Return to search

Single-Use Servers: A Generalized Design for Eliminating the Confused Deputy Problem in Networked Services

Internet application servers are currently designed to maximize resource efficiency by servicing many thousands of users that may fall within disparate privilege classes. Pooling users into a shared execution context in this way enables adversaries not only to laterally propagate attacks against other clients, but also to use the application server as a "confused deputy" to gain escalated privileges against sensitive backend data. In this work, we present the Single-use Server (SuS) model, which detects and defeats these attacks by separating users into isolated, containerized application servers with tailored backend permissions. In this model, exploited servers no longer have unfettered access to the backend data or other users. We create a prototype implementation of the SuS model for the WordPress content management system and demonstrate our model's ability to neutralize real-world exploits against vulnerable WordPress versions. We find that the SuS model achieves a high level of security while minimizing the amount of code modification required for porting an application server. In our performance evaluation, we find that the CPU and latency overheads of the SuS model are very low, and memory consumption scales linearly. We generalize the SuS model to be applicable to a wide range of application server and backend resource pairs. With our modularized codebase, we port IMAP, a widely-used mail retrieval protocol, to the SuS model and find that doing so requires minimal effort.

Identiferoai:union.ndltd.org:wpi.edu/oai:digitalcommons.wpi.edu:etd-theses-2396
Date11 May 2020
CreatorsLanson, Julian P.
ContributorsCraig A. Shue, Advisor
PublisherDigital WPI
Source SetsWorcester Polytechnic Institute
Detected LanguageEnglish
Typetext
Formatapplication/pdf
SourceMasters Theses (All Theses, All Years)

Page generated in 0.0026 seconds