servers that disable Keep- mon. In this configuration, higher client concurrency im-
Alive connections and redirect to other machines for plies fewer switches, since both okd and the null service
static content. We therefore devised a simple benchmark have more outstanding requests to service before calling
 10000
2500

context switches per second

9000
2400
requests per second

2300 8000

2200 7000
2100 6000
2000 5000
1900 500 clients 500 clients
1000 clients 4000 1000 clients
1800 2000 clients 2000 clients
3000
1 10 100 1 10 100
number of processes (log scale) number of processes (log scale)
Figure 6: Throughputs achieved in the process pool test Figure 7: Context switching in the process pool test

3500 Haboob
sleep. This effect quickly disappears as the server dis- Flash
3000 Apache+PHP
tributes requests over more processes. As their numbers OKWS

requests per second

grow, each process has, on average, fewer requests to 2500
service per unit of time, and therefore calls sleep sooner
2000
within its CPU slice.
The process pool test supports our hypothesis that a 1500
Web server will consume more computational resources 1000
as its process pool grows. Although the experiments
500
completed without putting memory pressure on the op-
0
erating system, memory is more scarce in real deploy- 200 500 1000 1500 2000
ments. The null service requires about 1.5MB of core concurrent clients
memory, but our experience shows real OKWS service Figure 8: Throughputs for the single-service test
processes have memory footprints of at least 4MB, and
hence we expect memory to limit server pool size. More-
correspondence between processes and services.
over, in real deployments there is less memory to waste
We enabled HTTP access logging on all systems with
on code text, since in-memory caches on the Web ser-
the exception of Haboob, which does not support it. All
vices are crucial to good site performance and should be
systems used persistent database connections.
allowed to grow as big as possible.
7.4.1 Single-Service Workload
7.4 Web Server Comparison
In the single-service workload, clients with negligible la-
The other Web servers mentioned in Section 3.3— tency request a dynamically generated response from the
Haboob, Flash and Apache—are primarily intended for null service. This test entails the minimal number of ser-
serving static Web pages. Because we have designed vice processes for OKWS and Flash and therefore should
and tuned OKWS for an entirely dynamic workload, we allow them to exhibit maximal throughput. By contrast,
hypothesize that when servicing such workloads, it per- Apache and Haboob’s process pools do not vary in size
forms better than its more general-purpose peers. Our with the number of available services. We examined the
experiments in this section test this hypothesis. throughput (Figure 8) and responsiveness (Figure 9) of
Haboob is Java-based, and we compiled and ran it with the four systems as client concurrency increased. Fig-
FreeBSD’s native JDK, version 1.3. We tested Flash ure 10 shows the cumulative distribution of client laten-
v0.1a, built with FD SETSIZE set high so that Flash re- cies when 1,600 were active concurrently.
ported an ability to service 5116 simultaneous connec- Of the four Web servers tested, Haboob spent the most
tions. Also tested was Apache version 2.0.47 compiled CPU time in user mode and performed the slowest. A
with multi-threading support and running PHP version likely cause is the sluggishness of Java 1.3’s memory
4.3.3 as a dynamic shared object. We configured Apache management.
to handle up to 2000 concurrent connections. We ran When servicing a small number of concurrent clients,
OKWS in its standard configuration, with a one-to-one the Flash system outperforms the others; however, its per-
formance does not scale well. We attribute this degrada- 3
Haboob
tion to Flash’s CGI model: because custom-written Flash Flash
2.5

median latency in seconds

helper processes have only one thread of control, each Apache+PHP
OKWS
instantiation of a helper process can handle only one ex- 2
ternal client. Thus, Flash requires a separate helper pro-
cess for each external client served. At high concurrency 1.5
levels, we noted a large number of running processes (on
1
the order of 2000) and general resource starvation. Flash
also puts additional strain on the database, demanding 0.5
one active connection per helper—thousands in total. A
database pooling system might mitigate this negative per- 0
200 500 1000 1500 2000
formance impact. Flash’s results were noisy in general, concurrent clients
and we can best explain the observed non-monotonicity Figure 9: Median Latencies
as inconsistent operating system (and database) behavior
under heavy strain. 1
Apache achieves 37% of OKWS’s throughput on aver-
age. Its process pool is bigger and hence requires more 0.8
frequent context switching. When servicing 1,000 con-
current clients, Apache runs around 450 processes, and

percentile
0.6
context switches about 7500 times a second. We suspect
that Apache starts queuing requests unfairly above 1,000
0.4
concurrent connections, as suggested by the plateau in
Figure 9 and the long tail in Figure 10. Haboob
0.2 Flash
In our configuration, PHP makes frequent calls to the Apache+PHP
sigprocmask system call to serialize database accesses OKWS
among kernel threads within a process. In addition, 0
0.1 1 10 100
Apache makes frequent (and unnecessary) file system ac- latency in seconds (log scale)
cesses, which though serviced from the buffer cache still Figure 10: Client latencies for 1,600 concurrent clients
entail system call overhead. OKWS can achieve faster
performance because of a smaller process pool and fewer
system calls. by 23%. We observed that for this workload, Flash re-
quires even more service processes, and at times over
2,500 were running. When we switched from the single-
7.4.2 Many-Service Workload
service to the many-service configuration, the number of
In attempt to model a more realistic workload, we inves- OKWS service processes increased from 1 to 10. The
tigated Web servers running more services, serving more results from Figure 6 show this change has little im-
data, as experienced by clients over the WAN. We modi- pact on throughput. We can better explain OKWS’s di-
fied our null services to send out an additional 3000 bytes minished performance by arguing that larger HTTP re-
of text with every reply (larger responses would have sat- sponses result in more data shuffling in user mode and
urated the Web server’s access link in some cases). We more pressure on the networking stack in kernel mode.
made 10 uniquely-named copies of the new null service, The same explanation applies for Apache, which experi-
convincing the Web servers that they were serving 10 dis- enced a similar performance degradation.
tinct services. Finally, our clients were modified to pause
an average of 75 ms between establishing a connection 8 Related work
and sending an HTTP request. We ran the experiment
from 200 to 2000 simultaneous clients, and observed a Apache’s [3] many configuration options and modules al-
graph similar in shape to Figure 8. low Web programmers to extend its functionality with
Achieved throughputs are shown in Table 2 and are a variety of different programming languages. How-
compared to the results observed in the single-service ever, neither 1.3.x’s multi-process architecture nor 2.0.x’s
workload. Haboob’s performance degrades most notably, multi-threaded architecture is conducive to process isola-
probably because the many-service workload demands tion. Also, its extensibility and mushrooming code base
more memory allocations. Flash’s throughput decreases make its security properties difficult to reason about.
 Haboob Apache Flash OKWS opers to write Web services in C++ and uses some of the
1 Service 490 895 1,590 2,401 same sandboxing schemes we use here to achieve fault
10 Services 225 760 1,232 2,089 isolation. In more commercial settings, Java-based sys-
Change −54.0% −15.1% −22.5% −13.0% tems often favor thin Web servers, pushing more critical
tasks to application servers such as JBoss [15] and IBM
Table 2: Average throughputs in connections per second WebSphere [14]. Such systems limit a Web server’s ac-
cess to underlying databases in much the same way as
OKWS’s database proxies. Most Java systems, however,
Highly-optimized event-based Web servers such as
package all aspects of a system in one address space with
Flash [23] and Zeus [47] have eclipsed Apache in terms
many threads; our model for isolation would not extend
of performance. While Flash in particular has a history of
to such a setting. Furthermore, our experimental results
outstanding performance serving static content, our per-
indicate significant performance advantages of compiled
formance studies here indicate that its architecture is less
C++ code over Java systems.
suitable for dynamic content. In terms of process isola-
Other work has proposed changes to underlying oper-
tion, one could most likely implement a similar separa-
ating systems to make Web servers fast and more secure.
tion of privileges in Flash as we have done with OKWS.
The Exokernel operating system [16] allows its Cheetah
FastCGI [10] is a standard for implementing long-lived
Web server to directly access the TCP/IP stack, in order
CGI-like helper processes. It allows separation of func-
to reduce buffer copies allow for more effective caching.
tionality along process boundaries but neither articulates
The Denali isolation kernel [45] can isolate Web services
a specific security policy nor specifies the mechanics for
by running them on separate virtual machines.
maintaining process isolation in the face of partial server
compromise. Also, FastCGI requires the leader process
to relay messages between the Web service and the re- 9 Summary and Future Work
mote client. OKWS passes file descriptors to avoid the
overhead associated with FastCGI’s relay technique. OKWS is a toolkit for serving dynamic Web content, and
The Haboob server studied here is one of many possi- its architecture fits naturally into a compelling security
ble applications built on SEDA, an architecture for event- model. The system’s separation of processes provides
based network servers. In particular, SEDA uses serial reasonable assurances that vulnerabilities in one aspect
event queues to enforce fairness and graceful degrada- of the system do not metastasize. The performance re-
tion under heavy load. Larger systems such as Ninja [33] sults we have seen are encouraging: OKWS derives sig-
build on SEDA’s infrastructure to create clusters of Web nificant speedups from a small and fixed process pool,
servers with the same appealing properties. lightweight synchronization mechanisms, and avoidance
Other work has used the SFS toolkit to build static of unnecessary system calls. In the future, we plan to
Web Servers and Web proxies [46]. Though the current experiment with high-level language support and better
OKWS architecture is well-suited for SMP machines, the resilience to DoS attacks. Independent of future improve-
adoption of libasync-mp would allow for finer-grained ments, OKWS is stable and practical, and we have used
sharing of a Web workload across many CPUs. it to develop a popular commercial product.
OKWS uses events but the same results are possible
with an appropriate threads library. An expansive body Acknowledgments
of literature argues the merits of one scheme over the
other, and most recently, Capriccio’s authors [34] argue I am indebted to David Mazières for his help through-
that threads can achieve the same performance as events out the project, and to my advisor Frans Kaashoek for
in the context of Web servers, while providing program- help in preparing this paper. Michael Walfish signif-
mers with a more intuitive interface. Other recent work icantly improved this paper’s writing and presentation.
suggests that threads and events can coexist [1]. Such My shepherd Eddie Kohler suggested many important
techniques, if applied to OKWS, would simplify stack improvements, Robert Morris and Russ Cox assisted in
management for Web developers. debugging, and the anonymous reviewers provided in-
In addition to the PHP [25] scripting language investi- sightful comments. I thank the programmers, design-
gated here, many other Web development environments ers and others at OkCupid.com—Patrick Crosby, Jason
are in widespread use. Zope [48], a Python-based plat- Yung, Chris Coyne, Christian Rudder and Sam Yagan—
form, has gained popularity due to its modularity and for adopting and improving OKWS, and Jeremy Stribling
support for remote collaboration. CSE [13] allows devel- and Sarah Friedberg for proofreading. This research was
supported in part by the DARPA Composable High As- [25] PHP: Hypertext processor. http://www.php.net.
surance Trusted Systems program (BAA #01-24), under [26] X. Qie, R. Pang, and L. Peterson. Defensive programming:
Using an annotation toolkit to build DoS-resistant software. In
contract #N66001-01-1-8927. 5th Symposium on Operating Systems Design and
Implementation (OSDI ’02), Boston, MA, October 2002.
USENIX.
Availability [27] J. H. Saltzer and M. D. Schroeder. The protection of information
in computer systems. In Proceedings of the IEEE, volume 63,
OKWS is available under an open source license at 1975.
www.okws.org. [28] SecurityFocus. http://www.securityfocus.com.
[29] Sleepycat Software. http://www.sleepycat.com.
[30] The SparkMatch service. Previously available at
References http://www.thespark.com.
[1] A. Adya, J. Howell, M. Theimer, W. J. Bolosky, and J. R. [31] Standard performance evaluation corporation. the specweb99
Douceur. Cooperative task management without manual stack benchmark. http://www.spec99.org/osg/web99/.
management or, event-driven programming is not the opposite of [32] R. Srinivasan. RPC: Remote procedure call protocol
threaded programming. In Proceedings of the 2002 USENIX, specification version 2. RFC 1831, Network Working Group,
Monterey, CA, June 2002. USENIX. August 1995.
[2] Akamai Technologies, Inc. http://www.akamai.com. [33] J. R. van Berhen, E. A. Brewer, N. Borisova, M. C.
[3] The Apache Software Foundation. http://www.apache.org. an Matt Welsh, J. MacDonald, J. Lau, S. Gribble, and D. Culler.
[4] Apache Tutorial: Introduction to Server Side Includes. Ninja: A framework for network services. In Proceedings of the
http://httpd.apache.org/docs/howto/ssi.html. 2002 USENIX, Monterey, CA, June 2002. USENIX.
[5] Bugtraq ID 4606. SecurityFocus. [34] R. von Behren, J. Condit, F. Zhou, G. C. Necula, and E. Brewer.
http://www.securityfocus.com/bid/4606/info/. Capriccio: scalable threads for internet services. In Proceedings
[6] Bugtraq ID 5993. SecurityFocus. of the 19th ACM Symposium on Operating Systems Principles,
http://www.securityfocus.com/bid/5993/info/. Bolton Landing, NY, October 2003. ACM.
[7] Bugtraq ID 7255. SecurityFocus. [35] Vulnerability CAN-2001-1246. SecurityFocus.
http://www.securityfocus.com/bid/7255/info/. http://www.securityfocus.com/bid/2954/info/.
[8] Bugtraq ID 8138. SecurityFocus. [36] Vulnerability CAN-2002-0656. SecurityFocus.
http://www.securityfocus.com/bid/8138/info/. http://www.securityfocus.com/bid/5363/info/.
[9] CERT R Coordination Center. http://www.cert.org. [37] Vulnerability CAN-2003-0132. SecurityFocus.
[10] Open Market. Fastcgi. http://www.fastcgi.com. http://www.securityfocus.com/bid/7254/info/.
[11] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, [38] Vulnerability CAN-2003-0253.
P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol — http://www.securityfocus.com/bid/8137/info/.
HTTP/1.1. Internet Network Working Group RFC 2616, 1999. [39] Vulnerability CAN-2003-0542. SecurityFocus.
[12] FIPS 180-1. Secure Hash Standard. U.S. Department of http://www.securityfocus.com/bid/8911/info/.
Commerce/N.I.S.T., National Technical Information Service, [40] Vulnerability CVE-2002-0061. SecurityFocus.
Springfield, VA, April 1995. http://www.securityfocus.com/bid/4435/info/.
[13] T. Gchwind and B. A. Schmit. CSE — a C++ servlet [41] Vulnerability Note VU117243. CERT.
environment for high-performance web applications. In http://www.kb.cert.org/vuls/id/910713.
Proceedings of the FREENIX Track: 2003 USENIX Technical [42] Vulnerability Note VU91073. CERT.
Conference, San Antonio, TX, 2003. USENIX. http://www.kb.cert.org/vuls/id/910713.
[14] IBM corporation. IBM websphere application server. [43] Vulnerability Note VU979793. CERT.
http://www.ibm.com. http://www.kb.cert.org/vuls/id/979793.
[15] JBoss Group. http://www.jboss.org. [44] M. Welsh, D. Culler, and E. Brewer. SEDA: An architecture for
[16] M. F. Kaashoek, D. R. Engler, G. R. Ganger, H. M. Briceño, well-conditioned, scalable internet services. In Proceedings of
R. Hunt, D. Mazières, T. Pinckney, R. Grimm, J. Jannotti, and the 18th ACM Symposium on Operating Systems Principles,
K. Mackenzie. Application performance and flexibility on Chateau Lake Louise, Banff, Canada, October 2001. ACM.
exokernel systems. In Proceedings of the 16th ACM Symposium [45] A. Whitaker, M. Shaw, and S. D. Gribble. Scale and
on Operating Systems Principles, Saint-Malo, France, October performance in the denali isolation kernel. In 5th Symposium on
1997. ACM. Operating Systems Design and Implementation (OSDI ’02),
[17] S. T. King and P. M. Chen. Backtracking intrusions. In Boston, MA, October 2002. USENIX.
Proceedings of the 19th ACM Symposium on Operating Systems [46] N. Zeldovich, A. Yip, F. Dabek, R. Morris, D. Mazières, and
Principles, Bolton Landing, NY, October 2003. ACM. F. Kaashoek. Multiprocessor support for event-driven programs.
[18] D. Mazières. A toolkit for user-level file systems. In In Proceedings of the 2003 USENIX, San Antonio, TX, June
Proceedings of the 2001 USENIX. USENIX, June 2001. 2003. USENIX.
[19] Microsoft Corporation. IIS. http://www.microsoft.com/ [47] Zeus Technology Limited. Zeus Web Server.
windowsserver2003/iis/default.mspx. http://www.zeus.co.uk.
[20] mod perl. http://perl.apache.org. [48] The Zope Corporation. http://www.zope.org.
[21] MySQL. http://www.mysql.com.
[22] OkCupid.com. http://www.okcupid.com. Notes
[23] V. S. Pai, P. Druschel, and W. Zwaenepoel. Flash: An efficient
and portable Web server. In Proceedings of the 1999 USENIX, 1 Similar security properties are possible with a standard Web server
Monterey, CA, June 1999. USENIX. and a database that supports stored procedures, views, and roles.
[24] Perl DBI. http://dbi.perl.org.