US20140068786A1 - Securing Operating System/Web Server Systems and Methods - Google Patents
- Publication number: US20140068786A1 (application US14/073,290)
- Authority: US (United States)
- Prior art keywords
- administrative
- jails
- executive
- user
- jail
- Prior art date
- Legal status: Abandoned (the status listed by Google is an assumption, not a legal conclusion)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- Malicious users can represent not just a nuisance but an outright threat to the well-being of many companies. More specifically, companies (and for that matter any organization) that rely on the Internet or other wide area networks to communicate with their customers, vendors, government agencies, employers, etc. stand vulnerable to a vast variety of hacking related threats. For instance, take a company that has a web site hosted on a third party web server. If a malicious user evades the security measures protecting the application, that malicious user (colloquially termed a “hacker”) can harm, steal, copy, delete, etc. sensitive files, applications, and other information associated with the web site, the users of the web site, and/or the company.
- Malware or other harmful code can be executed on hosted web sites.
- CSRF: cross site request forgery
- LFI/RFI: local/remote file inclusion
- SQL: structured query logic
- The malicious user's imagination is the only thing limiting the damage likely from such attacks, and this is even more so the case if that malicious user somehow obtains the administrative rights of the underlying operating system. In such cases the malicious user could do severe damage and even cover their tracks (by, for instance, erasing or altering security related audit trails).
- Once having misappropriated administrative rights, malicious users sometimes install and/or modify system binaries to install rootkits. By doing so they create backdoors into the compromised system that allow them to maintain access to it despite corrective measures geared toward the more apparent harm that they might have caused.
- One consequence of these types of breaches is that the malicious user can modify the web application to log or copy passwords or other personally or financially sensitive information for subsequent misuse.
- Malicious users might also cause a hosted web site (or other system) to generate voluminous outbound traffic (for instance, spam), much of which often carries malicious software itself. In this latter case the hosted system becomes a "zombie" or "bot", denying or limiting its usefulness to the owner/operator.
- FIG. 1 illustrates a system of some embodiments.
- FIG. 2 illustrates a stack of some embodiments.
- FIG. 3 illustrates a flow chart of a method for setting up an operating system and/or web server.
- FIG. 4 illustrates a flow chart of a method associated with an executive jail.
- FIG. 5 illustrates a flow chart of a method associated with an administrative jail.
- FIG. 6 illustrates cross mounted configuration files.
- This document discloses systems, apparatus, methods, etc. for securing operating systems, web servers, etc. and, more specifically, systems, apparatus, methods, etc. for securing operating systems and/or web servers by creating administrative jails and executive jails from their parent operating systems, mounting user applications from the parent operating system into the administrative jails, and cross mounting them into the executive jails.
- FIG. 1 illustrates system 100, a portion of the Internet 102, various non administrative users 104, a malicious user 106, a user firewall 108, one or more conventional hosts 110, a host 112 of the current embodiment, a network and/or host firewall 114, a "man in the middle" 116, conventional communications 118, and communications 120 in accordance with the current embodiment.
- FIG. 1 illustrates that the host 112 of the current embodiment includes a plurality of executive jails 122, administrative jails 124, and application databases 125. In the current embodiment the host 112 also generates certain monitoring data (syslog data 130) and compliance/auditing reports 134, and hosts various user applications 140.
- The user applications 140 and associated application databases 125 provide some functionality for various non administrative users 104.
- Administrative users (not shown) associated therewith have responsibility for these user applications 140, application databases 125, and the sought after functionality.
- These user applications 140 reside in or execute in the hosts 110 and/or 112.
- If the user applications 140 (or application databases 125) become vulnerable to malicious activities, the subsequent actions of the user applications 140 can harm, or enable harm to, conventional hosts 110.
- These user applications 140 themselves represent a source of vulnerability.
- Users often desire to use these user applications 140 on hosts 110 and 112 that are readily accessible to all.
- Non administrative users 104 also usually desire to use the Internet 102 (or some other wide area network (WAN)) to connect their computing and communications devices to various hosts 110 using conventional communications 118 to conduct business, exchange information, etc. with other users. They often perform such actions via the user applications 140 and application databases 125. As such, these non administrative users 104 want their interactions with the hosts 110 and 112 to be secure.
- Various man in the middle 116 and other malicious users 106 interfere with, intercept, and/or misdirect conventional communications 118 and/or otherwise hack into conventional hosts 110 with their own computing and communication devices.
- These malicious users 106 often persist in their attacks and often use sophisticated, even clever, techniques while attempting to fulfill their purposes. Furthermore, they often wish to remain anonymous, with their activities going undetected whenever they can arrange for such circumstances.
- Systems 100 often employ user firewalls 108 associated with the computing devices that the non administrative users 104 use to communicate over the Internet 102.
- Various conventional hosts 110 also employ network and/or host firewalls 114 at the hosts 112, web servers, and other locations within system 100.
- These firewalls 108 and 114 and other conventional security hardware, software, firmware, techniques, technologies, etc. attempt to detect, identify, and/or eliminate hacking threats from the malicious users 106.
- Conventional hosts 110 (and the often sensitive information, user applications 140, web sites, etc. which they contain or host) nevertheless remain vulnerable to malicious users 106 because the user application 140 is itself vulnerable.
- Embodiments provide hosts 112 which employ executive jails 122 and administrative jails 124 to handle the communications 120 between the non administrative users 104 and the user applications 140 residing in the hosts 112, and to execute the user applications 140 themselves.
- Hosts 112 allow non administrative users 104 to access executive jails 122 and perform operations with the application databases 125 and/or user applications 140. Should read/write operations in the hosts 112 be desired or caused by activities of the non administrative users 104, the hosts 112 operate in such a manner that these read/write operations occur within the contexts associated with the executive jails 122, the administrative jails 124, user applications 140, and/or the application databases 125.
- Only in limited circumstances will the hosts 112 allow a write operation to themselves, their system disk, or their underlying operating system. That is, system disk writes typically occur only with the consent and cooperation of the host administrative user 129. In most situations write operations are only permitted to the application databases 125 (for non administrative users 104, through the user applications 140) and to the programming, coding, or other administrative features of the user applications 140 (for administrative users).
- When the host 112 is a web server hosting a particular web site and/or user applications 140, the host associates an administrative jail 124 and a corresponding executive jail 122 with that web site.
- Host 112, acting as a parent operating system, maintains two copies of the web server or other user applications 140, with one residing in the administrative jail 124 and the other executing (or being executable) in the executive jail 122. These two copies are typically mirror copies of each other except for 1) the difference(s) between and/or caused by the configuration files mounted in the administrative jail 124 and those cross mounted into the executive jail 122, and 2) changes which the administrative user might be making to the administrative copy.
- Typical non administrative users 104 without administrative privileges to the web site interact with the web site via the executive jail 122.
- Administrative users (with administrative rights to the web site, its underlying user applications 140, information, etc.) interact with the web site via the administrative jail 124.
- This bifurcation of the web site and/or other features of the current disclosure prevents man in the middle 116 and other malicious users 106 from performing many known hacking techniques on hosts 112 of embodiments and their contents, resources, etc. More specifically, the host 110 separates them at the network or host firewall 114 so that administrative users are white listed via their IP address, via a virtual private network (VPN), or both, so that the host 110 can identify them as such.
- VPN virtual private network
- Embodiments allow the hosts 112 to isolate such activities within the appropriate jails 122 and 124. Actions that should occur in one jail 122/124 but that do occur within the other jail 124/122 can therefore trigger an investigation and/or corrective action by the hosts 112.
- FIG. 1 illustrates that the host administrative user 129 of embodiments can oversee and/or monitor the operation of the host 112 and/or the stack of protocols, techniques, entities, etc. associated therewith. More specifically, the host administrative user 129 can monitor the operation of the executive jails 122, the administrative jails 124, the users (with and without administrative privileges), malicious users 106, and other aspects of the system 100 in general and, more specifically, the hosts 112.
- The host administrative user 129 is not necessarily a user in the sense of a non administrative user 104 or an administrative user with responsibility for running one (or some subset) of the user applications 140 and/or web sites on the host 112.
- The host administrative user 129 could access an executive jail 122 as a non administrative user 104 (and, therefore, without privileges) to assess how the host 112 appears to be running from such a perspective.
- A host administrative user 129 accesses the host 112 (and/or parent operating system) via a separate administrative network 142 in communication therewith.
- Host administrative users 129 can therefore log into the host 112 and then access (using their over-arching administrative privileges) the executive and administrative jails 122 and 124 to identify and address various issues. Otherwise, they typically have no specific duties associated with any specific user application 140 or application database 125.
- Hosts 112 of various embodiments can monitor syslog data 130 (and/or similar data) related to security and web logging to detect, identify, correct for, etc. malicious attacks and/or other unusual activity within or associated with host 112.
- Hosts 112 use such syslog data 130 to generate compliance/auditing reports 134 for Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act, Payment Card Industry Data Security Standard (PCI DSS), etc. purposes related to the host 112.
- HIPAA Health Insurance Portability and Accountability Act
- GLBA Gramm-Leach-Bliley Act
- PCI DSS Payment Card Industry Data Security Standard
- FIG. 2 illustrates a stack of some embodiments.
- The stack 200 can be a portion of system 100 and can be used to host various user web sites, user applications 140, application databases 125, etc.
- The stack 200 includes a number of objects, data directories, files, applications, etc. and operates under certain protocols such as, for illustrative purposes, the transfer control protocol/Internet protocol (TCP/IP) to serve the hosted user applications 140.
- TCP/IP transfer control protocol/Internet protocol
- The stack 200 sometimes faces the Internet 102 through a host firewall 114 and/or a network firewall so that users can access those resources while the host 112 enjoys some protection from malicious attacks courtesy of those firewalls.
- The stack 200 can be considered to include the parent operating system 212, the parent file structure 214, system binaries, etc. and is at least in some respects the operational part of the host 112.
- The stack 200 also controls access to the parent operating system 212 and parent file structure 214. Indeed, it can hide the parent operating system 212 from non administrative users 104, malicious users 106, administrative users 248, and from the user and administrative jails 122 and 124 respectively. And, if desired, the stack 200 can be said to include the network and/or host firewalls 114 of some embodiments.
- Certain malicious users 106 will at times attack the stack 200 and/or the user applications 140.
- The user applications 140 can behave as if they were malicious due to their design, programming, security features, etc. not meeting good design/programming practices.
- Once a malicious user 106 has gained local access in some way (perhaps through the user applications 140 or flaws thereof), they are sometimes able to pivot and attack the stack 200 (typically using RFI/LFI or command injection techniques if perimeter security stopped more direct attacks).
- The stack 200 of various embodiments eliminates or, if not, mitigates the risks of such attacks, of malicious-like behavior from user applications 140 which fail to meet good design/programming practices, and of malicious-like behavior by various non administrative users 104 and/or administrative users (even if they act without harmful intent).
- The stack 200 of the current embodiment includes a parent operating system 212 residing and/or operating in a host device such as host 112.
- The scope of the current disclosure includes embodiments in which the host 112 resides in a virtual machine (VM) managed by a hypervisor, as in some cloud environments.
- VM virtual machine
- The stack 200 of some embodiments also includes or defines a virtual local area network (VLAN) switch 202, a parent file structure 214, and virtual roots 224 and/or partitions therein for the various executive jails 122 and for the corresponding administrative jails 124 respectively.
- The executive jails 122 and administrative jails 124 often reside within the parent file structure 214 and inherit certain files and directories therefrom.
- Embodiments also provide database jails 225.
- The database jails 225 can also reside in virtual roots in the parent file structure 214.
- FIG. 2 also illustrates hosted web sites 235, an application configuration file 236, an administrative user configuration file 237, an executive version of a configuration file 238, an administrative version of a user application 240, a cross mounted and executable version of a user application 242, a cross mount arrow 246, and an administrative user 248.
- The stack 200 provides the parent operating system 212 with which to indirectly run various user applications 140, programs, etc. and/or to perform other secure operations desired by certain non administrative users 104 and administrative users 248.
- The parent operating system 212 hosts various hosted web sites 235 and/or user applications 140 as desired by one or more users and (as is disclosed further herein) does so through the executive jails 122, administrative jails 124, and database jails 225. More specifically, the parent operating system 212 generally maintains mirror copies of the user applications 140 in the executive jails 122 and the administrative jails 124.
- The stack 200 can employ a virtual image and a virtual local area network (VLAN) switch 202 so that if one portion of the stack becomes compromised, the compromise will have difficulty spreading.
- The VLAN switch 202 can segment VLANs for each of the executive jails 122, administrative jails 124, and database jails 225.
- The VLAN switch 202 allows the stack 200 to block entities on one VLAN from seeing the other VLANs and the entities, objects, resources, etc. therein. This segmentation results in a virtual firewall between the parent operating system 212 and users in the jails 122, 124, and 225.
- The VLAN switch 202 might or might not be a full-fledged switch in some hosts 112.
- In some embodiments a full-fledged switch could be employed. This situation can occur when compliance, performance, etc. reasons suggest that a separate residency might be desirable.
- Hosts 112 could handle the functions of the VLAN switch 202 locally, since the host can detect the IP addresses of the parties involved.
- The VLAN switch 202 makes non administrative users 104 access the apparent hosted web sites 235 via one VLAN and the IP addresses IP1 associated with the applicable executive jail(s) 122. Meanwhile, the VLAN switch 202 makes administrative users 248 access the apparent hosted web site 235 via another VLAN and addresses IP2 associated with the corresponding administrative jail 124. Moreover, the VLAN switch 202 connects the database jails 225 to the executive jails 122 and to the administrative jails 124 via another VLAN and IP addresses IP3 associated with the database jails 225. Thus, users 104 and 248 operate within the jails 122 and 124 with access to the application databases 125 for both read and write operations, as generally allowed by the user applications 140 and in compliance with permissions, privileges, etc.
- The VLAN switch 202 performs these functions without allowing the various users knowledge of, much less access to, other hosted web sites 235 or jails residing in the stack 200 (unless the host 112 permits knowledge of the other web sites 235).
- The bifurcation or segmentation of an apparent hosted web site 235 into the jails 122, 124, and 225 helps prevent a man in the middle 116 from attacking the stack 200 or, at the least, limits the damage which they might be able to do should they partially succeed. More specifically, since the VLAN switch 202 segments the executive jails 122 and administrative jails 124 (and database jails 225) at the network and/or host firewall 114 level, the VLAN switch 202 can identify and white list administrative users 248 for access to their administrative jails 124 via the IP addresses from which they connect to the host 112. Similar considerations can apply to white listing the non administrative users 104 at the VLAN switch 202 for access to the executive jails 122. Virtual private network (VPN) technologies can be employed in the alternative, or in addition, toward further securing the jails 122, 124, and 225 from man in the middle 116 attacks.
- Non administrative users 104 and administrative users 248 have various responsibilities.
- The stack 200 associates user configuration files 237 and 238 with at least some of the administrative users 248 and at least some of the non administrative users 104.
- The user configuration files 237-238 define which resources of the stack 200 the users 104 and 248 are allowed to access and which types of activities they can perform with respect thereto.
- Some differences will exist between the administrative versions of the hosted web sites 235 (residing in the administrative jails 124) and the executable versions of the hosted web sites 235 (executing in the executive jails 122).
- The administrative versions of the user configuration files 237 in the administrative jails 124 will identify the administrative users 248 and their privileges, while the executive versions of the user configuration files 238 in the executive jails 122 typically omit these details.
- The executive versions of the user configuration files 238 can identify the non administrative users 104 and their permissions in the executive jails 122.
- The parent operating system 212 can allow administrative users 248 to spin up multiple instances of executive jails 122 from one administrative jail 124, thereby further segregating non administrative users 104 into various categories for potentially separate and distinct handling. Such arrangements can also be convenient for administrative users 248 since they can maintain one administrative jail 124 that corresponds to many executive jails 122. Accordingly, the scope of the current disclosure is not limited by a one-to-one correspondence between executive jails 122 and administrative jails 124.
- The differing versions of the user configuration files 237 and 238 can allow particular users 104 and 248 differing permissions between jails 122 and 124. Some of these user activities can occur within the context of, or in relationship with, the various underlying user applications 140 mounted from the parent operating system 212 into the administrative jails 124 and then cross mounted into the executive jails 122. Of course, because of differences between the administrative versions of the user configuration files 237 in the administrative jails 124 and the cross mounted executive versions of the user configuration files 238 in the executive jails 122, the corresponding versions of these applications 240 and 242 might behave differently in some situations. Thus, mounting arrow 246 illustrates the stack 200 having cross mounted an executable version of a user application 242 into an executive jail 122 from an administrative version of the user application 240 in an administrative jail 124.
- The administrative jails 124 contain another configuration file, the application configuration file 236, which defines (at least in part) the allowed behavior of the administrative user applications 240 in the administrative jails 124 as it relates to various administrative users 248.
- The application configuration file 236 is not cross mounted to the corresponding executive jails 122.
- The administrative version of the user configuration file 237 is cross mounted into the executive jail 122 (without, though, typically conveying any information related to the administrative users 248, their configuration related information, and/or other jails 122 and 124).
- The application configuration file 236 of embodiments often contains different usernames/passwords for the application database 125, different salts used for session tokens, etc. Moreover, the application configuration file 236 modifies the behavior of the user application 140 and/or application database 125 by granting/denying the privileges, permissions, rights, etc. given to the various administrative users 248.
- Configuration files 236 to 238 might not be in the form of a separate cohesive file, object, etc. Rather, these configuration "files" 236 to 238 can represent a collection or set of configuration related settings, parameters, permissions, privileges, etc. spread throughout the stack 200. Therefore, for the sake of convenience, these potentially disparate sets of configuration information will be referred to as configuration files 236 to 238 herein.
- When an administrative user 248 is operating within the context of the administrative version of the user application 240 and wants to access the administrative version of the user configuration file 237, the administrative user 248 will find it located in the administrative jail 124.
- A non administrative user 104 or a malicious user 106 operating within the context of the more public and executable version of the user application 242 will at most find instead the less sensitive executive user configuration file 238 (without information pertaining to administrative privileges or the un-cross mounted administrative versions of the user applications 240).
- These two different versions of the configuration files 237 and 238 point to different locations on disk as the parent file structure 214 defines it, thereby further complicating the task of a malicious user 106 who would likely want access to the administrative information in the administrative configuration files 236 and 237 if they knew that these files existed.
- The administrative version of the user configuration file 237 can contain password files for the application database 125 and/or user application 140.
- The other version of the configuration file 238 can also contain a separate password file for the application database 125 and/or user application 140.
- The password files in the two versions of the user configuration files 237 and 238 can be different, and indeed often are.
- The administrative version of the configuration file 237 can contain an administrative username:password pair that gives some user (administrative user 248) read/write access to the application database 125 and the user application 140.
- The database jail 225 can restrict access to the application database 125 to deny users in the executive jails 122 the ability to connect to the application database 125 as administrative users 248.
- In this way the stack 200 prevents many types of SQL injection attacks or, in the alternative, limits such attacks to just those application database 125 tables that the non administrative user 104 has access privileges to (or has in some way gained access to).
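An added example (not code from the patent or from any product it describes) modelling the cross mount described above: the executive user configuration 238 is derived from the administrative version 237 with administrative users and jail topology stripped, the application configuration 236 is withheld from the executive jail, and the database jail 225 refuses the administrative account when it is presented from the executive VLAN and records the attempt as an action in the wrong jail for the host administrative user to review. All file names, user names, addresses and credentials are constructed for the example.

```python
"""Model of the administrative/executive jail split from the disclosure:
file 237 -> file 238 derivation, file 236 withheld, database jail 225 policy.
Every name and credential below is constructed for the example."""
from copy import deepcopy

ADMIN_ROLES = {"admin"}

# Constructed contents of one administrative jail (124).
ADMIN_JAIL_FILES = {
    "user_config_237": {
        "site": "example-site",
        "users": {
            "alice": {"role": "admin", "permissions": ["read", "write", "deploy"]},
            "bob": {"role": "user", "permissions": ["read", "comment"]},
            "carol": {"role": "user", "permissions": ["read"]},
        },
        # Administrative database account with read/write to the whole database.
        "db_credentials": {"user": "site_admin", "password": "ADMIN-PW-PLACEHOLDER"},
        # Topology that an executive-jail user has no business knowing.
        "peer_jails": {"admin": "10.2.0.5", "exec": ["10.1.0.5", "10.1.0.6"]},
    },
    "app_config_236": {
        "session_salt": "ADMIN-SALT-PLACEHOLDER",
        "admin_features": {"deploy": True, "edit_code": True},
    },
    "application_240": "<application code, shared read-only>",
}

# Constructed lower-privilege credentials issued only to the executive jail (122).
EXEC_DB_CREDENTIALS = {"user": "site_app", "password": "APP-PW-PLACEHOLDER"}


def derive_executive_user_config(admin_cfg_237, exec_db_credentials):
    """Build the executive version (238) of the user configuration: keep only
    non administrative users and their permissions, drop the peer-jail
    topology, and substitute the executive jail's database credentials."""
    exec_cfg = deepcopy(admin_cfg_237)  # never mutate the administrative copy
    exec_cfg["users"] = {
        name: entry
        for name, entry in admin_cfg_237["users"].items()
        if entry["role"] not in ADMIN_ROLES
    }
    exec_cfg.pop("peer_jails", None)
    exec_cfg["db_credentials"] = dict(exec_db_credentials)
    return exec_cfg


def cross_mount(admin_jail_files, exec_db_credentials):
    """Model the cross mount (arrow 246): the user configuration is exported in
    its executive form, the application configuration 236 is withheld, and the
    application itself is shared as the executable copy 242."""
    return {
        "user_config_238": derive_executive_user_config(
            admin_jail_files["user_config_237"], exec_db_credentials),
        "application_242": admin_jail_files["application_240"],
    }


# Constructed database-jail (225) state: accounts and which VLAN may use each.
DB_ACCOUNTS = {
    "site_admin": {"password": "ADMIN-PW-PLACEHOLDER", "privileges": {"read", "write", "ddl"}},
    "site_app": {"password": "APP-PW-PLACEHOLDER", "privileges": {"read", "write"}},
}
# The administrative VLAN (IP2) may use either account; the executive VLAN (IP1)
# may use only the application account.
ALLOWED_ACCOUNTS_BY_VLAN = {
    "admin_vlan": {"site_admin", "site_app"},
    "exec_vlan": {"site_app"},
}
# Events the host administrative user (129) would review: an administrative
# account presented from the executive VLAN is an action in the wrong jail.
AUDIT_LOG = []


def db_connect(source_vlan, user, password):
    """Return the privilege set granted by the database jail, or None when the
    connection is refused. The VLAN check runs before the password check, so a
    misplaced administrative credential is refused and logged even if valid."""
    if user not in ALLOWED_ACCOUNTS_BY_VLAN.get(source_vlan, set()):
        AUDIT_LOG.append({"event": "account_not_allowed_from_vlan",
                          "vlan": source_vlan, "user": user})
        return None
    account = DB_ACCOUNTS.get(user)
    if account is None or account["password"] != password:
        AUDIT_LOG.append({"event": "bad_credentials", "vlan": source_vlan, "user": user})
        return None
    return set(account["privileges"])


if __name__ == "__main__":
    exec_jail = cross_mount(ADMIN_JAIL_FILES, EXEC_DB_CREDENTIALS)
    print(sorted(exec_jail))
    print(sorted(exec_jail["user_config_238"]["users"]))
    print(db_connect("exec_vlan", "site_admin", "ADMIN-PW-PLACEHOLDER"))
    print(db_connect("admin_vlan", "site_admin", "ADMIN-PW-PLACEHOLDER"))
    print(AUDIT_LOG)
```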
- An instance of one application database 125 associated with one underlying user application 140 might be temporarily compromised, but the stack 200 will limit the spread of the attack.
- The stack 200 can include a network or host firewall 114 through which it selectively faces the Internet 102.
- The host firewall 114 can attempt to detect, identify, and prohibit malicious and/or unauthorized activity with respect to the stack 200 and, more specifically, the sensitive information, programs, user applications 140, associated application databases 125, etc. associated therewith. For instance, malicious users 106 often target, or cause damage to, the parent operating system 212 itself, its binaries (or components thereof), the various configuration files 236 to 238, user applications 140, etc. contained therein.
- Stacks 200 can also use host firewalls 114 to help prevent malicious users 106 in the executive jails 122 from connecting to the administrative jails 124, even if these jails 122 and 124 operate in the same machine. As a result, if such an attack occurs, the stack 200 can isolate it despite the attack not traversing an Ethernet cable or other physical connection between machines. Network firewalls, when employed, can also assist the stack 200 in deterring attacks in that they prevent malicious users 106 who have compromised a jail 122, 124, or 225 from pivoting and attacking applications in other jails 122, 124, or 225.
- Network and/or host firewalls 114 can also prevent an attack from pivoting to the administrative network 142 used to manage the physical machine(s) on which the stack 200 operates, since the two interfaces (one for the public and one for the host administrative user 129) can be handled separately.
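The segmentation described in the VLAN switch 202 passage and the firewall 114 passages above (public users to the executive jails only, white listed or VPN administrative users to the administrative jails, each site's jails to their own database jail, no executive-to-administrative traffic and no jail-to-management traffic), written as a first-match, default-deny policy model. This is an added example, not code from the patent or any product; the addresses, ports, site names, whitelist and VPN pool are assumptions.

```python
"""First-match, default-deny model of the firewall/VLAN segmentation between
the Internet, executive jails (IP1), administrative jails (IP2), database
jails (IP3), the parent host and the administrative network 142.
All addresses, ports and names are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: two hosted sites, each jail on its own VLAN.
JAILS = {
    "10.1.0.5": ("example-site", "exec"),   # IP1: executive jail 122
    "10.2.0.5": ("example-site", "admin"),  # IP2: administrative jail 124
    "10.3.0.5": ("example-site", "db"),     # IP3: database jail 225
    "10.1.0.9": ("other-site", "exec"),
    "10.3.0.9": ("other-site", "db"),
}
ADMIN_NETWORK_142 = ip_network("192.168.100.0/24")  # host administrative user 129
ADMIN_WHITELIST = {"203.0.113.10"}                  # administrative user 248, by IP
VPN_POOL = ip_network("10.8.0.0/24")                # administrative user 248, via VPN
PARENT_HOST = "10.0.0.1"                            # parent operating system 212


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def classify(addr):
    """Return (site, zone) for a jail address, or (None, zone) otherwise."""
    if addr in JAILS:
        return JAILS[addr]
    ip = ip_address(addr)
    if addr == PARENT_HOST:
        return (None, "parent")
    if ip in ADMIN_NETWORK_142:
        return (None, "admin_net")
    if addr in ADMIN_WHITELIST or ip in VPN_POOL:
        return (None, "admin_user")
    return (None, "public")


def evaluate(flow):
    """Return ("allow" | "deny", reason). Rules are checked in order and the
    first match wins; anything that matches no rule is denied."""
    src_site, src = classify(flow.src)
    dst_site, dst = classify(flow.dst)
    same_site = src_site is not None and src_site == dst_site
    rules = [
        # Public users reach only the executive jails, and only over HTTPS.
        (src == "public" and dst == "exec" and flow.port == 443,
         "allow", "public->exec https"),
        # White listed or VPN administrative users reach the administrative
        # jail over SSH or HTTPS; nobody else does.
        (src == "admin_user" and dst == "admin" and flow.port in (22, 443),
         "allow", "admin user->admin jail"),
        # A site's jails reach their own database jail, never another site's.
        (src in ("exec", "admin") and dst == "db" and same_site,
         "allow", "jail->own db"),
        # An executive jail never reaches an administrative jail, same machine or not.
        (src == "exec" and dst == "admin",
         "deny", "exec->admin pivot blocked"),
        # No jail reaches the management network or the parent host.
        (src in ("exec", "admin", "db") and dst in ("admin_net", "parent"),
         "deny", "jail->management blocked"),
        # The host administrative user reaches the parent only from network 142.
        (src == "admin_net" and dst == "parent" and flow.port == 22,
         "allow", "host admin->parent"),
    ]
    for matched, verdict, reason in rules:
        if matched:
            return verdict, reason
    return "deny", "default deny"


if __name__ == "__main__":
    for f in (Flow("198.51.100.7", "10.1.0.5", 443),
              Flow("10.1.0.5", "10.2.0.5", 22),
              Flow("10.1.0.5", "10.3.0.9", 3306)):
        print(f, evaluate(f))
```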
- Network and host firewalls 114 typically allow some access thereto while doing so in manners calculated to thwart or at least impede the activities of malicious users 106; user applications 140 that fail to comply with good programming practices; and/or users 104 and 248 who act in malicious-like ways (even if acting in some errant manner without necessarily having harmful intent).
- The host firewall 114 can allow typical non administrative users 104 access to the mounted and executable version of the user applications 242 in the executive jails 122 via protocols such as the hyper text transfer-secure protocol (HTTP/S), the HTTP Secure Socket Layer (HTTP-SSL) protocol, the HTTP Transport Layer Security (HTTP-TLS) protocol, the SPDY protocol, the Web Developers Virtual Library (WDVL) protocol, the HTTP Next Generation (HTTP NG) protocol, etc., as well as other protocols now in existence or yet to be developed. While the protocols, ports, etc. might change from implementation to implementation, the stacks 200 could remain similar to those disclosed herein.
- the network and/or host firewall 114 of the current embodiment can restrict access to the administrative jails 124 to only administrative users 248 with administrative privileges with respect to their corresponding administrative versions of the user applications 240 thereof.
- the stack 200 can also provide similar protection for the administrative versions of the configuration files 236 and 237 , directories, etc. in the administrative jails 124 .
- These administrative versions of the configuration files 236 to 237 sometimes contain password files related to the application database 125 that (if accessed) would yield higher access privileges to the user application 140 and application database 125 than are warranted for non administrative users 104 and others, thereby possibly meriting such protective measures.
- administrative access for the administrative users 248 to the administrative jails 124 is provided via secure technologies such as the virtual private network (VPN), the secure socket shell or secure shell (SSH/HTTPS) protocols, and/or other protocols now in existence or yet to be developed.
- SSH and HTTPS can be tunneled over a VPN connection such that administrative access to the administrative jails 124 is doubly encrypted (thereby rendering man in the middle 116 attacks particularly difficult to perform). Additional encryption methods could also be employed if desired.
- various combinations of such techniques can be used. For instance HTTPS access over SSH tunnels over a VPN connection could be used. In such manners vulnerabilities in one security technology can be mitigated while still providing protection from the other layered techniques. It is noted here that many embodiments employ redundant security mechanisms at certain points in the stack 200 to make malicious attacks, and the like, exponentially more difficult to execute and/or exploit.
- some embodiments implement such firewall related provisions through rules configured into the firewalls.
- new rules can be configured into the firewalls to account for such flaws and/or thwart attacks allowed by vulnerabilities resulting therefrom.
- these redundant security technologies can plug the gap with a relatively simple re-configuration of the firewalls involved until a fix or patch becomes available.
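The rule-based firewalling described above (public users confined to the executive jail, administrative users to the administrative jail, no path from an executive jail to an administrative jail, and an emergency rule prepended while a patch is awaited) can be modelled as a first-match rule evaluator. The following is an added example and not code from the patent; the zone names standing in for IP1, IP2 and IP3, the port numbers (the database port in particular) and the starting rule table are constructed assumptions.

```python
"""Added example, not code from the patent: a first-match rule evaluator that
models the firewall policy the description places between the jails. The zone
names, port numbers and the starting rule table are constructed assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Zones stand in for the addresses the description assigns to the jails:
# IP1 = executive jail, IP2 = administrative jail, IP3 = database jail.
PUBLIC, VPN, EXEC, ADMIN, DB, INTERNET = (
    "public", "admin-vpn", "IP1", "IP2", "IP3", "internet")
DB_PORT = 5432  # constructed; the description names no database port


@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    src: Optional[str]                       # None matches any source zone
    dst: Optional[str]                       # None matches any destination zone
    ports: Optional[FrozenSet[int]] = None   # None matches any port
    comment: str = ""

    def matches(self, src: str, dst: str, port: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.ports is None or port in self.ports))


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, port: int) -> str:
        """First matching rule wins; anything unmatched is denied."""
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return "deny"

    def prepend(self, rule: Rule) -> None:
        """An emergency rule placed ahead of the others: the 'relatively simple
        re-configuration' used to plug a gap until a patch is available."""
        self.rules.insert(0, rule)


def stack_policy() -> Firewall:
    """Baseline policy: only the flows the description allows are listed;
    everything else (executive -> administrative, executive -> Internet,
    public -> administrative, ...) falls through to the default deny."""
    fw = Firewall()
    fw.rules += [
        Rule("allow", PUBLIC, EXEC, frozenset({443}), "public users, HTTPS only"),
        Rule("allow", VPN, ADMIN, frozenset({22, 443}), "administrative users over VPN: SSH/HTTPS"),
        Rule("allow", EXEC, DB, frozenset({DB_PORT}), "executive jail to its database jail"),
        Rule("allow", ADMIN, DB, frozenset({DB_PORT}), "administrative jail to its database jail"),
        # Explicit denies are redundant with the default but make the intent auditable.
        Rule("deny", EXEC, ADMIN, None, "no pivot from a compromised executive jail"),
        Rule("deny", EXEC, INTERNET, None, "no outbound egress for executive jails"),
    ]
    return fw


def policy_report(fw: Firewall) -> List[str]:
    """Evaluate a fixed set of flows and return the decisions, for review."""
    flows = [(PUBLIC, EXEC, 443), (PUBLIC, EXEC, 22), (PUBLIC, ADMIN, 443),
             (EXEC, ADMIN, 443), (EXEC, INTERNET, 80), (EXEC, DB, DB_PORT),
             (VPN, ADMIN, 22)]
    return [f"{s} -> {d}:{p} {fw.evaluate(s, d, p)}" for s, d, p in flows]


if __name__ == "__main__":
    fw = stack_policy()
    print("\n".join(policy_report(fw)))
    # A flaw is reported in the HTTPS administrative interface: block it until patched.
    fw.prepend(Rule("deny", VPN, ADMIN, frozenset({443}), "temporary: admin HTTPS disabled"))
    print("after emergency rule:", fw.evaluate(VPN, ADMIN, 443), fw.evaluate(VPN, ADMIN, 22))
```

The explicit deny rules are not needed for correctness under a default-deny policy; they are kept because an auditor reading the rule set can then see the executive-to-administrative and egress prohibitions stated rather than implied.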
- the host 112 has certain jail related features pertinent to preventing, impeding, or otherwise thwarting malicious and/or unusual activities. For instance, the host 112 creates virtual roots that separate the individual executive jails 122 from each other as well as from other operating areas, data structures, etc. The host 112 also creates virtual roots that separate the individual administrative jails 124 (which correspond to the executive jails 122 ) from each other as well as from the executive jails 122 themselves and the other operating areas, data structures, etc. of the host 112 . In addition, or in the alternative, the hosts create virtual roots and mountings associated with the jails 122 and 124 from which the users 104 and 248 cannot escape.
- chroot can be used to create these apparent root directories for the various jails 122 and 124 . Because the jails 122 and 124 offer security on top of the virtual roots (for instance, those created via chroot) programs and users operating in the jails 122 and 124 cannot access files outside of the directories thereby created. Moreover, these benefits should occur regardless of the underlying operating system (for instance FreeBSD®, Windows®, Apple®, Unix®, Linux®, etc.) within which the jails 122 and 124 operate provided that it supports such functionality.
- hosts 112 of various embodiments hide their parent file structures 214 . More particularly, the file system and binaries of hosts 112 cannot be accessed much less seen by users 104 , 106 , and/or 248 performing operations within the executive jails 122 and/or the administrative jails 124 .
- VLAN switch 202 effectively forces such users 104 , 106 , and 248 to access host 112 via the IP addresses IP1, IP2, and IP3 (associated respectively with the executive jail(s) 122 , administrative jail(s) 124 , and the application database jail(s) 225 ). More specifically, the actual address of the host 112 can be withheld from the public while addresses IP1 and IP2 can be made available to legitimate users 104 and 248 .
- the addresses IP3 of the database jails 225 can likewise be withheld from the public since the VLAN switch 202 of embodiments handles communications therewith.
- the VLAN switch 202 hides the IP addresses associated with the host 112 , the parent operating system 212 , and/or the application databases 125 from outside scrutiny.
- users 104 , 106 , and 248 usually begin their activities within the context of the executive jails 122 and/or administrative jails 124 and not within the context of the underlying parent operating system 212 or the application databases 125 .
- the stack 200 hides the administrative jails 124 from the executive jails 122 so that users accessing (by any means) the executive jails 122 are unlikely to even realize that corresponding and separate administrative jails 124 might even exist. Furthermore, this result is true even after a malicious user 106 successfully compromises an executive jail 122 or a non administrative user 104 violates security in some manner, perhaps accidentally. Since the malicious user 106 or non administrative user 104 cannot see the administrative jail 124 , the architecture of the stack 200 will probably befuddle them and leave them unable to create even a “temp” (temporary) file with which to further exploit their breach since they have no write privileges within the executive jail 122 .
- each host 112 can have associated therewith a host administrative user 129 with broad privileges to access, monitor, edit, control, re-configure, etc. features of the pertinent host 112 and/or jails 122 , 124 , and 225 .
- the host administrative user 129 can patch and/or update the parent operating system 212 and the underlying user applications 140 , install new applications, reconfigure the network and/or host firewall 114 , the permissions of the jails 122 , 124 , and 225 , the cross mountings of user applications 140 , etc.
- These features give the host administrative user 129 the ability to detect, investigate, mitigate, and/or correct for unusual activities and malicious attacks against the host 112 and its resources.
- FIG. 2 also illustrates the parent file structure 214 of certain embodiments.
- the parent file structure 214 defines a directory or file structure which includes the virtual roots 224 and/or partitions in which the executive jails 122 and administrative jails 124 reside.
- the partitions are not necessary for the practice of the current disclosure. However, they do tend to eliminate or reduce outages and indeed all of the jails 122 , 124 , and 225 could share a partition (or not even be partitioned) and still be within the scope of the current disclosure.
- the parent file structure 214 also provides that the configuration files 236 to 238 reside in their appropriate virtual roots 224 and/or partitions thereby protecting them from malicious attacks or unusual activity in other partitions even if they exist as disparate sets of information.
- the stack 200 can ignore those items supposedly in the set if they are found outside of the appropriate locations in the parent file structure 214 . Of course, such an event itself might indicate that an unexpected change to the stack 200 occurred. Thus, the stack 200 could raise an alert or take some other corrective action.
- the parent operating system 212 can be any type of operating system capable of supporting executive, administrative, and database jails 122 , 124 , and 225 including, but not limited to, the FreeBSD®, Windows®, Apple®, Unix®, Linux®, etc. operating systems. Among other activities related to hosting hosted web sites 235 and/or user applications 140 , the parent operating system 212 can perform file management functions. In so doing, the parent operating system 212 interacts with the parent file structure 214 to determine which users 104 , 106 , 129 , and 248 can perform various operations on these files.
- the parent operating system 212 can also store syslog data 130 and/or other data related to system 100 security (re-configurations, access attempts, etc.). In the alternative, or in addition, the parent operating system 212 can deliver syslog data 130 to appropriate administrative jails 124 or other locations inaccessible to non administrative users 104 (or malicious users 106 acting as such) if desired. For instance, while embodiments can deliver syslog data 130 to an executive jail 122 , stacks 200 of many embodiments restrict delivery of syslog data 130 to locations other than the executive jails 122 , such as the administrative jails 124 and/or a dedicated partition in the parent file structure 214 .
- the parent operating system 212 can also store information useful for HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. compliance/auditing purposes and the like.
- Because pre-existing syslog data 130 stored in the parent file structure 214 (or an administrative jail 124 ) cannot be tampered with after an executive jail 122 has been compromised, malicious users 106 cannot cover or destroy evidence of their activities.
- a malicious user 106 might cause additional syslog data 130 to be appended to such pre-existing syslog data 130 but no alterations of the pre-existing information would result. Accordingly, such syslog data 130 can be deemed to be “forensically secured” against tampering by malicious user 106 and others.
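The "forensically secured" property described above (earlier entries cannot be altered, new entries can still be appended) can be made checkable by a defender. The following added example, which is not code from the patent and goes one step beyond it, writes log lines through an append-only descriptor and links each line to the previous one with a hash, so that a later alteration of any pre-existing entry is detected on verification. Paths and sample log messages are constructed; the log is created in a temporary directory.

```python
"""Added example, not code from the patent: an append-only, hash-chained log
writer and verifier. New entries can be appended, but any change to an
earlier entry is detected. Paths and sample messages are constructed."""
import hashlib
import os
import tempfile
from typing import Optional

GENESIS = "0" * 64  # chain value before the first entry


def _link(prev_hash: str, message: str) -> str:
    return hashlib.sha256((prev_hash + "\n" + message).encode()).hexdigest()


def last_hash(path: str) -> str:
    """Hash recorded on the final line, or the genesis value for an empty/new log."""
    if not os.path.exists(path) or os.path.getsize(path) == 0:
        return GENESIS
    with open(path, "rb") as fh:
        lines = fh.read().splitlines()
    return lines[-1].decode().split("\t", 1)[0]


def append_entry(path: str, message: str) -> str:
    """Append one line 'hash<TAB>message'. The descriptor is O_APPEND only, so
    the writer cannot seek back and overwrite earlier bytes."""
    message = message.replace("\n", " ").replace("\t", " ")
    digest = _link(last_hash(path), message)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{digest}\t{message}\n")
    return digest


def first_bad_line(path: str) -> Optional[int]:
    """Re-walk the chain; return the 0-based index of the first entry whose hash
    does not match, or None when the whole log is intact."""
    prev = GENESIS
    with open(path, "r") as fh:
        for idx, line in enumerate(fh.read().splitlines()):
            digest, _, message = line.partition("\t")
            if digest != _link(prev, message):
                return idx
            prev = digest
    return None


def demo() -> dict:
    """Write three constructed entries, verify, alter the second line the way an
    intruder with write access would, verify again, then append once more."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "syslog")
        for msg in ["sshd: accepted key for admin from 10.0.2.10",
                    "httpd: GET /index.php 200",
                    "httpd: GET /wp-login.php 404"]:
            append_entry(path, msg)
        intact = first_bad_line(path)
        with open(path) as fh:
            lines = fh.read().splitlines()
        lines[1] = lines[1].replace("200", "500")      # tamper with an earlier entry
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        tampered = first_bad_line(path)
        append_entry(path, "httpd: GET / 200")           # appending still works
        return {"intact": intact, "tampered": tampered, "after_append": first_bad_line(path)}


if __name__ == "__main__":
    print(demo())  # {'intact': None, 'tampered': 1, 'after_append': 1}
```

The chain only makes tampering evident; what prevents it in the stack described here is that the log lives outside the executive jail, where a compromised jail has no write path to it. The two measures complement each other: the placement stops the alteration, the chain proves to an investigator that none occurred.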
- the parent operating system 212 of embodiments controls all aspects of the executive jails 122 and the administrative jails 124 including the apparent hosted web sites 235 (and/or other user applications 140 ) running therein. For instance, these entities and the users operating therein must communicate through permissions granted by the firewall(s) and the configuration files 236 to 238 residing in the parent operating system 212 .
- the administrative network 142 can sit on a virtual-LAN that differs from the one used to handle Internet-bound and/or Internet-originating traffic via VLAN switch 202 .
- the parent file structure 214 is hidden from the executive jails 122 , the administrative jails 124 , and/or users 104 , 106 , and 248 operating therein.
- host administrative user(s) 129 can be the only individual having access to the parent operating system 212 and/or parent file structure 214 .
- malicious users 106 find their ability to sniff traffic, pivot to other machines (whether virtual or real) running similar stacks 200 , brute force host administrative user accounts, etc. thwarted or at least impeded.
- each hosted web site 235 of embodiments can appear to non administrative users 104 from outside of the stack 200 as if it were a singular, coherent entity residing on the host 112 .
- the hosted web sites 235 appear to contain all user applications 140 , files, information, functionality, etc. normally associated with a web site (or in the case of a stand-alone user application 140 , corresponding features) as viewed by non administrative users 104 .
- the stack 200 allows non administrative users 104 from outside of the stack 200 read-only access to the cross mounted and executable user applications 242 residing in the executive jails 122 . Moreover, if desired, such access can be by way of secure protocols such as, but not limited to, the HTTP/S protocol. In this manner, even non administrative users 104 can cause the execution of the cross mounted and executable user application 242 , thereby obtaining the functionality which they seek. In contrast thereto, the stack 200 allows administrative access to the administrative versions of the user applications 240 , and/or hosted web sites 235 via the administrative jails 124 .
- Such administrative access can be by way of a combination of secure techniques such as the SSH-HTTP/S protocol and/or other protocols, techniques, etc. since it allows administrative users 248 the ability to perform writes to the administrative user applications 240 (or, rather, their programming and/or coding), update hosted web sites 235 , add additional modules/applications, etc. if desired.
- parent operating systems can represent one vulnerability of many conventional operating systems. In part this is so because they define the partitions of their conventional stacks and the resources contained therein. As a result, malicious users 106 often target them for unauthorized editing, copying, theft, etc. They do so, many times, by mimicking or otherwise misappropriating the user identity (UID) of a valid user. In some embodiments, therefore, stacks 200 prevent all users 104 and 248 who have valid UIDs from owning files.
- administrative users 248 sometimes create files and give the ownership to some World Wide Web (www) or other Internet 102 user (for instance Apache®).
- the stack 200 can prevent the UID from the administrative jail 124 and the UID in the executive jail 122 from reflecting the same user.
- the stack prevents such UIDs from being associated with any user 104 or 248 and/or performs cross checks to identify such situations. Accordingly, if the file (or code therein) becomes compromised and its read-only access has been disabled, the malicious users 106 apparently causing the change still will have no ability to modify the file because they don't own it. Nor does any other non administrative user 104 (within the corresponding executive jail 122 ).
- such files are associated to a UID that has no username attached to it.
- Administrative users 248 might also desire to upload new code through the web interface. For instance, an administrative user 248 might upload a new or modified plug-in to their content management system. While such behavior is common, it also creates a vulnerability in that the plug-in might or might not meet good design/programming standards and could have been generated by a malicious user 106 . Thus, the stack 200 can ignore files (here, the plug-in) which are owned by particular UIDs and/or only allow execution of files which have no associated UID attached to them within the executive jails 122 . Embodiments do allow stacks 200 to select whether such features are employed and across which jails 122 and 124 as might be desired.
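The ownership rules in the preceding items (served files belong to a UID with no username, the same UID must not name a user in both jails, an executive jail executes only unowned files, writes happen only in the administrative jail by a real owner) can be expressed as a handful of checks. The following is an added example, not code from the patent; the username tables, UIDs and file list are constructed, and only the `owner_username` helper consults the real system through `os.stat` and `pwd`.

```python
"""Added example, not code from the patent: the ownership rules the description
applies to files in the executive and administrative jails, modelled as pure
checks over constructed username tables."""
import os
import pwd
from typing import Dict, List, Optional, Set

# Constructed username tables for one administrative jail and its executive jail.
# UID 1001 names 'alice' only in the administrative jail; in the executive jail
# it is an orphan, so the files she owns are unowned there. UID 80 ('www') is
# the web user an administrative user might hand files to.
ADMIN_JAIL_PASSWD: Dict[int, str] = {1001: "alice", 80: "www"}
EXEC_JAIL_PASSWD: Dict[int, str] = {80: "www"}


def is_orphan_uid(uid: int, passwd: Dict[int, str]) -> bool:
    """True when no username is attached to the UID in this jail."""
    return uid not in passwd


def may_write(file_uid: int, requester_uid: int, jail: str,
              passwd: Dict[int, str]) -> bool:
    """Disk writes exist only in administrative jails, by the owner, and only
    when the owner is a real account there. Executive jails carry no write privilege."""
    if jail != "administrative":
        return False
    return file_uid == requester_uid and not is_orphan_uid(file_uid, passwd)


def may_execute(file_uid: int, jail: str, passwd: Dict[int, str],
                orphan_only: bool = True) -> bool:
    """With orphan_only set, an executive jail runs only files that no account
    owns; a plug-in uploaded through the web interface (owned by 'www') is ignored."""
    if jail == "executive" and orphan_only:
        return is_orphan_uid(file_uid, passwd)
    return True


def shared_uids(admin_passwd: Dict[int, str], exec_passwd: Dict[int, str]) -> Set[int]:
    """Cross check: UIDs that name an account in both jails, which the stack
    is meant to prevent so that the two jails never reflect the same user."""
    return set(admin_passwd) & set(exec_passwd)


def executable_files(files: Dict[str, int], jail: str, passwd: Dict[int, str]) -> List[str]:
    """Given {name: owner_uid}, return the names the jail would allow to execute."""
    return [name for name, uid in files.items() if may_execute(uid, jail, passwd)]


def owner_username(path: str) -> Optional[str]:
    """Owner of a real file on this system; None means the owner UID has no username."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


if __name__ == "__main__":
    files = {"index.php": 1001, "plugin.php": 80}   # constructed: site code and an uploaded plug-in
    print("executable in executive jail:", executable_files(files, "executive", EXEC_JAIL_PASSWD))
    print("alice may edit index.php in her administrative jail:",
          may_write(1001, 1001, "administrative", ADMIN_JAIL_PASSWD))
    print("UIDs shared by both jails (should be empty):", shared_uids(ADMIN_JAIL_PASSWD, EXEC_JAIL_PASSWD))
```

Running the checks on a real jail is a matter of walking the served directory with `owner_username` and flagging every file whose owner resolves to a name; the constructed tables above simply make the decision logic testable without root.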
- the foregoing features allow such administrative users 248 to maintain, configure, etc. their administrative user applications 240 , application databases 125 , hosted web sites 235 , etc. despite the features of the stack 200 related to security as disclosed further herein.
- These administrative users 248 generally want to control the hosted web sites 235 and/or user application 140 to provide content and/or functionality to some Internet 102 or WAN audience, client base, group of followers, etc. More specifically, administrative users 248 often want to upload pictures, movies, and other content. They might also want to moderate comments or take other actions with respect to their offerings.
- These types of administrative users 248 differ from the host administrative user 129 who watches the host 112 , performs operating system patch management, and so on.
- the hosted web site 235 and/or user application 140 administrative users 248 typically reside on the Internet 102 or some WAN and do desire some write privileges to their application databases 125 , user applications 140 , hosted web sites 235 , etc.
- stack 200 mounts the system binaries for both the administrative jails 124 and the executive jails 122 as read-only and in their virtual roots 224 and/or partitions.
- an administrative user 248 operating in their administrative jail 124 could not inadvertently or purposefully modify system binaries other than those copies related to the administrative version of their own user application 240 in their administrative jail 124 .
- administrative users 248 cannot modify copies of system binaries in other jails 122 and 124 , much less those associated with the parent operating system 212 .
- users with appropriate administrative privileges (administrative users 248 ) to the administrative jails 124 can own and therefore edit files within their administrative jails 124 .
- the foregoing features allow administrative users 248 to maintain their application databases 125 , user applications 140 , hosted web sites 235 , etc. without risking the security of the parent operating system 212 by allowing malicious users 106 opportunity to insert a rootkit (using for instance a kernel module, compromised library, etc.) to create a backdoor.
- various features of the executive jails 122 and administrative jails 124 are further disclosed at this juncture. Take, for instance, executive jails 122 of some embodiments. For one thing, the cross mounted and executable user applications 242 in the executive jails 122 appear to non administrative users 104 outside of the stack 200 as the hosted web site 235 (or other resource) which they believe that they are accessing. The foregoing statement implies, and, in some embodiments, it is true, that this appearance is misleading.
- each executive jail 122 is also located in a virtual root from the other executive jails 122 (and other aspects of the parent operating system 212 ). Moreover, each individual executive jail 122 , and the group of them as a whole, is located in virtual roots separate from those of the administrative jails 124 .
- the stack 200 of embodiments can improve on such security features. For instance, because the administrative version of the user configuration files 237 in the administrative jails 124 can differ from the executive user configuration file 238 in the executive jails 122 , differing access privileges can be supplied to non administrative users 104 and administrative users 248 in those jails 122 and 124 depending on which jail 122 or 124 they operate from within.
- one user logged in to an executive jail 122 could have read-only access to the application database 125 while that same user (logged in as an administrative user 248 ) could have read/write privileges to the application database 125 from within the corresponding administrative jail 124 .
- Executive jails 122 (as well as the administrative jails 124 ) of some embodiments can be compared to lightweight virtual machines (VMs).
- stacks 200 of embodiments provision these executive jails 122 with just those resources reasonably associated with the functions which they are likely to perform within the stack 200 (notably, executing the cross mounted and executable versions 242 of the administrative user applications 240 ).
- the administrative jails 124 can provide functionality for maintaining the administrative user applications 240 .
- the stack 200 of embodiments does allow access to the application database(s) 125 via the versions of user applications 240 and 242 executing in the jails 122 and 124 . Moreover, even that access can be limited at the firewall level and by the database jails 225 (using the configuration information in the differing versions of the user configuration files 237 and 238 ) and/or the IP addresses from which access thereto is sought.
- the stack 200 can provide access to the application databases 125 at a user-by-user level of granularity while protecting the parent operating system 212 and its binaries and parent file structure 214 from unauthorized disk write operations. Indeed, no disk write privileges are associated with the executive jails 122 (or users or cross mounted and executable user applications 242 therein). Conventional stacks cannot grant such user-by-user read/write access to the application databases 125 (and the executable user applications 242 ) without exposing the parent operating system 212 to threats from malicious user 106 and threats from user applications 140 not meeting good design/programming practices.
- the stack 200 grants neither the executive jails 122 nor any entity therein any outbound egress over the interface to the Internet 102 . In part, this denies malicious users 106 the opportunity to get a malicious command (which relies on some external file for instance, those used during a PHP RFI attack) running in an executive jail 122 and that fetches dangerous programs or code from the Internet 102 or elsewhere. Nor does the stack 200 allow access to the parent file structure 214 by the executive jails 122 or entities associated therewith. Each executive jail 122 also contains executive user configuration files 238 cross mounted from the corresponding administrative user configuration files 237 (which are mounted in the administrative jail 124 ). Similarly, each executive jail contains therein the cross mounted and executable user applications 242 .
- stacks 200 limit their access to reaching the web server (or host 112 ) ports and/or whatever services might be running and exposed at those locations. That is, in some embodiments, public users can view information provided by the cross mounted and executable user applications 242 and/or hosted web sites 235 but cannot otherwise interact with them or anything else in the executive jails 122 (except for those objects within the execution permissions associated with the executable user applications 242 ).
- the stack 200 of embodiments therefore denies public users the permission to do more than merely browse through hosted web sites 235 and/or other information available in the executive jails 122 . More specifically, the stack 200 does not allow public users write privileges of any sort (including writes to application databases 125 and disk writes). This is not to say that the stack 200 prevents user applications 140 from allowing even public users to access the application databases 125 . Rather, the user applications can do so by, for instance, allowing a public user to post a comment to a blog article. But, that sort of access can be managed by the user application 140 . Thus public users cannot edit any information to which they might gain access unless allowed by the user application 140 or the permissions associated with the application database 125 .
- valid non administrative users 104 can access the executive jails 122 and cross mounted and executable user applications 242 for which they have been granted access rights. Of course, they still have no authority to write to the parent operating system 212 , the area of disk in which it might be stored (for instance, a series of locations in a redundant array of independent disks), its binaries, its parent file structure 214 , etc. Indeed, they (and the executive jails 122 themselves) can see neither the parent operating system 212 nor the corresponding administrative jails 124 (or any other administrative jail 124 or executive jail 122 ). That is, the stack 200 hides the parent operating system 212 and the administrative jails 124 from each of the executive jails 122 .
- exceptions can be made such as anything that is intentionally cross mounted into the executive jails 122 1) from the administrative jails 124 (by the administrative users 248 ) or 2) from the parent operating system 212 (by a host administrative user 129 ). Nonetheless, some stacks 200 allow such access to the mounted executable user applications 242 and/or hosted web sites 235 in the executive jails 122 for which non administrative users 104 have access via protocols such as, but not limited to, HTTP/S.
- Stacks 200 of embodiments also define how the various administrative jails 124 behave. While the cross mounted and executable user applications 242 in the executive jails 122 can appear to be the hosted web sites 235 for the public, the administrative user applications 240 within the administrative jails 124 appear to be the hosted web sites 235 to the corresponding administrative users 248 as far as the performance of their administrative functions is concerned. As noted, these administrative jails 124 are located in separate virtual directories from each other, the executive jails 122 , and other areas of the parent operating system 212 and therefore users 104 and 248 operating in one jail 122 or 124 cannot access other jails 122 or 124 .
- the administrative jails 124 can also resemble lightweight VMs in that the stack 200 of the current embodiment provisions them with only the resources likely to be associated with their functionality within the stack 200 (via a copy of some minimum set of binaries of the underlying parent operating system 212 ). As such, administrative jails 124 of some embodiments do allow both read and write privileges to users authorized as administrative users 248 with respect to the administrative versions of their user applications 240 and application databases 125 . But these privileges are rather limited in scope. More specifically, the read/write privileges granted to these administrative jails 124 and administrative users 248 relate only to the mounted administrative user applications 240 , application databases 125 , and/or hosted web sites 235 .
- parent operating system 212 is hidden from the administrative jails 124 and any mounted executable user applications 242 , administrative users 248 , etc. therein or otherwise associated therewith.
- administrative users 248 cannot update, modify, etc. parent operating system 212 binaries despite their administrative privileges within the administrative jails 124 .
- administrative jails 124 contain the administrative user configuration files 237 corresponding to their administrative users 248 .
- the administrative jails 124 also include the administrative versions of the user applications 240 .
- administrative users 248 of hosted web sites 235 might log in to their administrative jails 124 and use WordPress®, Microsoft FrontPage®, NetObjects Fusion®, or other site authoring tools to edit their hosted web sites 235 and/or similar tools for editing administrative user applications 240 and/or application databases 125 .
- administrative users 248 could log in using various shopping carts, content management systems, etc. such as Joomla!®, OSCommerce®, Joomla®, Zen Cart®, etc. to manipulate their hosted web sites 235 .
- the administrative users 248 typically log into their administrative jails 124 to use their write access privileges in accordance with the permissions granted by the administrative user configuration files 237 .
- the non administrative user 104 might attempt to perform some operation involving a write operation to the cross mounted and executable user applications 242 (or rather the administrative versions of the user application 240 itself).
- the cross mounting of the administrative user applications 240 to the executive jail 122 from the administrative jail 124 occurs via a hardened Apache/PHP scripting implementation.
- the scope of the current disclosure is not limited to Apache/PHP web servers/programming languages.
- stack 200 also by default can include certain HTTP headers which can improve security.
- stacks 200 of embodiments can include HTTP headers such as:
- This header (which is supported by most browsers) prevents users other than the administrative user 248 for a hosted web site 235 from framing that web site. Accordingly, this header reduces click jacking.
- X-Content-Security-Policy allow ‘self’; img-src ‘self’ data:; options inline-script eval-script; This experimental CSP header built into makes it harder for malicious users 106 to inject malicious content into hosted web sites 235 thereby also helping prevent XSS attacks.
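The two headers just described (an anti-framing header and the experimental `X-Content-Security-Policy` header) are most reliably applied once, at the server, rather than by each hosted application. The following added example, which is not code from the patent, is a WSGI middleware that adds them to every response and a checker that reports responses lacking them. The `X-Frame-Options` name and its `SAMEORIGIN` value are my assumption for the anti-framing header the description does not name; the `Content-Security-Policy` line is a translation of the legacy value quoted in the text into current CSP syntax.

```python
"""Added example, not code from the patent: WSGI middleware that applies the
anti-framing and CSP headers to every response, plus a checker for responses
that lack them. X-Frame-Options/SAMEORIGIN is an assumed value; the
Content-Security-Policy line translates the legacy value quoted in the text."""
from typing import Dict, Iterable, List, Tuple

# Legacy header value exactly as quoted in the description.
LEGACY_CSP = "allow 'self'; img-src 'self' data:; options inline-script eval-script"
# Same policy in current CSP syntax. Inline and eval are kept only because the
# legacy value allowed them; dropping the two 'unsafe-*' tokens is stronger.
MODERN_CSP = ("default-src 'self'; img-src 'self' data:; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

SECURITY_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",          # only the site itself may frame it
    "X-Content-Security-Policy": LEGACY_CSP,  # for the older browsers the text targets
    "Content-Security-Policy": MODERN_CSP,
}


def missing_security_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Names from SECURITY_HEADERS absent from a response (case-insensitive match)."""
    present = {name.lower() for name, _ in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


def add_security_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Append each missing header; a value the application already set is left alone."""
    return list(headers) + [(n, SECURITY_HEADERS[n]) for n in missing_security_headers(headers)]


def security_headers_middleware(app):
    """Wrap a WSGI application so that every response carries the headers."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers), exc_info)
        return app(environ, patched_start)
    return wrapped


def hosted_site(environ, start_response):
    """Stand-in for a hosted web site that sets no security headers itself (constructed)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hosted web site</body></html>"]


def run_once(app) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app with a minimal constructed request and capture the response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, bare_headers, _ = run_once(hosted_site)
    print("missing before:", missing_security_headers(bare_headers))
    status, headers, body = run_once(security_headers_middleware(hosted_site))
    print(status, headers)
    print("missing after:", missing_security_headers(headers))
```

`missing_security_headers` doubles as a monitoring check: run it against the header list of responses sampled from each hosted web site 235 and alert on any non-empty result, which catches an application that strips or overrides the headers.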
- full apparent functionality of the executable user application 242 can be provided to a non administrative user 104 (as intended by the administrative user 248 ) operating within the executive jail 122 while controlling disk access. These actions can also be accomplished while prohibiting user activities that might be malicious or unusual with regard to the administrative user application 240 itself and/or the parent operating system 212 .
- the administrative jails 124 of some embodiments do face the Internet 102 through applicable access techniques (for instance, VPN). More specifically, administrative users 248 can access their administrative jails 124 (and the administrative user applications 240 therein) through various secure protocols available now and/or yet to be developed such as combinations of SSH-HTTPS, VPN techniques, etc. Such access can be password protected and/or encrypted. Moreover, Internet 102 access to/from the administrative jails 124 can be further restricted by various embodiments.
- the stack 200 can prohibit/prevent inbound Internet 102 traffic except for that traffic associated with authorized administrative users 248 (and/or the host administrative user 129 via the separate administrative network 142 ). Outbound Internet 102 access for these parties could, though, be allowed if desired.
- embodiments provide database jails 225 and/or virtual roots in which the application databases 125 can be located. While FIG. 2 illustrates a one-to-one correspondence between the database jails 225 and the application databases 125 , no such limitation exists with respect to the current disclosure.
- the stack 200 allows administrative users 248 to structure their user applications 140 and application databases 125 according to their desires.
- the database jails 225 operate in a manner similar to administrative jails 124 but without having a corresponding executive jail 122 . Both the executive jails 122 and the administrative jails 124 (and entities therein) often have legitimate desires to access the application databases 125 residing in the database jails 225 . For instance, non administrative users 104 might want to send sensitive data to the application databases 125 pertaining to an account that they might have on a hosted web site 235 . Likewise, an administrative user 248 might need to alter the table structure of their application database 125 .
- the application configuration file 236 (for instance “app-confs” as illustrated in FIG. 6 ) can define username:password pairs for the various valid users 104 and 248 for access to the application databases 125 in the database jails 225 .
- Because the database jails 225 can detect the IP addresses (IP1 and/or IP2) from which access requests originate, they can disallow access requests from administrative users 248 connecting from within the executive jails 122 , whose write privileges to the application databases 125 belong with the administrative jails 124 , not the executive jails 122 .
- malicious users 106 trying to brute force an administrative password for an application database 125 from the executive jails 122 will fail even if they do correctly guess the username:password pair of an administrative user 248 .
- database jails 225 of some embodiments impose no restriction on access attempts from valid administrative users 248 from within their administrative jails 124 , although an administrative jail 124 /address IP2 mismatch could cause a database jail 225 to deny an access attempt of any sort from a particular administrative user 248 in a particular administrative jail 124 . Moreover, such an event could trigger a reaction from the stack 200 such as notifying a compliance officer, the host administrative user 128 , and/or security operations personnel.
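The database jail access decision described in the preceding items, written out as an added Python example (it is not code from the patent or from any product it describes). The app-confs contents, the IP1/IP2 address plan and the split between ordinary application queries and administrative operations such as altering a table structure are constructed assumptions; the point it shows is that a correctly guessed administrative username:password pair is still refused when it arrives from the executive jail's address, and that a jail/address mismatch denies everything and raises an alert.

```python
from dataclasses import dataclass

# Constructed stand-in for the app-confs file (236): valid username:password
# pairs for one application database and whether each is an administrative
# (schema-altering) account.
APP_CONF = {
    "webuser": {"password": "public-s3cret", "role": "non_admin"},
    "siteadmin": {"password": "admin-s3cret", "role": "admin"},
}

# Constructed address plan: the executive jail is reached at IP1, the
# administrative jail at IP2.
JAIL_ADDR = {"executive": "10.0.1.10", "administrative": "10.0.2.10"}


@dataclass
class Request:
    user: str
    password: str
    src_ip: str          # address the database jail sees the request coming from
    claimed_jail: str    # "executive" or "administrative"
    op: str              # "query" (data access through the application) or "admin" (e.g. ALTER TABLE)


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False  # True when the stack should notify someone


def db_jail_decide(req: Request, conf=APP_CONF, addr=JAIL_ADDR) -> Decision:
    # 1. The username:password pair must be one the app-confs file lists.
    entry = conf.get(req.user)
    if entry is None or entry["password"] != req.password:
        return Decision(False, "unknown user or bad password")

    # 2. The jail the request claims to come from must own the source address.
    #    An administrative-jail/IP2 mismatch denies everything and alerts.
    if addr.get(req.claimed_jail) != req.src_ip:
        return Decision(False, "jail/address mismatch", alert=True)

    # 3. Ordinary data access through the hosted application is fine from either jail.
    if req.op == "query":
        return Decision(True, "application query permitted")

    # 4. Administrative operations belong with the administrative jail: a correctly
    #    guessed admin pair presented from IP1 still fails, and is worth an alert.
    if req.claimed_jail != "administrative":
        return Decision(False, "administrative operation from executive jail", alert=True)
    if entry["role"] != "admin":
        return Decision(False, "account is not administrative")
    return Decision(True, "administrative operation permitted")
```

The source address is taken from the connection, not from the request body, so the check in step 2 is only as strong as the VLAN switch and firewall that keep IP1 and IP2 from being spoofed between jails.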
- Jails 122 , 124 , and 225 can be implemented in stacks 200 as templates for a variety of uses. For instance, while the foregoing has discussed executive, administrative, and database jails 122 , 124 , and 225 , other jails such as (syslog) logging jails can be implemented by stacks 200 . Moreover, the various jails can exist within one (real or virtual) machine or on a plurality of separate devices with switches, firewalls, etc. deployed therebetween if desired. As a result, modular stacks 200 can be deployed and connected together to tailor systems as users might desire, with the jails 122 , 124 , 225 , etc. and permissions, privileges, rights, etc. securing the content therein.
- the host administrative user 129 is capable of editing the parent file structure 214 and the data, data structures, virtual roots, partitions, etc. defined therein. This means, in part, that the host administrative user 129 can edit the executive jails 122 , the administrative jails 124 , the corresponding relationships therebetween, the administrative user applications 240 , etc. Moreover, the host administrative user 129 can edit the configuration files 236 to 238 associated with both non administrative users 104 and administrative users 248 as well as the administrative versions of the user applications 240 . In other words, host administrative users 129 can have complete unrestricted access to the stack 200 via the administrative network 142 and need no user configuration file with which to operate. Instead, the access of the host administrative user 129 comes via the administrative network 142 , over which the host administrative users 129 have sole access.
- application and user configuration files 236 - 238 limit the activities of users 104 and 248 .
- the user configuration files 237 and 238 provide for resourcing the corresponding users 248 and 104 and define the activities in which they are permitted to engage.
- Application configuration files 236 typically contain application or web server specific configuration information and therefore determine how an administrative version of a user application 240 behaves in an administrative jail 124 .
- the application configuration file 236 also helps define how the hosted web sites 235 and/or administrative user applications 240 interact with their associated application databases 125 .
- the user configuration files 237 and 238 can also contain nonces that are unique to each file, thereby complicating attempts to misuse these user configuration files 237 and 238 . Thus, even if these files are compromised they do not allow a malicious user 106 (operating from the corresponding jail 122 / 124 ) to know the value of these nonces (in the differing versions of the configuration files 238 / 237 in the other jail 124 / 122 ). Moreover, no user configuration file 237 and/or 238 allows or is even permitted to allow non administrative users 104 or administrative users 248 access to the parent operating system 212 .
- the administrative versions of the user configuration files 237 can grant read/write privileges to the administrative users 248 from within their administrative jails 124 but not elsewhere.
- the only files in the parent operating system 212 (or the parent file structure 214 for that matter) that administrative users 248 can edit are their own administrative versions of their user applications 240 , their web servers, and the programming language(s) that their web servers might use (for instance, PHP, Python®, Perl, Java®, ASP.NET, etc.). But, even so, the stack 200 prevents administrative users 248 from modifying binaries of the parent operating system 212 itself. Note, also that it is only the administrative versions of the user configuration files 237 which define administrative privileges for the administrative users 248 .
- these administrative user configuration files 237 that relate to the administrative users 248 do not get mounted to the executive jails 122 unless provided for by the host administrative user 129 .
- the administrative versions of the user configuration files 237 are not vulnerable to attack by malicious users 106 operating in the executive jails 122 (or by user applications 140 which are not written to good design/programming practices and/or that might be behaving in some potentially errant manner).
- the cross mounted and executive user configuration files 238 define privileges for these users. For instance, merely public users (those without valid passwords for a particular executive jail 122 ) can at most only read/view the information in the executive jails 122 since they have no cross mounted executive user configuration file 238 associated therewith. Non administrative users 104 who do have valid passwords can be given read access to the executable user applications 242 . This privilege means that they can use the executable user applications 242 (and the functionality provided thereby) but cannot alter the executive user applications 242 much less the un-cross mounted and hidden administrative versions of the user applications 240 .
- when an unprivileged non administrative user 104 accesses a hosted web site 235 , it will ordinarily appear to have full access to the application database 125 functionality if the user application 140 permits it.
- administrative functions (even within the administrative jails 124 ) are restricted by embodiments to prevent even administrative users 248 from writing to system disk.
- non administrative users 104 have no file ownership privileges anywhere in the stack 200 of many embodiments.
- the cross mounted and executive user configuration files 238 point to different storage locations within the parent operating system 212 than the corresponding administrative user configuration files 237 in the administrative jails 124 .
- no non administrative user 104 has the power to edit their own configuration files 237 or 238 .
- non administrative users 104 and administrative users 248 are therefore powerless to edit the parent operating system 212 or any portion thereof. Plus, since non administrative users 104 can only see and access the executive jails 122 and the contents thereof, rogue behavior on their part can, at worst, alter the executive and cross mounted user applications 242 and those executive user configuration files 238 that are also cross mounted in to the executive jails 122 in which they happen to be. But, they cannot alter the corresponding administrative configuration files 236 and 237 related to the administrative users 248 and the administrative versions of the user applications 240 in the administrative jails 124 . Thus, administrative versions of the user applications 240 and configuration files 236 and 237 remain safely hidden in the administrative jails 124 from non administrative users 104 and malicious users 106 .
- the password files associated with each executive jail 122 are independent from each other and can have at least some identical UID:password pairs therein.
- all cross mounted and executive user configuration files 238 are permitted only disk read only privileges (and access privileges to application database 125 via user applications 140 ) associated therewith.
- any disk write privilege appearing in a mounted and executive version of the user configuration file 238 would be a likely indication of rogue behavior: something altered that executive user configuration file 238 .
- the foregoing privilege restrictions ensure that no non administrative user 104 can write directly to any location within the parent operating system 212 without triggering suspicion.
- any disk writing activity that non administrative users 104 might attempt from the executive jails 122 would have to occur via cooperation with the executable user application 242 and the administrative version of the user application 240 and could only affect the associated application database 125 .
- the executive and administrative versions of the user configuration files 238 and 237 respectively, point to different storage locations in the parent operating system 212 and allow write privileges to no one other than administrative users 248 .
- Those privileges moreover, extend only to the administrative jails 124 , their binaries, administrative versions of the user applications 240 , associated application databases 125 , etc.
- Successful rogue behavior defeating the safeguards associated with all of the foregoing layers of protection would therefore seem hard to imagine.
- stacks 200 of the current embodiment include one or more backups to most, if not all, security features employed therein. These backups force malicious users 106 to find two or more simultaneous weaknesses to exploit (without being detected), thereby making successful attacks exponentially more difficult than single-weakness-based exploits such as those to which conventional hosts 110 remain vulnerable.
- a more specific example illustrates an implementation of the cross mounting techniques employed by various stacks 200 .
- the administrative version of the configuration files 236 and 237 are cross mounted using different names in the executive jails 122 than the names of the corresponding files 236 and 237 in the administrative jails 124 . More specifically, suppose that a directory named /site-config/ exists in an administrative jail 124 and its corresponding executive jail 122 . Further suppose that the administrative version of this directory /site-config/ further defines a series of directories called {site_name}/app-config/public/.
- stacks 200 cross mount these directories into the executive jail 122 using a name such as /site-config/{site_name}/app-config/. From the perspective of each executive jail 122 , users therein would see /site-config/{site_name}/app-config/. However, in the administrative jails 124 , stacks 200 differentiate between the two versions.
- a malicious user 106 who manages to compromise the executive jail 122 will at best find what has been mounted from the /site-config/{site_name}/app-config/public/ directories (and their contents) but will not see what the administrative jail contains in /site-config/{site_name}/app-config/ even though from the executive jail the file path appears to be /site-config/{site_name}/app-config/. That is, users will not see files associated with the parent version of that directory. Instead, they will only see the version of that directory in the executive jail 122 .
- FIG. 6 provides yet another cross mounting implementation.
- FIG. 6 illustrates cross mounted configuration files. More particularly, FIG. 6 illustrates an Apache implementation regarding the cross mounting of configuration files 236 to 238 . Moreover, FIG. 6 illustrates one Apache implementation which works around the lack of pathname-related glob * operator resources in Apache and which still allows the administrative jail 124 and executive jail 122 to possess their own copies of the configuration files (without requiring separate httpd.conf files in these jails 122 and 124 ). Moreover, the foregoing features allow stacks 200 to keep separate secure socket layer/transport layer security (SSL/TLS) certificates.
- FIG. 6 illustrates, the files in the base jail (from which the administrative jail 124 and its corresponding executive jail 122 depend) are mounted to the administrative jail 124 as is in embodiments. This mounting arrangement therefore provides administrative users 248 operating within their administrative jail 124 access to all files pertinent to their administrative duties.
- a subset of the configuration files are cross mounted to the executive jail 122 .
- Arrows 602 , 604 , 606 , and 608 illustrate the partial cross mounting of some directories whereas arrow 610 indicates that one particular directory (here the tmp directory) does not get cross mounted into the executive jail 122 .
- Any directory containing sensitive information can be withheld from the cross mounting by administrative users 248 who segregate such directories from the directories which will be cross mounted or by some scheme in stacks 200 to so designate such directories.
- the file paths for other hosted web sites 235 do not appear anywhere (in the configuration files themselves or on disk) from the perspective of the executive jail 122 and those operating therein. In this manner, malicious users 106 cannot gain information that might have otherwise been leaked from the files, pathnames, etc. Again, these features help prevent a malicious user 106 from pivoting from one compromised web site 235 to attack another.
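The two cross-mounting descriptions above (the renamed /site-config/{site_name}/app-config/ mount and the FIG. 6 arrangement in which some directories such as tmp are withheld) modelled as an added Python example; this is not code from the patent or from any project. The administrative tree, the site names, the mount table and the "sensitive directory" list are constructed. A mount is represented as a pair (name inside the executive jail, directory in the administrative jail), mirroring a read-only mount of one subtree under another name, so the example shows what a user in the executive jail can and cannot resolve, and includes an audit check that would catch a mount exposing a directory an administrative user had designated as sensitive.

```python
from pathlib import PurePosixPath as P

# Constructed administrative-jail tree (path -> contents) for two hosted sites.
ADMIN_TREE = {
    "/site-config/shop/app-config/public/httpd-vhost.conf": "shop vhost",
    "/site-config/shop/app-config/public/ssl/cert.pem": "shop certificate",
    "/site-config/shop/app-config/db-credentials": "shop username:password",
    "/site-config/shop/app-config/tmp/session.cache": "shop scratch data",
    "/site-config/blog/app-config/public/httpd-vhost.conf": "blog vhost",
    "/site-config/blog/app-config/db-credentials": "blog username:password",
}

# Mount table for the shop's executive jail: (name inside the executive jail,
# directory in the administrative jail).  Only the public subtree is mounted,
# under the shorter name the text describes.
SHOP_EXEC_MOUNTS = [
    ("/site-config/shop/app-config", "/site-config/shop/app-config/public"),
]

# Directories an administrative user has designated as never to be cross mounted
# (the tmp directory of arrow 610, plus the database credentials).
SENSITIVE_DIRS = [
    "/site-config/shop/app-config/tmp",
    "/site-config/shop/app-config/db-credentials",
]


def _under(path, root):
    """True if `path` is `root` itself or lies below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def executive_view(mounts, admin_tree=ADMIN_TREE):
    """Tree as seen from inside the executive jail (path -> contents).
    Anything not reachable through a mount does not exist from that jail."""
    view = {}
    for exec_root, admin_root in mounts:
        for admin_path, contents in admin_tree.items():
            if _under(admin_path, admin_root):
                rel = P(admin_path).relative_to(admin_root)
                view[str(P(exec_root) / rel)] = contents
    return view


def exec_read(mounts, path, admin_tree=ADMIN_TREE):
    """Contents a user in the executive jail gets for `path`, or None when the
    path is simply absent from that jail's perspective."""
    return executive_view(mounts, admin_tree).get(path)


def exposed_sensitive(mounts, sensitive=SENSITIVE_DIRS, admin_tree=ADMIN_TREE):
    """Audit check: administrative paths that a mount would expose although
    they lie under a directory designated as sensitive."""
    hits = []
    for _, admin_root in mounts:
        for admin_path in admin_tree:
            if _under(admin_path, admin_root) and any(_under(admin_path, s) for s in sensitive):
                hits.append(admin_path)
    return sorted(hits)
```

Because the executive name drops the public/ segment, nothing in the executive jail reveals that a sibling directory holds credentials, and the blog site's paths do not appear at all, which is the property that stops a pivot from one compromised site to another.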
- the stack 200 of various embodiments allows user applications 140 and hosted web sites 235 to be designed, developed, written, etc. without security in mind. Indeed, these user applications 140 can contain just about any type of content, functionality, etc. without being a danger to other user applications 140 or the parent operating system 212 . Moreover, the user applications 140 can fail to meet good design/programming practices (at least from a security perspective) and be inherently susceptible to attack when executed by conventional hosts 110 , yet they can still execute securely within stacks 200 of embodiments.
- the user applications 140 themselves need not necessarily support various security technologies such as VPN, HTTP/S, SSH, etc. to enjoy the benefits thereof, although application owners might desire to use such techniques to help foil man in the middle 116 attacks/vulnerabilities (for instance, intercepting sensitive information being transferred to/from the non administrative users 104 ). Although, the user applications 140 might execute more reliably if they do support such technologies. Furthermore, pre-existing user applications 140 need not be re-written or otherwise edited to be executed within the executive jails 122 since they can rely on the security features of stacks 200 to protect parts of the parent operating system 212 (and other hosted user applications 140 ) from their potentially errant behavior. For instance, the stacks 200 can require that non administrative users 104 access the (cross mounted versions) of the executable applications 242 via the HTTP/S protocol (or some other protocol) associated with certain executive jails 122 .
- the executable user applications 242 are cross mounted to the executive jails 122 from the administrative jails 124 .
- rogue behavior in the executive jails 122 can only harm the cross mounted and executable user applications 242 , not the corresponding administrative versions of the user applications 240 in the administrative jails 124 .
- these two versions of the user applications 240 and 242 are stored in different virtual roots which are separated from each other by the parent operating system 212 .
- the stack 200 of embodiments also provides compliance/auditing features sometimes desired by users affected by HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. rules.
- the stack 200 gives administrative users 248 (and host administrative users 129 for that matter) freedom to implement user applications 140 that watch for potential violations of the regulations, standards, industry practices, etc. with which they might want to comply (and changes thereto).
- these report-generating user applications 140 can detect intentional (or unintentional) changes in read/write privileges and send an alert informing a compliance officer (or other user) that a hosted web site 235 has detected a suspected attack and has responded in some fashion to restore compliance (should the attack or accidental occurrence such as an administrative mis-configuration have affected it).
- the stack 200 of the current embodiment can preserve all audit trails (or at least allow for their recovery) for further investigation. Stacks 200 thereby provide better post-forensic analysis as well.
- the stack 200 uses syslog monitoring capabilities including those related to security issues as well as those related to web logging.
- stacks 200 of embodiments can use other monitoring capabilities in place of syslog capabilities.
- the stack 200 can gather syslog data 130 (or similar information) from wherever it might arise in the system 100 .
- FIG. 2 illustrates syslog data 130 being gathered from virtual roots 224 and/or partition for the executive and administrative jails 122 and 124 respectively; from the parent operating system 212 ; from the parent file structure 214 ; and from the hosted web sites 235 .
- the stack 200 can take various actions. For instance, the stack 200 can stop the activity; revert to a last-known-safe-state; roll the activity back; allow it to continue while gathering intelligence about it; alert the host administrative user 129 ; respond according to a rule or set of rules; etc.
- stacks 200 of embodiments send syslog data 130 to the parent operating system 212 (and/or to off-site secure storage) for storage and subsequent processing.
- Some stacks 200 also (or instead) store syslog data 130 in the corresponding administrative jails 124 corresponding to the location of the activity that triggered the syslog reporting mechanism(s).
- the syslog data 130 is secured for subsequent review and analysis by either the host administrative user 129 and/or the administrative users 248 as the case may be.
- some embodiments forensically secure the syslog data 130 stored in the parent operating system 212 (and, perhaps, within a syslog dedicated partition if desired to, for instance, manage its size and prevent server denials of service should it become large enough to cause such effects).
- One of many secure mechanisms for sending syslog data 130 to the parent file structure 214 is the open source security (OSSEC) protocol.
- Parent operating systems 212 of embodiments also monitor for other pertinent data indicative of malicious, negligent, potentially errant, etc. behavior including (but not limited to): file modifications; permission changes; ownership changes; uptime/performance monitoring (of both executive and administrative jails 122 and 124 , web applications, user applications 140 , application databases 125 , hosted web sites 235 , etc.); disk input/output operations; allocated and available drive space; allocated and available memory; CPU utilization; successful and unsuccessful user login attempts; the number of TCP connections; the number of TCP states; web requests; etc.
- Parent operating system 212 can also monitor processes to help ensure that features such as syslog and/or the web servers remain operative. Of course, this syslog data 130 can be made available to compliance officers, compliance auditors, and/or other users in summary and/or detailed form. In any case, the stack 200 can make available a record of pertinent events for forensic analysis and/or review.
- syslog data 130 related thereto can be sent to and stored in the administrative jails 124 where the corresponding administrative users 248 would likely be the ones with interest in its contents.
- the host administrative user 129 could also review their syslog data 130 if desired since the privileges associated with the host administrative user 129 allows the host administrative user 129 access to the administrative jails 124 .
- the syslog 130 data can also be monitored, reviewed, and analyzed, used for corrective or remedial action, etc. by the administrative users 248 and/or host administrative user 129 .
- administrative user applications 240 can be provided to generate reports from the syslog data 130 sufficient to at least, in part, comply with HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, and/or similar rules.
- FIG. 3 illustrates a flow chart of a method for setting up an operating system and/or web server. More specifically, FIG. 3 illustrates that the method 300 sometimes begins with the parent operating system 212 booting up and/or accessing its parent file structure 214 as reference 302 indicates. It is noted here that syslog data 130 monitoring and/or firewalls might have already been activated if desired. In any case, the parent operating system 212 can read the administrative application configuration files 236 looking for unexpected changes. See reference 304 .
- Method 300 can also include reading the administrative and executive user configuration files 237 and 238 as indicated at reference 306 . If desired, the parent operating system 212 can compare both versions of the user configuration files 237 and 238 (administrative and executive) if both are available and check for differences. An unexpected difference, of course, might indicate that at least something unusual and/or potentially worthy of investigating has occurred. In this manner (and perhaps others) the parent operating system 212 can begin identifying users 104 and 248 as they might attempt to access the host 112 (not that network services are necessarily running at this time).
- an alert can be raised and/or the activity stopped whether automatically or by intervention by a host administrative user 129 .
- the administrative application configuration file 236 could be inspected for unexpected modifications and appropriate actions taken should a discrepancy be detected.
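The start-up checks at references 304 and 306, together with the earlier rule that a cross mounted executive user configuration file 238 should never carry a disk write privilege, as an added Python example (not code from the patent or any product). The file format is an assumption: one key = value per line, # comments, and a comma-separated privileges list; the sample files are constructed. Two checks are shown: the executive copy is scanned for any write privilege, and the administrative and executive copies of one user's file are compared, with only the nonce and the storage location allowed to differ.

```python
import re

LINE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")

# Fields that legitimately differ between the 237 and 238 versions of a file.
EXPECTED_DIFF = {"nonce", "storage"}
# Privilege names treated as disk-write capability (assumed vocabulary).
WRITE_PRIVS = {"write", "disk-write", "own"}

# Constructed sample files.
ADMIN_CONF_237 = """\
# administrative version (mounted only in the administrative jail)
user = alice
privileges = read, write, db-access
storage = /jails/admin-alice/conf
nonce = 7f3a9c
"""

EXEC_CONF_238_OK = """\
user = alice
privileges = read, db-access
storage = /jails/exec-alice/conf
nonce = 11b2e0
"""

# Tampered copy: a write privilege has appeared in the executive version and
# the user name no longer matches the administrative version.
EXEC_CONF_238_TAMPERED = """\
user = mallory
privileges = read, write, db-access
storage = /jails/exec-alice/conf
nonce = 11b2e0
"""


def parse_conf(text: str) -> dict:
    """Parse the assumed key = value format; privileges become a set."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if key == "privileges":
            conf[key] = {p.strip() for p in value.split(",") if p.strip()}
        else:
            conf[key] = value
    return conf


def check_executive_conf(text: str) -> list:
    """Any write privilege in a 238 file is a likely sign that it was altered."""
    conf = parse_conf(text)
    bad = sorted(conf.get("privileges", set()) & WRITE_PRIVS)
    return [f"write privilege {p!r} present in executive copy" for p in bad]


def compare_versions(admin_text: str, exec_text: str) -> list:
    """Reference 306: report differences outside the fields expected to differ."""
    a, e = parse_conf(admin_text), parse_conf(exec_text)
    findings = []
    for key in sorted((set(a) | set(e)) - EXPECTED_DIFF):
        av, ev = a.get(key), e.get(key)
        if key == "privileges":
            # The executive copy may only hold a subset of the admin copy.
            extra = sorted((ev or set()) - (av or set()))
            if extra:
                findings.append(f"executive copy has privileges not in admin copy: {extra}")
            continue
        if av != ev:
            findings.append(f"{key}: admin={av!r} executive={ev!r}")
    return findings


def audit(admin_text: str, exec_text: str) -> list:
    """Combined start-up check; an empty list means nothing unexpected."""
    return check_executive_conf(exec_text) + compare_versions(admin_text, exec_text)
```

An empty result is the expected state at boot; any finding is the "unexpected difference" the text says should raise an alert or stop the activity, and since the administrative copy is never mounted in the executive jail, a malicious user there cannot edit both copies into agreement.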
- the parent operating system 212 can start the network and/or host firewall 114 application before any network services are started (or if another instance of it is desired). See reference 308 .
- the firewall can be configured to allow VLANs associated with the jails 122 and 124 and/or the application databases 125 to contact each other through the VLAN switch 202 , on certain ports, in certain manners, etc. so that the jails 122 and 124 and application databases 125 can support the functionality desired in the hosted web sites 235 and/or user applications 140 .
- the parent operating system 212 of the current embodiment can begin setting up the jails 122 and 124 .
- the parent operating system 212 could set up the jails 122 and 124 before the aforementioned activities depending on the desires of the host administrative users 129 who might be directing the activities of the parent operating system 212 .
- the parent operating system 212 could create one or more administrative jails 124 or virtual roots as indicated at reference 310 . If the application configuration files 236 and the administrative version of the user configuration files 237 are not already mounted in the administrative jail 124 related virtual roots 224 and/or partitions, the parent operating system 212 can mount these files into the appropriate administrative jails 124 . See reference 312 .
- the parent operating system 212 could cross mount the administrative user applications 240 into the administrative jails 124 as indicated at reference 314 .
- the parent operating system 212 could also create virtual roots for the executive jail(s) 122 as reference 316 indicates.
- Method 300 also includes the administrative user 248 cross mounting executive user configuration files 238 (for the non administrative users 104 ) to one or more executive jails 122 .
- non administrative users 104 accessing the executive jails 122 can be authenticated before they proceed with any activity therein. See reference 318 .
- reference 320 illustrates the operating system 212 cross mounting an executable user application 242 to the executive jail 122 which corresponds to the administrative jail 124 in which the administrative version had been located.
- when any non administrative user 104 accesses the cross mounted and executable user application 242 , that non administrative user 104 can perform those activities for which they possess privileges in accordance with the cross mounted and executable user configuration file 238 . See reference 322 where non administrative users 104 are illustrated as making access requests upon the executive jails 122 .
- administrative users 248 might begin making read/write access requests to various administrative jails 124 , the binaries therein, administrative user applications 240 , application databases 125 , etc. If and/or when these requests occur, the administrative jails 124 can authenticate the users involved, check their privileges, and grant/deny access accordingly. See reference 326 (and see also FIGS. 4 and 5 for further details in accordance with some embodiments).
- the parent operating system 212 collects syslog 130 data from a variety of sources within the host 112 and perhaps even from the system 100 .
- the parent operating system 212 could also collect syslog data 130 information throughout all or portions of the method 300 (and other methods such as methods 400 and 500 as illustrated by FIGS. 4 and 5 respectively). See reference 328 .
- the collected syslog data 130 can be analyzed (and/or compared with the expected conditions and activities in the host 112 ) to detect, identify, prohibit, etc. unusual, un-authorized, malicious, and other types of potentially errant activity.
- a security event and incident management (SEIM) tool capable of aggregating disparate data can be used to aid in monitoring the syslog data 130 (and/or syslog like data) and, via it, the operation of the host 112 .
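The syslog review at reference 328, as an added Python example rather than code from the patent or from any SIEM product: a small rule set run over constructed log lines. The audit record format, the jail naming (exec-* and admin-*) and the thresholds are assumptions about what a host would treat as expected; the two rules encode conditions the text singles out, namely disk writes or permission changes originating in an executive jail, and repeated failed logins, and each finding names the response the text lists (stop the activity, freeze the configuration file, alert).

```python
import re
from collections import Counter

# Constructed sample lines in classic BSD syslog shape.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 host audit[311]: jail=exec-shop op=read path=/site-config/shop/app-config/httpd-vhost.conf user=webuser
Mar  3 10:01:09 host audit[311]: jail=exec-shop op=write path=/usr/local/www/index.php user=webuser
Mar  3 10:01:10 host audit[311]: jail=exec-shop op=chmod path=/usr/local/www user=webuser
Mar  3 10:02:00 host sshd[414]: Failed password for siteadmin from 203.0.113.7 port 5100 ssh2
Mar  3 10:02:01 host sshd[414]: Failed password for siteadmin from 203.0.113.7 port 5101 ssh2
Mar  3 10:02:02 host sshd[414]: Failed password for siteadmin from 203.0.113.7 port 5102 ssh2
Mar  3 10:02:03 host sshd[414]: Failed password for siteadmin from 203.0.113.7 port 5103 ssh2
Mar  3 10:03:00 host audit[311]: jail=admin-shop op=write path=/jails/admin-shop/www/index.php user=siteadmin
"""

# Assumed audit record layout and the standard sshd failure message.
AUDIT = re.compile(r"audit\[\d+\]: jail=(?P<jail>\S+) op=(?P<op>\S+) path=(?P<path>\S+) user=(?P<user>\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")

# Operations that modify disk state; none are expected from an executive jail.
DISK_MUTATING = {"write", "chmod", "chown", "unlink"}
FAILED_LOGIN_THRESHOLD = 3


def review_syslog(text: str) -> list:
    """Return one finding per rule hit, in the order the evidence appears."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = AUDIT.search(line)
        if m and m["jail"].startswith("exec-") and m["op"] in DISK_MUTATING:
            findings.append({
                "rule": "disk-mutation-from-executive-jail",
                "jail": m["jail"], "user": m["user"], "op": m["op"], "path": m["path"],
                "action": "stop activity in jail, freeze executive config file, alert administrative user",
            })
            continue
        m = FAILED.search(line)
        if m:
            failures[(m["user"], m["ip"])] += 1
    # Bursts are only visible once the whole window has been read.
    for (user, ip), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "failed-login-burst", "user": user, "ip": ip, "count": n,
                             "action": "alert host administrative user"})
    return findings
```

The write from admin-shop by siteadmin produces no finding, matching the text's position that writes are normal inside an administrative jail and anomalous only when they originate in an executive jail.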
- Appropriate reports can be generated at reference 328 (and/or at other times) if desired to satisfy compliance/auditing rules related to HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc.
- method 300 can repeat in whole, or in part, as reference 330 indicates.
- the stack 200 provides for system level self auditing during methods 300 , 400 , 500 , and at other times.
- FIG. 4 illustrates a flow chart of a method associated with an executive jail. More specifically, FIG. 4 further illustrates that method 400 can occur in association with a user attempting to access an executive jail 122 (see for instance reference 322 of FIG. 3 ). From the user perspective, (who might be a public user, a valid non administrative user 104 , a malicious user 106 , an administrative user 248 , a host administrative user 129 , etc.), the user will typically first make an access request via the network and/or host firewall 114 or VLAN switch 202 . At this time, the network and/or host firewall 114 and/or VLAN switch 202 can compare the request and/or information regarding the user to its rules, settings, configuration, etc. and determine whether to allow the user access to the executive jail 122 in accordance therewith. See reference 402 .
- the user is initially allowed read only access to the executive jail 122 via address IP1. See reference 404 .
- the user may then begin attempting various operations as indicated by reference 406 .
- all read operations within the executive jails 122 are allowed unless it is desired that even public browsing of information in the executive jail 122 be prohibited.
- if the executive user application 242 , the administrative user application 240 , and the parent operating system 212 allow it, some write operations might be permissible. But, if no such provisions have been made, any disk write operation will be denied by the executive jail 122 .
- method 400 branches at reference 408 . More specifically, if a mere disk read operation (which includes operations that happen to write to off-disk locations such as those involving application databases 125 ) is requested, as at reference 410 , the executive jail 122 allows access for that user for that request to the executable user application 242 , application database 125 , and/or hosted web site 235 identified by the request (in compliance with the administrative user application 240 and permissions granted by the stack 200 ). If the parent operating system 212 detects any disk write operations during the requested operation, appropriate actions can be taken.
- method 400 branches to reference 412 . More specifically, the parent operating system 212 notifies the administrative jail(s) 124 corresponding to the write request that such a request has been made. If the configuration of the administrative jail(s) 124 , executable user application 242 , administrative user application 240 , and the stack 200 involved in the apparent request all permit the request, the stack 200 can grant the request. But, if any such test fails, the stack 200 denies the request and perhaps issues an alert or takes other action. See references 412 and 414 . Typically, the stack 200 will prevent branches to references 412 and 414 which perform such disk write operations. However, if a particular user application 140 requires/requests such access, permissions can be pre-arranged with the consent/cooperation of host administrative user 129 if desired.
- the stack 200 denies the request. Ordinarily, disk write operations will cause method 400 to branch to references 416 and 418 . However, even if a supposedly non-malicious user has attempted a disk write operation in executive jail 122 , something unusual would seem to be occurring. Accordingly, it is recognized that a malicious user 106 might have gained control of this particular executive jail 122 despite the safeguards associated therewith. The executive jail 122 will therefore usually attempt to deny the disk write operation. See reference 416 .
- the parent operating system 212 can stop execution of all activity associated with the particular executive jail 122 involved; freeze the configuration file 238 associated with the apparent non administrative user 104 involved; invalidate the password of that user (if that user has a valid password); alert the corresponding administrative user 248 and/or the host administrative user 129 ; or take other actions as might be desirable. See reference 418 .
- syslog data 130 available at reference 328 can be made available to support such activities.
- reference 420 indicates that the parent operating system 212 can be monitoring syslog 130 data during all or a portion of method 400 . Accordingly, if any activities, users, conditions in system 100 , etc. deviate from what is expected and/or permitted, the parent operating system 212 can take appropriate actions. Otherwise, method 400 can repeat, in whole or in part, as indicated at reference 422 .
- FIG. 5 illustrates a flow chart of a method associated with an administrative jail. More specifically, FIG. 5 illustrates method 500 whereby some administrative users 248 can access their administrative jails 124 .
- method 500 begins with a user making an access request to some administrative jail 124 through the network and/or host firewall 114 and/or VLAN switch 202 .
- the host firewall 114 and/or VLAN switch 202 can authenticate the user and otherwise verify that the access request (which, if granted, permits write activities within the requested administrative jail 124 ) was made in accordance with the configuration, rules, etc. of the host firewall 114 and/or VLAN switch 202 . See reference 502 . If not, the request is usually denied.
- the host firewall 114 and/or VLAN switch 202 allows the request to proceed. See reference 504 .
- the apparent administrative user 248 gains access to the requested administrative jail 124 via address IP2 for instance, that user becomes free to perform various read and write operations to/from the administrative jails 124 therein, application databases 125 therein, administrative user configuration files 237 therein (except their own user configuration file 237 ), binaries therein, etc. But, as disclosed elsewhere herein, those operations are limited to the confines of the particular administrative jail 124 to which the user has gained access. Any attempted write activity outside of that administrative jail 124 , particularly disk writes or writes to other administrative jails 124 (or even executive jails 122 ) by that user, will trigger appropriate action(s) from the stack 200 of many embodiments. See reference 506 .
- the administrative jail 124 of the current embodiment will allow most read operations made by a user who gained access to an administrative jail 124 as long as those read operations pertain to that administrative jail 124 and/or comply with read-access-restrictions pertaining to other virtual roots of the parent operating system 212 .
- a read request to another administrative jail 124 , executive jail 122 , or the parent operating system 212 could serve to indicate the desirability of an investigation or other response.
- permitted read requests will be executed as shown by connector “A” and reference 518 .
- the method 500 branches to reference 510 .
- the administrative jail 124 can check the privileges associated with the supposed administrative user 248 as defined by the corresponding administrative user configuration file 237 . See reference 512 . Should a mismatch be found, the administrative jail 124 often denies the request and might also issue an alert or take other appropriate action. See reference 520 . If the requested operation (which might be a write operation to the administrative jails 124 of some type) satisfies the privileges of the supposed administrative user 248 , method 500 continues by checking whether the supposed administrative user 248 is operating in the virtual root (or administrative jail 124 ) associated therewith. See connector “B” and reference 514 . If not, something can often be assumed to be amiss and method 500 branches to reference 520 .
- reference 520 indicates that the administrative jail 124 denies the request. But, in the case of an unauthorized write attempt, it might be the case that more immediate action and/or alerting would be in order. The parent operating system 212 and/or the host administrative user 129 can be alerted and therefore respond accordingly.
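The decision path of references 502 through 520 can be written down as one policy function, which makes it easier to see where each denial and each alert originates. The Python below is an added example and not code from the patent; the firewall table, user configuration entries, jail names and addresses in it are constructed for illustration.

```python
"""Added illustration of the access decisions in method 500 (references 502-520).
Not the patent's code; every name, address and rule below is constructed."""
from dataclasses import dataclass, field
from typing import List

# Constructed host firewall / VLAN switch table (reference 502): each administrative
# jail listens on its own address and admits only white-listed administrator sources.
FIREWALL_WHITELIST = {
    "admin_jail_siteA": {"address": "10.2.0.11", "sources": {"203.0.113.5"}},
    "admin_jail_siteB": {"address": "10.2.0.12", "sources": {"203.0.113.6"}},
}

# Constructed administrative user configuration files (237): home jail and privileges.
USER_CONFIG = {
    "alice": {"home_jail": "admin_jail_siteA", "privileges": {"read", "write"}},
    "bob": {"home_jail": "admin_jail_siteB", "privileges": {"read"}},
}


@dataclass
class Request:
    user: str
    source_ip: str
    target_jail: str  # the administrative jail whose address the request arrived on
    op: str           # "read" or "write"
    path_jail: str    # virtual root the requested path resolves into
                      # (another jail name, or "parent_os" for the parent operating system)


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: List[str] = field(default_factory=list)  # what the parent OS / host admin should see


def decide(req: Request) -> Decision:
    # 502/504: the host firewall or VLAN switch authenticates the source before
    # the request reaches any jail; anything else is denied without further checks.
    rule = FIREWALL_WHITELIST.get(req.target_jail)
    if rule is None or req.source_ip not in rule["sources"]:
        return Decision(False, "denied at host firewall/VLAN switch (502)",
                        [f"{req.source_ip} not white-listed for {req.target_jail}"])

    cfg = USER_CONFIG.get(req.user)
    if cfg is None:
        return Decision(False, "no administrative user configuration file (237)",
                        [f"unknown administrative user {req.user!r}"])

    # Reads are allowed while they stay inside the jail that was entered; a read
    # that reaches another jail or the parent OS is denied and worth investigating.
    if req.op == "read":
        if req.path_jail == req.target_jail:
            return Decision(True, "read within administrative jail (518)")
        return Decision(False, "read outside administrative jail",
                        [f"read attempt on {req.path_jail} from {req.target_jail}: investigate"])

    # 510/512: writes are checked against the privileges in the user's configuration file.
    if "write" not in cfg["privileges"]:
        return Decision(False, "privilege mismatch (512)",
                        [f"{req.user} attempted write without write privilege (520)"])

    # 514: the user must be operating in the virtual root associated with them;
    # a write aimed anywhere else is denied and escalated (520).
    if req.target_jail != cfg["home_jail"] or req.path_jail != cfg["home_jail"]:
        return Decision(False, "write outside own virtual root (514)",
                        [f"unauthorized write by {req.user} toward {req.path_jail}: alert host admin (520)"])

    return Decision(True, "write within own administrative jail")
```

The ordering matters: the firewall check runs before the configuration file is consulted, so an unknown source never learns whether a user name exists, and a denied write always carries an alert while a denied read only flags the event for review.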
- method 500 can include obtaining, analyzing, etc. syslog data 130 . These reviews can be performed by the host administrative user 129 , the administrative users 248 , or both if desired.
- the parent operating system 212 and/or a user application 140 can generate a compliance/auditing report if desired.
- the gathering of the syslog data 130 here can be performed continuously, periodically, on a scheduled basis, only when selected operations occur, etc.
- the syslog data 130 can be gathered from those portions of the system 100 at which it is desired to detect, isolate, stop, hinder, correct for, mitigate, etc. malicious, negligent, unauthorized, and/or other apparently errant activity. See reference 522 . More specifically, at reference 522 all events related to web access and/or logins can be logged, even if valid, to, for instance, keep track of those users who might be accessing a hosted web site 235 , application database 125 , user application 140 , etc.
- syslog and tools other than syslog can be employed. For instance Tripwire® and/or FTimes can monitor the checksums of various files in the jails 122 and 124 . If one of these tools detects a modification to a file it can alert the stack 200 and/or the host administrative user 129 . In addition, such tools can run in the parent operating system 212 where they can remain hidden from all users 104 , 106 , and 248 except the host administrative user 129 . This means, in part, that malicious users 106 (and even valid users 104 and 248 ) would be unaware of the tool and its monitoring efforts thereby making it more likely that a malicious (or accidental) change would be detected if attempted.
- the stack 200 could allow administrative users 248 to choose which resources (that they own) within their administrative jails 124 (and for that matter, in the executive jails 122 ) which they wish to have monitored for content integrity.
- if an administrative user 248 were to be informed of this service, they would not necessarily need to know how it might be performed. In this way, administrative users 248 would be free to perform certain administrative functions (such as changing variables in the configuration files 236 and 237 ) without causing needless alerts.
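As an added illustration of the checksum monitoring the preceding paragraphs attribute to tools such as Tripwire or FTimes (this is not code from the patent or from either tool), the Python below baselines SHA-256 digests of only the resources an administrative user has chosen to watch, so an edit to an unwatched configuration file raises nothing while a change to a watched binary does. The jail layout, file names and contents are constructed in a temporary directory.

```python
"""Added example of owner-selected content-integrity monitoring for a jail.
Not the patent's code nor Tripwire/FTimes; the jail tree below is constructed."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(jail_root: Path, monitored: Set[str]) -> Dict[str, str]:
    """Record digests of the monitored (jail-relative) paths that currently exist."""
    return {rel: sha256_file(jail_root / rel)
            for rel in sorted(monitored) if (jail_root / rel).is_file()}


def check(jail_root: Path, monitored: Set[str], base: Dict[str, str]) -> List[str]:
    """Compare the jail against the baseline; report only monitored resources."""
    current = baseline(jail_root, monitored)
    alerts: List[str] = []
    for rel in sorted(monitored):
        before, now = base.get(rel), current.get(rel)
        if before == now:
            continue                      # unchanged, or absent both times
        if before is None:
            alerts.append(f"ADDED {rel}")
        elif now is None:
            alerts.append(f"REMOVED {rel}")
        else:
            alerts.append(f"MODIFIED {rel}")
    return alerts


def demo() -> Tuple[List[str], List[str]]:
    """Constructed jail: the binary and a not-yet-present page are watched,
    the owner's configuration file deliberately is not."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original build")
        (root / "etc" / "app.conf").write_text("debug=0\n")
        monitored = {"bin/app", "etc/index.php"}
        base = baseline(root, monitored)

        # The administrative user edits their own configuration variable (236/237):
        # not a watched resource, so no needless alert.
        (root / "etc" / "app.conf").write_text("debug=1\n")
        quiet = check(root, monitored, base)

        # Something alters the watched binary and drops a watched file that did
        # not exist at baseline time: both must be reported.
        (root / "bin" / "app").write_bytes(b"\x7fELF altered build")
        (root / "etc" / "index.php").write_text("<?php echo 'x'; ?>\n")
        noisy = check(root, monitored, base)
    return quiet, noisy
```

Running the monitor from the parent operating system rather than inside the jail, as the text describes, also means the baseline digests live where jail users cannot read or rewrite them.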
- reference 522 illustrates that syslog data 130 and/or the like can be monitored and reviewed as desired.
- method 500 can repeat in whole, or in part, as desired as indicated at reference 524 .
- hosts 112 of various embodiments therefore place limits on the abilities of malicious users 106 and other users (and user applications 140 not written in accordance with good design/programming practices) to access, damage, or otherwise harm operating systems 212 , user applications 140 , web servers, etc.
- hosts 112 of some embodiments allow users (including administrative users 248 ) no authority to alter system variables, settings, etc. other than stopping and re-starting their hosted web sites 235 , user applications 140 , etc. Even these activities, though, can be detected via syslog reporting (and/or the like) so that an unusual pattern (or even an occurrence) of such events could trigger an investigation and/or corrective action.
- the worst that a malicious user 106 might be able to manage is being able to control one hosted web site 235 , one set of (commonly owned) user applications 140 , or command of one administrative jail 124 . Even so, that malicious user 106 would only be granted (by virtue of their attack) authority within those bounds and would further be limited to starting and/or stopping the (singular) hosted web site 235 .
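One way to turn the stop/start events that syslog can capture into an investigation trigger, as an added Python example that is not the patent's code: the log lines, program names, site names, the assumed year and the ten-minute/three-event threshold are all constructed.

```python
"""Added example: flag an unusual burst of hosted-web-site stop/start events and
surface denied write attempts from syslog-style lines.  Not the patent's code;
the log lines, program names, sites and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed syslog lines (130) as the parent operating system might collect them.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 host112 jailctl[411]: siteA: stopped by alice from 203.0.113.5
Mar  3 10:01:40 host112 jailctl[411]: siteA: started by alice from 203.0.113.5
Mar  3 10:05:12 host112 jailctl[411]: siteA: stopped by alice from 203.0.113.5
Mar  3 10:05:30 host112 jailctl[411]: siteA: started by alice from 203.0.113.5
Mar  3 11:30:00 host112 jailctl[411]: siteB: stopped by bob from 203.0.113.6
Mar  3 11:31:00 host112 jailctl[411]: siteB: started by bob from 203.0.113.6
Mar  3 11:32:10 host112 parentos[77]: siteA: write denied path=/usr/local/etc/app.conf uid=www origin=executive jail
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
EVENT_RE = re.compile(r"^(?P<site>\w+): (?P<event>stopped|started|write denied)(?: (?P<detail>.*))?$")


def parse(line: str, year: int = 2013) -> Optional[Dict[str, object]]:
    """Parse one BSD-style syslog line into an event, or None for lines we do not model.
    Classic syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = EVENT_RE.match(m["msg"])
    if not e:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "site": e["site"], "event": e["event"], "detail": e["detail"] or ""}


def find_restart_bursts(lines: List[str], window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> List[str]:
    """Report any site with >= threshold stop/start events inside one sliding window."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["event"] in ("stopped", "started"):
            times[ev["site"]].append(ev["ts"])
    findings = []
    for site, ts in sorted(times.items()):
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append(f"{site}: {best} stop/start events within {window}")
    return findings


def find_denied_writes(lines: List[str]) -> List[str]:
    """Every denied write merits immediate attention (reference 520), so list them all."""
    return [f"{ev['site']}: {ev['detail']}" for ev in filter(None, map(parse, lines))
            if ev["event"] == "write denied"]
```

A single restart by the site owner is normal and stays below the threshold; the sliding window catches the repeated pattern the text singles out, while denied writes are reported unconditionally because even one is out of policy.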
- a malicious user 106 might be able to write sensitive credit card data to an executive jail 122 . But, in embodiments, that malicious user 106 could not read such sensitive data from the executive jail 122 because of the differing versions of the user configuration files 237 and 238 in the respective jails 124 and 122 . Moreover, the host firewall 114 might assist in mitigating the results of such events by denying the apparent administrative user's attempt to access the administrative user application 240 and/or application database 125 from the executive jails 122 . As a result, even if a malicious user 106 gained command execution within an executive jail 122 , that malicious user 106 could not brute force the credentials for the administrative user 248 .
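The reason a compromised executive jail cannot brute force the administrator's credentials is that the executive version 238 of the configuration never contained them. The following Python is an added example of deriving 238 from 237 and checking the result before it is cross mounted; it is not the patent's code, and the file format, field names and sample values (including the IP3-style database address) are constructed.

```python
"""Added example: derive the executive user configuration (238) from the
administrative one (237) and verify nothing administrative leaked.
Not the patent's code; format, field names and values are constructed."""
import json
from typing import Any, Dict, Iterator

# Constructed administrative user configuration file 237 for one hosted web site.
ADMIN_CONFIG: Dict[str, Any] = {
    "site": "siteA",
    "app": {"document_root": "/var/www/siteA", "db_address": "10.3.0.21"},  # IP3-style address, constructed
    "users": {                       # non-administrative users 104 and their permissions
        "guest": {"permissions": ["read"]},
        "member": {"permissions": ["read", "write_db"]},
    },
    "admin_users": {                 # administrative users 248: stay in the administrative jail only
        "alice": {"password_hash": "$6$constructed$placeholderhash",
                  "privileges": ["read", "write", "restart"]},
    },
}


def derive_executive_config(admin_cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Keep site/app settings and non-administrative permissions; drop every
    administrative identity and credential."""
    return {
        "site": admin_cfg["site"],
        "app": dict(admin_cfg["app"]),
        "users": {name: {"permissions": list(u["permissions"])}
                  for name, u in admin_cfg["users"].items()},
    }


def _strings(node: Any) -> Iterator[str]:
    """Yield every key and string value in a nested configuration."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield str(k)
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)
    elif isinstance(node, str):
        yield node


def executive_copy_is_clean(exec_cfg: Dict[str, Any], admin_cfg: Dict[str, Any]) -> bool:
    """Gate before cross mounting: no administrator name or credential material
    from 237 may appear anywhere in 238."""
    secrets = set()
    for name, entry in admin_cfg.get("admin_users", {}).items():
        secrets.add(name)
        secrets.add(entry["password_hash"])
    return not any(s in secrets for s in _strings(exec_cfg))


def render_for_cross_mount(admin_cfg: Dict[str, Any]) -> str:
    """Serialize 238 only if the leak check passes; refuse rather than mount a bad copy."""
    exec_cfg = derive_executive_config(admin_cfg)
    if not executive_copy_is_clean(exec_cfg, admin_cfg):
        raise ValueError("executive configuration would leak administrative data; refusing to cross mount")
    return json.dumps(exec_cfg, indent=2, sort_keys=True)
```

The check is deliberately independent of the derivation: if someone later adds a field to the administrative file, the leak test still fails closed rather than trusting that the derivation remembered to strip it.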
- stacks 200 of embodiments provide improved security against malicious (or accidental) attacks and even against applications and/or web sites failing to meet good design/programming practices.
- stacks 200 of the current embodiment would recognize an attempt to execute a file outside of an executive jail 122 (even the administrative version of a user application 240 ) as an unusual, suspicious, and likely malicious attack. Likewise, stacks 200 would recognize attempts to edit administrative user applications 240 (even the executable user applications 242 ) outside of the corresponding administrative jails 124 as yet another type of malicious attack (or at least something unusual enough to perhaps merit investigation).
- a malicious user 106 can damage, destroy, or copy an executable user application 242 and/or executive user configuration files 238 in an executive jail 122 , that malicious user 106 cannot see, much less access, either the administrative jail(s) 124 , the resources therein (except those that are specifically cross mounted to the executive jail 122 such as application binaries, source code, etc.), or the parent operating system 212 and the resources stored therein.
- administrative users 248 can still access their administrative, and therefore, un-attacked versions of the user configuration file 237 and user applications 240 . More specifically, administrative users 248 can access these resources and inspect, modify, etc. the same. Changes made to these resources (in the administrative jail 124 ) can be cross mounted to the corresponding executive jail 122 for execution therein (and only therein in some embodiments) at the discretion of the administrative user 248 . In some embodiments, the stack 200 also password protects access to the administrative jails 124 . This helps reduce the risk should a malicious user 106 compromise one of the other administrative jails 124 (or executive jails 122 ) and it does so while still giving administrative users 248 full administrative access to the administrative user applications 240 .
- the stack 200 limits the resulting vulnerability to the administrative versions of their user applications 240 and administrative user configuration files 237 in that administrative jail 124 and not others.
- having two separate administrative jails 124 for some administrative users 248 would provide yet another level of redundancy in such situations whereby even a compromise of one of the two administrative jails 124 would leave the redundant administrative jail 124 in service in many scenarios.
- stacks 200 of embodiments can help defeat phishing attempts by (at the web server application firewall level) modifying some or all of the relative path references on the web sites to fully qualified paths, so that malicious users 106 end up sending referring URLs (Uniform Resource Locators) when they make copies of the site to be phished. This might make it a bit easier to copy the template login, registration, change password page, etc.
- embodiments provide web application firewalls either in front of the physical (web server) device on the Network or residing in the web server itself. These aspects of embodiments therefore deny malicious users 106 the ability to attack the hosts 112 and parent operating systems 212 directly.
- Embodiments therefore provide secure operating systems, web server systems, and methods possessing self compliance/auditing abilities with respect to HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. rules.
Abstract
Systems and methods for securely operating web servers, operating systems, etc. Methods of embodiments include creating virtual roots for executive jails and corresponding administrative jails within parent operating systems. Embodiments also include setting privileges associated with each of the executive jails to disk read-only. Moreover, administrative jails are hidden from executive jails and the parent operating system is hidden from both sets of jails. Also, the methods include cross mounting user configuration information and/or applications from the administrative jails and in to the corresponding executive jails. Methods can include password protecting the administrative jails and/or restricting the executive jails from initiating outbound communications. Methods can also include storing security related syslog data in locations associated with parent file structure of the parent operating systems. Methods can also include storing web log related syslog data in locations associated with the administrative jails thereby providing, as desired, compliance/auditing reporting functions.
Description
- Malicious users can represent not just a nuisance but an outright threat to the well-being of many companies. More specifically, companies (and for that matter any organization) that rely on the Internet or other wide area networks to communicate with their customers, vendors, government agencies, employers, etc. stand vulnerable to a vast variety of hacking related threats. For instance, take a company that has a web site hosted on a third party web server. If a malicious user evades the security measures protecting the application, that malicious user (colloquially termed a “hacker”) can harm, steal, copy, delete, etc. sensitive files, applications, and other information associated with the web site, the users of the web site, and/or the company.
- For instance, malicious users can execute cross site request forgeries (CSRF) to take unauthorized actions while acting as or impersonating (electronically) another user. In other cases, local-file-inclusion, remote-file-inclusion (LFI/RFI), command injection and/or structured query logic (SQL) injection hacking techniques can allow malicious users to execute malware or harmful code on hosted web sites. Moreover, if a malicious user somehow manages to access the administrative functions of one web site, that malicious user might be able to use that control to access yet other web sites controlled by that administrative function thereby pivoting from one security breach to another and multiplying the potential for harm. The malicious user's imagination is the only thing limiting the damage likely from such attacks and this is more so the case if that malicious user somehow accesses the administrative rights of the underlying operating system. In such cases, the malicious user could do severe damage, and even cover their tracks (by, for instance, erasing or altering security related audit trails).
- Moreover, once having mis-appropriated administrative rights, malicious users sometimes install and/or modify system binaries to install rootkits. By doing so they can create backdoors into the compromised system that allow them to maintain access to the same despite corrective measures geared toward the more apparent harm that they might have caused. One consequence of these types of breaches is that they can modify the web application to log or copy passwords or other personally or financially sensitive information for subsequent mis-use. In other hacking-related scenarios, malicious users might cause a hosted web site (or other system) to generate voluminous outbound traffic (for instance, spam) much of which often carries malicious software itself. In this latter case, the hosted system becomes a “zombie” or “bot” denying or limiting its usefulness to the owner/operator. The foregoing represents a small sampling of the vast array of threats that on-line systems face.
- The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number usually identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items.
- FIG. 1 illustrates a system of some embodiments.
- FIG. 2 illustrates a stack of some embodiments.
- FIG. 3 illustrates a flow chart of a method for setting up an operating system and/or web server.
- FIG. 4 illustrates a flow chart of a method associated with an executive jail.
- FIG. 5 illustrates a flow chart of a method associated with an administrative jail.
- FIG. 6 illustrates cross mounted configuration files.
- This document discloses systems, apparatus, methods, etc. for securing operating systems, web servers, etc. and more specifically systems, apparatus, methods, etc. for securing operating systems and/or web servers by creating administrative jails and executive jails from their parent operating systems and mounting user applications from the parent operating system to the administrative jails and cross mounting them into the executive jails.
- To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the annexed figures. These aspects are indicative of various non-limiting ways in which the disclosed subject matter may be practiced, all of which are intended to be within the scope of the disclosed subject matter. Other advantages and novel features will become apparent from the following detailed disclosure when considered in conjunction with the figures and are also within the scope of the disclosure.
- FIG. 1 illustrates a system of some embodiments. FIG. 1 illustrates system 100, a portion of the Internet 102, various non-administrative users 104, a malicious user 106, a user firewall 108, one or more conventional hosts 110, a host 112 of the current embodiment, a network and/or a host firewall 114, a “man in the middle” 116, conventional communications 118, and communications 120 in accordance with the current embodiment. Moreover, FIG. 1 illustrates that the host 112 of the current embodiment includes a plurality of executive jails 122, administrative jails 124, and application databases 125. In the current embodiment, the host 112 also generates certain monitoring data (syslog data 130), compliance/auditing reports 134, and hosts various user applications 140.
- Typically, user applications 140 and associated application databases 125 provide some functionality for various non-administrative users 104. Moreover, administrative users (not shown) associated therewith have responsibility for these user applications 140, application databases 125 and the sought after functionality. These user applications 140 (and application databases 125) reside in or execute in the hosts 110 and/or 112. As such, if the user applications 140 (or application databases 125) become vulnerable to malicious activities, the subsequent actions of the user applications 140 can harm, or enable harm to, conventional hosts 110. Thus, for a host, user applications 140 themselves represent a source of vulnerability. Yet, users often desire to use these user applications 140 on hosts
- Non-administrative users 104 also usually desire to use the Internet 102 (or some other wide area network (WAN)) to connect their computing and communications devices to various hosts 110 using conventional communications 118 to conduct business, exchange information, etc. with other users. They often perform such actions via the user applications 140 and application databases 125. As such, these non-administrative users 104 want their interactions with the hosts middle 116 and other malicious users 106 interfere with, intercept, and/or mis-direct conventional communications 118 and/or otherwise hack into conventional host 110 with their own computing and communication device. Moreover, these malicious users 106 often persist in their attacks and often use sophisticated, even clever, techniques while attempting to fulfill their purposes. Furthermore, they often wish to remain anonymous with their activities going undetected whenever they can arrange for such circumstances.
- As a result, systems 100 often employ user firewalls 108 associated with the computing devices that the non-administrative users 104 use to communicate over the Internet 102. Various conventional hosts 110 also employ network and/or host firewalls 114 at the hosts 112, web servers, and other locations within system 100. These firewalls malicious users 106. But, conventional hosts 110 (and the often sensitive information, user applications 140, web sites, etc. which they contain or host) remain vulnerable to malicious users 106 because the user application 140 is itself vulnerable. Its vulnerability might arise from malicious activity, its own design/programming (if it fails to meet good design/programming practices and in some cases even if it does meet these practices), and even from potentially errant actions of certain valid users (even if they act without harmful intent), etc.
- As is disclosed further herein, embodiments provide hosts 112 which employ executive jails 122 and administrative jails 124 to handle the communications 120 between the non-administrative users 104 and the user applications 140 residing in the hosts 112 and to execute the user applications 140 themselves. Hosts 112 allow non-administrative users 104 to access executive jails 122 and perform operations with the application databases 125 and/or user applications 140. Should read/write operations in the hosts 112 be desired or caused by activities of the non-administrative users 104, the hosts 112 operate in such a manner that these read/write operations occur within the contexts associated with the executive jails 122, the administrative jails 124, user applications 140, and/or the application databases 125. In addition, and usually on a pre-arranged basis, hosts 112 will allow a write operation to itself, its system disk, or its underlying operating system. That is, system disk writes typically occur only with the consent and cooperation of the host administrative user 129. But, in most situations, write operations are only permitted to the application databases 125 (for non-administrative users 104 and through the user applications 140) and to the programming or coding or other administrative features of the user applications 140 (for administrative users).
- Thus, for instance, if the host 112 is a web server hosting a particular web site and/or user applications 140, the host associates an administrative jail 124 and a corresponding executive jail 122 with that web site. Host 112, acting as a parent operating system, maintains two copies of the web server or other user applications 140 with one residing in the administrative jail 124 and the other executing (or being executable) in the executive jail 122. These two copies are typically mirror copies of each other except for 1) the difference(s) between and/or caused by the configuration files mounted in the administrative jail 124 and those cross mounted into the executive jail 122 and 2) changes which the administrative user might be making to the administrative copy.
- Typical non-administrative users 104 (without administrative privileges to the web site) interact with the web site via the executive jail 122. Administrative users (with administrative rights to the web site, its underlying user applications 140, information, etc.) interact with the web site via the administrative jail 124. This bifurcation of the web site and/or other features of the current disclosure prevents man in the middle 116 and other malicious users 106 from performing many known hacking techniques on hosts 112 of embodiments and its contents, resources, etc. More specifically, the host 110 separates them at the network or host firewall 114 so that administrative users are white listed via their IP address or via a virtual private network (VPN) (or both) so that the host 110 can identify them as such. Furthermore, by bifurcating the administration and execution of the user applications 140, embodiments allow the hosts 112 to isolate such activities within the appropriate jails jail 122/124, but that do occur within the other jail 124/122 can therefore trigger an investigation and/or corrective action by the hosts 112.
- Moreover, FIG. 1 illustrates that the host administrative user 129 of embodiments can oversee and/or monitor the operation of the host 112 and/or the stack of protocols, techniques, entities, etc. associated therewith. More specifically, the host administrative user 129 can monitor the operation of the executive jails 122, the administrative jails 124, the users (with and without administrative privileges), malicious users 106, and other aspects of the system 100 in general and, more specifically, the hosts 112. The host administrative user 129 is not necessarily a user in the sense of a non-administrative user 104 or an administrative user with responsibility for running one (or some subset of the user applications 140 and/or web sites) on the host 112. Although, if so desired, the host administrative user 129 could access an executive jail 122 as a non-administrative user 104 (and, therefore, without privileges) to assess how the host 112 appears to be running from such a perspective. To perform administrative duties related to the host 112 itself, though, a host administrative user 129 accesses the host 112 (and/or parent operating system) via a separate administrative network 142 in communication therewith. Host administrative users 129 can therefore log into the host 112 and then access (using their over-arching administrative privileges) the executive and administrative jails specific user application 140 or application database 125.
- It might also be worth noting before turning to a more detailed discussion with respect to FIG. 2 that hosts 112 of various embodiments can monitor syslog data 130 (and/or similar data) related to security and web logging to detect, identify, correct for, etc. malicious attacks and/or other unusual activity within or associated with host 112. Indeed, in some embodiments, hosts 112 use such syslog data 130 to generate compliance/auditing reports 134 for Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act, Payment Card Industry Data Security Standard (PCI DSS), etc. purposes related to the host 112. These reports can be run on demand, on a scheduled basis, or as detected changes suggest that a report might be warranted. Moreover, because of various features of the hosts 112, these compliance/auditing reports 134 enjoy greater security themselves and provide better post-forensic capabilities than hosts 110 heretofore available as well.
- FIG. 2 illustrates a stack of some embodiments. The stack 200 can be a portion of system 100 and can be used to host various user web sites, user applications 140, application databases 125, etc. Thus, the stack 200 includes a number of objects, data directories, files, applications, etc. and operates under certain protocols such as, for illustrative purposes, the transfer control protocol/Internet protocol (TCP/IP) to serve the hosted user applications 140. Indeed, in a cloud environment, the stack 200 sometimes faces the Internet 102 through a host firewall 114 and/or a network firewall so that users can access those resources while the host 112 enjoys some protection from malicious attacks courtesy of those firewalls. Of course, other implementations are within the scope of the current disclosure.
- With ongoing reference to FIG. 2, the stack 200 can be considered to include the parent operating system 212, the parent file structure 214, system binaries, etc. and is at least in some respects the operational part of the host 112. The stack 200 also controls access to the parent operating system 212 and parent file structure 214. Indeed, it can hide the parent operating system 212 from non-administrative users 104, malicious users 106, administrative users 248, and from user and administrative jails stack 200 can be said to include the network and/or host firewalls 114 of some embodiments.
- But, as noted with reference to FIG. 1, certain malicious users 106 will at times attack the stack 200 and/or the user applications 140. In other situations, the user applications 140 can behave as if they were malicious due to their design, programming, security features, etc. not meeting good design/programming practices. As a result, once a malicious user 106 has gained local access in some way (perhaps through the user applications 140 or flaws thereof) they are sometimes able to pivot and attack the stack 200 (typically using RFI/LFI or command injection techniques if perimeter security stopped more direct attacks). As is disclosed further herein, certain aspects, features, etc. of the stack 200 of various embodiments eliminate or, if not, mitigate the risks of such attacks and malicious-like behavior from user applications 140 which fail to meet good design/programming practices, and malicious-like behavior by various non-administrative users 104 and/or administrative users (even if they act without harmful intent).
- Thus, it might be useful to disclose some aspects, features, etc. of the stack 200 of the current embodiment. It might then be useful to disclose how these features operate together in the context of several methods while disclosing some of the results of these features and how they interact with each other. More specifically, the stack 200 of the current embodiment includes a parent operating system 212 residing and/or operating in a host device such as host 112. Furthermore, the scope of the current disclosure includes embodiments in which the host 112 resides in a virtual machine (VM) managed by a hypervisor as in some cloud environments.
- The stack 200 of some embodiments also includes or defines a virtual local area network (VLAN) switch 202, a parent file structure 214, and virtual roots 224 and/or partitions therein for various executive jails 122 and for the corresponding administrative jails 124 respectively. The executive jails 122 and administrative jails 124 often reside within the parent file structure 214 and inherit certain files and directories therefrom. Embodiments also provide database jails 225. The database jails 225 can also reside in virtual roots in the parent file structure 214. FIG. 2 also illustrates hosted web sites 235, an application configuration file 236, an administrative user configuration file 237, an executive version of a configuration file 238, an administrative version of a user application 240, a cross mounted and executable version of a user application 242, a cross mount arrow 246, and an administrative user 248.
- As noted, in many cases the stack 200 provides the parent operating system 212 with which to indirectly run various user applications 140, programs, etc. and/or to perform other secure operations desired by certain non-administrative users 104 and administrative users 248. In some cases, the parent operating system 212 hosts various hosted web sites 235 and/or user applications 140 as desired by one or more users and (as is disclosed further herein) does so through the executive jails 122, administrative jails 124, and database jails 225. More specifically, the parent operating system 212 generally maintains mirror copies of the user applications 140 in the executive jails 122 and the administrative jails 124.
- The stack 200 can employ a virtual image and a virtual local area network (VLAN) switch 202 so that if one portion of the stack becomes compromised, the compromise will have difficulty spreading. For instance, VLAN switch 202 can segment VLANs for each of the executive jails 122, administrative jails 124, and database jails 225. Moreover, the VLAN switch 202 allows stack 200 to block entities on one VLAN from seeing the other VLANs and entities, objects, resources, etc. therein. This segmentation results in a virtual firewall between the parent operating system 212 and users in the jails
- VLAN switch 202 might or might not be a full-fledged switch in some hosts 112. For instance, if one or more of the application databases 125 reside in a separate (real) machine a full-fledged switch could be employed. This situation can occur when compliance, performance, etc. reasons suggest that a separate residency might be desirable. In other cases, hosts 112 could handle the functions of VLAN switch 202 locally since it can detect the IP addresses of those parties involved.
- More specifically, VLAN switch 202 makes non-administrative users 104 access the apparent hosted web sites 235 via one VLAN and the IP addresses IP1 associated with the applicable executive jail(s) 122. Meanwhile, VLAN switch 202 makes administrative users 248 access the apparent hosted web site 235 via another VLAN and addresses IP2 associated with the corresponding administrative jail 124. Moreover, VLAN switch 202 connects the database jails 225 to the executive jails 122 and to the administrative jails 124 via another VLAN and IP addresses IP3 associated with the database jails 225. Thus, users jails application databases 125 for both read and write operations to it as generally allowed by the user applications 140 and in compliance with permissions, privileges, etc. associated with the database jails 225. Moreover, the VLAN switch 202 performs these functions without allowing the various users knowledge of, much less access to, other hosted web sites 235 or jails residing in the stack 200 (unless host 112 permits knowledge of the other web sites 235).
- Again, the bifurcation or segmentation of an apparent hosted web site 235 into the jails stack 200 or, at the least, limits the damage which they might be able to do should they partially succeed. More specifically, since the VLAN switch 202 segments the executive jails 122 and administrative jails 124 (and database jails 225) at the network and/or host firewall 114 level, the VLAN switch 202 can identify and white list administrative users 248 for access to their administrative jails 124 via the IP addresses from which they connect to the host 112. Similar considerations can apply to white listing the non-administrative users 104 at the VLAN switch 202 for access to the executive jails 122. Virtual private network (VPN) technologies can be employed in the alternative, or in addition, toward further securing the jails
- As can be expected, non-administrative users 104 and administrative users 248 have various responsibilities. As a result, the stack 200 associates user configuration files 237 and 238 with at least some of the administrative users 248 and at least some of the non-administrative users 104. The user configuration files 237-238 define which resources of the stack 200 the users administrative jails 124 will identify the administrative users 248 and their privileges while the executive versions of the user configuration files 238 in the executive jails 122 typically omit these details. But, the executive versions of the user configuration files 238 can identify the non-administrative users 104 and their permissions in the executive jails 122. It might also be worth noting that the parent operating system 212 can allow administrative users 248 to spin multiple instances of executive jails 122 from one administrative jail 124 thereby further segregating non-administrative users 104 into various categories for potentially separate and distinct handling. Such arrangements can also be convenient for administrative users 248 since they can maintain one administrative jail 124 that corresponds to many executive jails 122. Accordingly, the scope of the current disclosure is not limited by a one-to-one correspondence between executive jails 122 and administrative jails 124.
- The differing versions of the user configuration files 237 and 238 can allow
particular users jails underlying user applications 140 mounted from the parent operating system 212 into the administrative jails 124 and then cross mounted into the executive jails 122. Of course, because of differences between the administrative versions of the user configuration files 237 in the administrative jails 124 and the cross mounted executive version of the user configuration files 238 in the executive jails 122, the corresponding versions of these applications arrow 246 illustrates the stack 200 having cross mounted an executable version of a user application 242 into an executive jail 122 from an administrative version of the user application 240 in an administrative jail 124.

In many embodiments, the administrative jails 124 contain another configuration file, the application configuration file 236, which defines (at least in part) the allowed behavior of the administrative user applications 240 in the administrative jails 124 as it relates to various administrative users 248. However, the application configuration file 236 is not cross mounted to the corresponding executive jails 122. But the administrative version of the user configuration file 237 is cross mounted into the executive jail 122 (without, though, typically conveying any information related to the administrative users 248, their configuration related information, and/or other jails 122 and 124).

The application configuration file 236 of embodiments often contains different usernames/passwords to the application database 125, different salts used for session tokens, etc. Moreover, the application configuration file 236 modifies the behavior of the user application 140 and/or application database 125 by granting/denying privileges, permissions, rights, etc. given to the various administrative users 248.

It might be worth mentioning that configuration files 236 to 238 might not be in the form of a separate cohesive file, object, etc. Rather, these configuration "files" 236 to 238 can represent a collection or set of configuration related settings, parameters, permissions, privileges, etc. spread throughout the stack 200. Therefore, for the sake of convenience, these potentially disparate sets of configuration information will be referred to as configuration files 236 to 238 herein.

That being said, if an administrative user 238 is operating within the context of the administrative version of the user application 240 and wants to access the administrative version of the user configuration file 237, the administrative user 248 will find it located in the administrative jail 124. In contrast, a nonadministrative user 104 (or a malicious user 106) operating within the context of the more public and executable version of the user application 242 will at most find instead the less sensitive executive user configuration file 238 (without information pertaining to administrative privileges or the un-cross-mounted administrative versions of the user applications 240). Moreover, these two different versions of the configuration files 237 and 238 point to different locations on disk as the parent file structure 214 defines it, thereby further complicating the task of a malicious user 106 who would likely want access to the administrative information in the administrative configuration files 236 and 238 if they knew that these files existed.

As a result, the administrative version of the user configuration file 237 can contain password files to the
application database 125 and/or user application 140. Meanwhile, the other version of the configuration file 238 can also contain a separate password file to the application database 125 and/or user application 140. However, the password files in the two versions of the user configuration files 237 and 238 can be different and indeed often are. For instance, the administrative version of the configuration file 237 can contain an administrative username:password pair that gives some user (administrative user 248) read/write access to the application database 125 and the user application 140. Furthermore, the database jail 225 can restrict access to the application database 125 to deny users in the executive jails 122 the ability to connect to the application database 125 as administrative users 248. In that way, if a malicious user 106 (or nonadministrative user 104) is attempting to submit sensitive information such as credit card information using an executive jail-related user account for access to the application database 125, they can have write access into the application database 125 to do so. But that malicious user 106 would be unable to access application database 125 with read privileges to access or steal existing credit card information therein.

Moreover, a malicious user 106 (or a typical nonadministrative user 104 using a user application 140 which might fail to meet good design/programming practices) who managed to compromise an executive jail 122 could not brute force a valid administrative password for the application database 125 and/or user application 140. Accordingly, the stack 200 prevents many types of SQL injection attacks or, in the alternative, limits such attacks to just those application database 125 tables that the nonadministrative user 104 has access privileges to (or has in some way gained access thereto). Thus, at worst, an instance of one application database 125 associated with one underlying user application 140 might be temporarily compromised. But the stack 200 will limit the spread of the attack. Having addressed some aspects of the jails user applications host firewalls 114 might be in order.

With continuing reference to FIG. 2, and as mentioned previously, the stack 200 can include a network or host firewall 114 through which it selectively faces the Internet 102. The host firewall 114 can attempt to detect, identify, and prohibit malicious and/or unauthorized activity with respect to the stack 200 and, more specifically, sensitive information, programs, user applications 140 and associated application databases 125, etc. associated therewith. For instance, malicious users 106 often target, or cause damage to, the parent operating system 212 itself, its binaries (or components thereof), the various user configuration files 236 to 238, user applications 140, etc. contained therein.
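The credential split described two paragraphs above (an administrative username:password pair with read/write access to the application database 125, beside an executive-jail credential that can store a newly submitted card number but cannot read or alter the rows already there) as an added example, not code from the patent: it stands in for the database jail 225 with SQLite and enforces the executive-side policy through an authorizer callback, so a read smuggled in through injection fails at statement compilation. The table, its columns and the card values are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for an application database 125 kept in a database jail 225.
# Assumption (not from the page): one "payments" table holds the sensitive rows.
SCHEMA = """
CREATE TABLE IF NOT EXISTS payments (
    id          INTEGER PRIMARY KEY,
    card_number TEXT NOT NULL,
    amount      REAL NOT NULL
)
"""


def executive_authorizer(action, arg1, arg2, dbname, source):
    """Policy bound to the executive-jail credential (user configuration file 238):
    INSERT into payments is allowed; reading, updating or deleting rows is not.
    SQLite consults this callback while compiling each statement, so a denied
    SELECT fails before any row is touched."""
    if action == sqlite3.SQLITE_INSERT and arg1 == "payments":
        return sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                  sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK  # BEGIN/COMMIT and similar housekeeping


def connect_as(path, role):
    """Open the database with the credential of the given jail: 'administrative'
    (configuration file 237) is unrestricted, 'executive' (configuration file 238)
    gets the write-only authorizer."""
    conn = sqlite3.connect(path)
    if role == "executive":
        conn.set_authorizer(executive_authorizer)
    elif role != "administrative":
        raise ValueError("unknown role: %r" % role)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; return (succeeded, rows or error text)."""
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return True, rows
    except sqlite3.Error as exc:
        conn.rollback()
        return False, str(exc)


def run_scenario(path=None):
    """Replay the situation the text describes and return the outcomes."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "app.db")
    admin = connect_as(path, "administrative")
    admin.executescript(SCHEMA)
    attempt(admin, "INSERT INTO payments (card_number, amount) VALUES (?, ?)",
            ("4111-0000-TEST-0001", 19.99))  # constructed pre-existing row

    public = connect_as(path, "executive")
    ins_ok, _ = attempt(public, "INSERT INTO payments (card_number, amount) VALUES (?, ?)",
                        ("4111-0000-TEST-0002", 5.00))
    sel_ok, sel_out = attempt(public, "SELECT card_number FROM payments")
    upd_ok, _ = attempt(public, "UPDATE payments SET amount = 0")
    # A read smuggled through a UNION is stopped for the same reason: the executive
    # credential may only insert into the table, never read it.
    inj_ok, _ = attempt(public, "SELECT 1 WHERE 1=0 UNION SELECT card_number FROM payments")

    _, admin_rows = attempt(admin, "SELECT card_number FROM payments ORDER BY id")
    public.close()
    admin.close()
    return {
        "executive_insert_ok": ins_ok,
        "executive_select_ok": sel_ok,
        "executive_update_ok": upd_ok,
        "executive_union_read_ok": inj_ok,
        "select_error": sel_out if not sel_ok else "",
        "admin_visible_rows": len(admin_rows),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print("%-24s %s" % (key, value))
```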
Stacks 200 can also use host firewalls 114 to help prevent malicious users 106 in the executive jails 122 from connecting to the administrative jails 124 even if these jails stack 200 can isolate it despite the attack not traversing an Ethernet cable or other physical connection between machines. Network firewalls, when employed, can also assist the stack 200 in deterring attacks in that they prevent malicious users 106 who have compromised a jail other jails host firewalls 114 can also prevent an attack from pivoting to the administrative network 142 used to manage the physical machine(s) on which the stack 200 operates, since the two interfaces (one for the public and one for the host administrative user 129) can be handled separately.

Despite the desire for security, many nonadministrative users 104 and administrative users 248 desire access to the resources of the system 100 and/or the stack 200. Accordingly, network and host firewalls 114 typically allow some access thereto while doing so in manners calculated to thwart or at least impede the activities of malicious users 106; user applications 140 that fail to comply with good programming practices; and/or users host firewall 114 can allow typical nonadministrative users 104 access to the mounted and executable version of the user applications 242 in the executive jails 122 via protocols such as the hypertext transfer protocol secure (HTTP/S), the HTTP Secure Socket Layer (HTTP-SSL) protocol, the HTTP Transport Layer Security (HTTP-TLS) protocol, the SPDY protocol, the Web Developers Virtual Library (WDVL) protocol, the HTTP Next Generation (HTTP NG) protocol, etc. as well as other protocols now in existence or yet to be developed. While the protocols, ports, etc. might change from implementation to implementation, the stacks 200 could remain similar to those disclosed herein.

No matter the protocol(s) used, the network and/or host firewall 114 of the current embodiment can restrict access to the administrative jails 124 to only administrative users 248 with administrative privileges with respect to their corresponding administrative versions of the user applications 240 thereof. Moreover, the stack 200 can also provide similar protection for the administrative versions of the configuration files 236 and 237, directories, etc. in the administrative jails 124. These administrative versions of the configuration files 236 to 237 sometimes contain sensitive application database 125 related password files that (if accessed) would yield higher access privileges to the user application 140 and application database 125 than warranted for nonadministrative users 104 and others, thereby possibly meriting such protective measures.

In some embodiments, administrative access for the administrative users 248 to the administrative jails 124 is provided via secure technologies such as the virtual private network (VPN), the secure socket shell or secure shell (SSH/HTTPS) protocols, and/or other protocols now in existence or yet to be developed. Moreover, SSH and HTTPS can be tunneled over a VPN connection such that administrative access to the administrative jails 124 is doubly encrypted (thereby rendering man in the middle 116 attacks particularly difficult to perform). Additional encryption methods could also be employed if desired.

For instance, perfect forward secrecy (PFS) techniques could be used to achieve multiple levels of encryption/security on top of less temporally secure services such as HTTPS. In some embodiments, moreover, mutual authenticated encryption techniques (in which the host 112 validates that a user is valid based on pre-shared keys and vice versa, instead of relying on public key infrastructure (PKI) technology) could be used. In some embodiments, various combinations of such techniques can be used. For instance, HTTPS access over SSH tunnels over a VPN connection could be used. In such manners, vulnerabilities in one security technology can be mitigated while the other layered techniques still provide protection. It is noted here that many embodiments employ redundant security mechanisms at certain points in the stack 200 to make malicious attacks, and the like, exponentially more difficult to execute and/or exploit.

Furthermore, some embodiments implement such firewall related provisions through rules configured into the firewalls. Thus, not only can the
user applications 140 be executed as-is, but if their execution reveals flaws in their design, new rules can be configured into the firewalls to account for such flaws and/or thwart attacks allowed by vulnerabilities resulting therefrom. Moreover, if a vulnerability in a security technology surfaces, these redundant security technologies can plug the gap with a relatively simple re-configuration of the firewalls involved until a fix or patch becomes available.

With continuing reference to FIG. 2, the host 112 has certain jail related features pertinent to preventing, impeding, or otherwise thwarting malicious and/or unusual activities. For instance, the host 112 creates virtual roots for the individual executive jails 122 from each other as well as from other operating areas, data structures, etc. The host 112 also creates virtual roots for the individual administrative jails 124 (which correspond to the executive jails 122) from each other as well as from the executive jails 122 themselves, and the other operating areas, data structures, etc. of the host 112. In addition, or in the alternative, the hosts create virtual roots associated from the jails users various jails jails jails jails executive jail 122 or an administrative jail 124) cannot affect other jails host 112. Moreover, activities in jails 122 and/or 124, operating areas, data structures, etc. of the host 112 cannot affect activities within an individual jail

In addition, hosts 112 of various embodiments hide their parent file structures 214. More particularly, the file system and binaries of hosts 112 cannot be accessed, much less seen, by users executive jails 122 and/or the administrative jails 124. Note that VLAN switch 202 effectively forces such users host 112 via the IP addresses IP1, IP2, and IP3 (associated respectively with the executive jail(s) 122, administrative jail(s) 124, and the application database jail(s) 225). More specifically, the actual address of the host 112 can be withheld from the public while addresses IP1-IP2 can be available to legitimate users database jails 225 can likewise be withheld from the public since the VLAN switch 202 of embodiments handles communications therewith. Thus, the VLAN switch 202 hides the IP addresses associated with the host 112, the parent operating system 212, and/or the application databases 125 from outside scrutiny. As a result, such users executive jails 122 and/or administrative jails 124 and not within the context of the underlying parent operating system 212 or the application databases 125.

In addition, the stack 200 hides the administrative jails 124 from the executive jails 122 so that users accessing (by any means) the executive jails 122 are unlikely to even realize that corresponding and separate administrative jails 124 might exist. Furthermore, this result holds even after a malicious user 106 successfully compromises an executive jail 122 or a nonadministrative user 104 violates security in some manner, perhaps accidentally. Since the malicious user 106 or nonadministrative user 104 cannot see the administrative jail 124, the architecture of the stack 200 will probably befuddle them and leave them unable to create even a "temp" (temporary) file with which to further exploit their breach, since they have no write privileges within the executive jail 122.

As noted elsewhere herein, each host 112 can have associated therewith a host administrative user 129 with broad privileges to access, monitor, edit, control, re-configure, etc. features of the pertinent host 112 and/or jails administrative user 129 can patch and/or update the parent operating system 212 and the underlying user applications 140, install new applications, reconfigure the network and/or host firewall 114, the permissions of the jails user applications 140, etc. These features give the host administrative user 129 the ability to detect, investigate, mitigate, correct for, and/or remediate unusual activities and malicious attacks against the host 112 and its resources.
FIG. 2 also illustrates the parent file structure 214 of certain embodiments. The parent file structure 214 defines a directory or file structure which includes the virtual roots 224 and/or partitions in which the executive jails 122 and administrative jails 124 reside. The partitions, though, are not necessary for the practice of the current disclosure. However, they do tend to eliminate or reduce outages and indeed all of the jails parent file structure 214 also provides that the configuration files 236 to 238 reside in their appropriate virtual roots 224 and/or partitions, thereby protecting them from malicious attacks or unusual activity in other partitions even if they exist as disparate sets of information. If the configuration files 236 to 238 are actually disparate sets of such information, the stack 200 can ignore those items supposedly in the set if they are found outside of the appropriate locations in the parent file structure 214. Of course, such an event itself might indicate that an unexpected change to the stack 200 occurred. Thus, the stack 200 could raise an alert or take some other corrective action.

The parent operating system 212 can be any type of operating system capable of supporting executive, administrative, and database jails user applications 140, the parent operating system 212 can perform file management functions. In so doing, the parent operating system 212 interacts with the parent file structure 214 to determine which users parent operating system 212 can also store syslog data 130 and/or other data related to system 100 security (re-configurations, access attempts, etc.). In the alternative, or in addition, the parent operating system 212 can deliver syslog data 130 to appropriate administrative jails 124 or other locations inaccessible to nonadministrative users 104 (or malicious users 106 acting as such) if desired. For instance, while embodiments can deliver syslog data 130 to an executive jail 122, stacks 200 of many embodiments restrict delivery of syslog data 130 to locations other than the executive jails 122, such as the administrative jails 124 and/or a dedicated partition in the parent file structure 214.

The parent operating system 212 can also store information useful for HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. compliance/auditing purposes and the like. Moreover, because pre-existing syslog data 130 stored in the parent file structure 214 (or an administrative jail 124) cannot be tampered with after an executive jail 122 has been compromised, malicious users 106 cannot cover or destroy evidence of their activities. At best, a malicious user 106 might cause additional syslog data 130 to be appended to such pre-existing syslog data 130, but no alterations of the pre-existing information would result. Accordingly, such syslog data 130 can be deemed to be "forensically secured" against tampering by malicious users 106 and others.

In part because of the sensitive information stored in the parent operating system 212 and the capabilities that access to it enables, the parent operating system 212 of embodiments controls all aspects of the executive jails 122 and the administrative jails 124, including the apparent hosted web sites 235 (and/or other user applications 140) running therein. For instance, these entities and the users operating therein must communicate through permissions granted by the firewall(s) and the configuration files 236 to 238 residing in the parent operating system 212.

Moreover, users on the Internet 102 cannot log into the parent operating system 212 itself because administration of the parent operating system 212 occurs over the administrative network 142. The administrative network 142 can sit on a virtual LAN that differs from the one used to handle Internet-bound and/or Internet-originating traffic via VLAN switch 202. Moreover, the parent file structure 214 is hidden from the executive jails 122, the administrative jails 124, and/or users parent operating system 212 and/or parent file structure 214. As a result, malicious users 106 find their ability thwarted, or at least impeded, to sniff traffic; pivot to other machines (whether virtual or real) running similar stacks 200; brute force host administrative user accounts; etc.
Still with reference to FIG. 2, it might now be useful to disclose features of the hosted web sites 235. For one thing, each hosted web site 235 of embodiments can appear to nonadministrative users 104 from outside of the stack 200 as if it were a singular, coherent entity residing on the host 112. Indeed, the hosted web sites 235 appear to contain all user applications 140, files, information, functionality, etc. normally associated with a web site (or, in the case of a stand-alone user application 140, corresponding features) as viewed by nonadministrative users 104.

But the stack 200 allows nonadministrative users 104 from outside of the stack 200 read-only access to the cross mounted and executable user applications 242 residing in the executive jails 122. Moreover, if desired, such access can be by way of secure protocols such as, but not limited to, the HTTP/S protocol. In this manner, even nonadministrative users 104 can cause the execution of the cross mounted and executable user application 242, thereby obtaining the functionality which they seek. In contrast thereto, the stack 200 allows administrative access to the administrative versions of the user applications 240 and/or hosted web sites 235 via the administrative jails 124. Such administrative access, depending on the embodiment, can be by way of a combination of secure techniques such as the SSH-HTTP/S protocol and/or other protocols, techniques, etc., since it allows administrative users 248 the ability to perform writes to the administrative user applications 240 (or, rather, their programming and/or coding), update hosted web sites 235, add additional modules/applications, etc. if desired.

As mentioned elsewhere herein, parent operating systems can represent one vulnerability of many conventional operating systems. In part this is so because they define the partitions of their conventional stacks and the resources contained therein. As a result, malicious users 106 often target them for unauthorized editing, copying, theft, etc. They do so, many times, by mimicking or otherwise misappropriating the user identity (UID) of a valid user. In some embodiments, therefore, stacks 200 of the current embodiment prevent all users

More specifically, in some web server environments, administrative users 248 sometimes create files and give the ownership to some World Wide Web (www) or other Internet 102 user (for instance Apache®). Thus, if that file gets cross mounted between the two jails, the stack 200 can prevent the UID from the administrative jail 124 and the UID in the executive jail 122 from reflecting the same user. In some cases, the stack prevents such UIDs from being associated with any user malicious users 106 apparently causing the change still will have no ability to modify the file because they don't own it. Nor does any other nonadministrative user 104 (within the corresponding executive jail 122). Thus, in embodiments, such files are associated with a UID that has no username attached to it.
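An added illustration, not the patent's own code, of the ownership rule just described and of the plug-in check in the following paragraph: a file cross mounted into an executive jail 122 is eligible to run there only when its owner UID has no username in that jail's password file, and a UID that resolves to a name in both jails is flagged. The passwd contents, the UIDs and the cross mount listing are constructed.

```python
import os
import stat

# Constructed /etc/passwd of one executive jail 122 (sample data, not from the page).
EXECUTIVE_PASSWD = """\
root:*:0:0:Charlie &:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

# Constructed /etc/passwd of the corresponding administrative jail 124, where the
# site owner (uid 1501) is a real, named account.
ADMINISTRATIVE_PASSWD = EXECUTIVE_PASSWD + \
    "siteadmin:*:1501:1501:Site owner:/home/siteadmin:/bin/sh\n"

# Constructed listing of the cross mount as seen from inside the executive jail:
# (path, owner uid). The site files carry the owner's uid, which has no name in
# the executive jail; the uploaded plug-in was handed to the www user instead.
SAMPLE_CROSS_MOUNT = [
    ("index.php", 1501),
    ("lib/helpers.php", 1501),
    ("plugins/uploaded.php", 80),
    ("cron.sh", 0),
]


def parse_passwd(text):
    """Return {uid: username} for a passwd-format file."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[int(fields[2])] = fields[0]
    return users


def may_execute(owner_uid, jail_users, denied_uids=frozenset()):
    """The rule from the text: inside the executive jail a file may run only when its
    owner UID maps to no username there; UIDs the administrator lists explicitly are
    refused as well. Returns (allowed, reason)."""
    if owner_uid in denied_uids:
        return False, "owner uid %d is on the deny list" % owner_uid
    if owner_uid in jail_users:
        return False, "owner uid %d is user %r inside the jail" % (
            owner_uid, jail_users[owner_uid])
    return True, "owner uid %d has no username inside the jail" % owner_uid


def same_identity(uid, admin_users, executive_users):
    """True when one UID resolves to a username in both jails, the overlap the
    stack avoids for cross mounted files."""
    return uid in admin_users and uid in executive_users


def check_path(path, jail_users, denied_uids=frozenset()):
    """Apply the rule to a real file using its on-disk owner."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    return may_execute(st.st_uid, jail_users, denied_uids)


def audit_cross_mount(entries, jail_users, denied_uids=frozenset()):
    """Return the paths from a (path, owner uid) listing that the jail would refuse."""
    return [path for path, uid in entries
            if not may_execute(uid, jail_users, denied_uids)[0]]


if __name__ == "__main__":
    jail = parse_passwd(EXECUTIVE_PASSWD)
    admin = parse_passwd(ADMINISTRATIVE_PASSWD)
    for path, uid in SAMPLE_CROSS_MOUNT:
        print("%-22s %s" % (path, may_execute(uid, jail)[1]))
    print("uid 1501 named in both jails:", same_identity(1501, admin, jail))
    print("uid 80 named in both jails:  ", same_identity(80, admin, jail))
```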
Administrative users 248 might also desire to upload new code through the web interface. For instance, an administrative user 248 might upload a new or modified plug-in to their content management system. While such behavior is common, it also creates a vulnerability in that the plug-in might or might not meet good design/programming standards and could have been generated by a malicious user 106. Thus, the stack 200 can ignore files (here, the plug-in) which are owned by particular UIDs and/or only allow execution of files which have no associated UID attached to them within the executive jails 122. Embodiments do allow stacks 200 to select whether such features are employed and across which jails

The foregoing features allow such administrative users 248 to maintain, configure, etc. their administrative user applications 240, application databases 125, hosted web sites 235, etc. despite the features of the stack 200 related to security as disclosed further herein. These administrative users 248 generally want to control the hosted web sites 235 and/or user application 140 to provide content and/or functionality to some Internet 102 or WAN audience, client base, group of followers, etc. More specifically, administrative users 249 often want to upload pictures, movies, and other content. They might also want to moderate comments or take other actions with respect to their offerings. These types of administrative users 248 differ from the host administrative user 129, who watches the host 112, performs operating system patch management, and so on. The hosted web site 235 and/or user application 140 administrative users 248 typically reside on the Internet 102 or some WAN and do desire some write privileges to their application databases, user applications 140, hosted web sites 235, etc.

In the meantime, users on the Internet 102 who (by way of a compromise of the web application 235) have somehow gained access to the host 112 are not allowed to write to the system disk in embodiments. Furthermore (as noted elsewhere herein), even if they could do so, no files within the applicable executive jails 122 are owned by any UIDs within the password file of the executive jails 122. As a result, even if a malicious user 106 found that they had gained read/write access in an executive jail 122, that malicious user 106 would still be prevented from overwriting the files of an executing web server 235 because of their lack of file ownership and lack of write privileges (even while acting as a valid nonadministrative user 104).

Furthermore, stack 200 mounts the system binaries for both the administrative jails 124 and the executive jails 122 as read-only and in their virtual roots 224 and/or partitions. As a result, even an administrative user 248 operating in their administrative jail 124 (with privileged access therein) could not inadvertently or purposefully modify system binaries other than those copies related to the administrative version of their own user application 240 in their administrative jail 124. More specifically, even administrative users 124 cannot modify copies of system binaries in other jails parent operating system 212. However, users with appropriate administrative privileges (administrative users 248) to the administrative jails 124 (or, rather, particular files therein) can own and therefore edit files within their administrative jails 124. The foregoing features allow administrative users 248 to maintain their application databases 125, user applications 140, hosted web sites 235, etc. without risking the security of the parent operating system 212 by allowing malicious users 106 the opportunity to insert a rootkit (using, for instance, a kernel module, compromised library, etc.) to create a backdoor.

With continuing reference to FIG. 2, various features of the executive jails 122 and administrative jails 124 are further disclosed at this juncture. Take, for instance, executive jails 122 of some embodiments. For one thing, the cross mounted and executable user applications 242 in the executive jails 122 appear to nonadministrative users 104 outside of the stack 200 as the hosted web site 235 (or other resource) which they believe they are accessing. The foregoing statement implies, and in some embodiments it is true, that this appearance is misleading.

Nonetheless, even access to the cross mounted and
executable user applications 242 can be password protected for valid nonadministrative users 104. As disclosed elsewhere herein, each executive jail 122 is also located in a virtual root separate from the other executive jails 122 (and other aspects of the parent operating system 212). Moreover, each individual executive jail 122, and the group of them as a whole, is located in virtual roots separate from those of the administrative jails 124.

Moreover, while access to the underlying tables in the application database 125 (for a given administrative version of a user application 240 in a given administrative jail 124) can be controlled via logic in the administrative user application 240, the stack 200 of embodiments can improve on such security features. For instance, because the administrative version of the user configuration files 237 in the administrative jails 124 can differ from the executive user configuration file 238 in the executive jails 122, differing access privileges can be supplied to nonadministrative users 104 and administrative users 248 in those jails jail executive jail 122 could have read-only access to the application database 125, while that same user (logged in as an administrative user 248) could have read/write privileges to the application database 125 from within the corresponding administrative jail 124.

Executive jails 122 (as well as the administrative jails 124) of some embodiments can be compared to lightweight virtual machines (VMs). For the functionality the jails parent operating system 212. As a result, these binaries can be stored in the jails executive jails 122 with just those resources reasonably associated with the functions which they are likely to perform within the stack 200 (notably, executing the cross mounted and executable user applications 242) of the administrative user applications 240. Meanwhile, the administrative jails 124 can provide functionality for maintaining the administrative user applications 240.

More specifically, unless provided for otherwise, users operating within the executive jails 122 have read-only access to the executive jails 122 and their resources. Of course, as disclosed elsewhere herein, the stack 200 of embodiments does allow access to the application database(s) 125 via the versions of user applications jails

Thus, the stack 200 can provide access to the application databases 125 at a user-by-user level of granularity while protecting the parent operating system 212 and its binaries and parent file structure 214 from unauthorized disk write operations. Indeed, no disk write privileges are associated with the executive jails 122 (or users or cross mounted and executable user applications 242 therein). Conventional stacks cannot grant such user-by-user read/write access to the application databases 125 (and the executable user applications 242) without exposing the parent operating system 212 to threats from malicious users 106 and threats from user applications 140 not meeting good design/programming practices.

Furthermore, the
stack 200 grants neither the executive jails 122 nor any entity therein any outbound egress over the interface to the Internet 102. In part, this denies malicious users 106 the opportunity to get a malicious command (one which relies on some external file, for instance those used during a PHP RFI attack) running in an executive jail 122 that fetches dangerous programs or code from the Internet 102 or elsewhere. Nor does the stack 200 allow access to the parent file structure 214 by the executive jails 122 or entities associated therewith. Each executive jail 122 also contains executive user configuration files 238 cross mounted from the corresponding administrative user configuration files 237 (which are mounted in the administrative jail 124). Similarly, each executive jail contains therein the cross mounted and executable user applications 242.

With continuing reference to FIG. 2, for users without valid passwords (i.e., the public), stacks 200 limit their access to reaching the web server (or host 112) ports and/or whatever services might be running and exposed at those locations. That is, in some embodiments, public users can view information provided by the cross mounted and executable user applications 242 and/or hosted web sites 235 but cannot otherwise interact with them or anything else in the executive jails 122 (except for those objects within the execution permissions associated with the executable user applications 242).

The stack 200 of embodiments therefore denies public users the permission to do more than merely browse through hosted web sites 235 and/or other information available in the executive jails 122. More specifically, the stack 200 does not allow public users write privileges of any sort (including writes to application databases 125 and disk writes). This is not to say that the stack 200 prevents user applications 140 from allowing even public users to access the application databases 125. Rather, the user applications can do so by, for instance, allowing a public user to post a comment to a blog article. But that sort of access can be managed by the user application 140. Thus, public users cannot edit any information to which they might gain access unless allowed by the user application 140 or the permissions associated with the application database 125. This applies not only to Internet 102 users but also to local users who are operating within the context of the executive jails 122. In this manner, even if a user compromised an executive jail 122, they still could not write to disk or the application database 125 except as otherwise permitted by the user application 140 and/or application database 125.

However, valid nonadministrative users 104 can access the executive jails 122 and cross mounted and executable user applications 242 for which they have been granted access rights. Of course, they still have no authority to write to the parent operating system 212, the area of disk in which it might be stored (for instance, a series of locations in a redundant array of independent disks), its binaries, its parent file structure 214, etc. Indeed, they (and the executive jails 122 themselves) can see neither the parent operating system 212 nor the corresponding administrative jails 124 (or any other administrative jail 124 or executive jail 122). That is, the stack 200 hides the parent operating system 212 and the administrative jails 124 from each of the executive jails 122. Of course, exceptions can be made, such as anything that is intentionally cross mounted into the executive jails 122 1) from the administrative jails 124 (by the administrative users 248) or 2) from the parent operating system 212 (by a host administrative user 129). Nonetheless, some stacks 200 allow such access to the mounted executable user applications 242 and/or hosted web sites 235 in the executive jails 122 for which nonadministrative users 104 have access via protocols such as, but not limited to, HTTP/S.
- Stacks 200 of embodiments also define how the various administrative jails 124 behave. While the cross mounted and executable user applications 242 in the executive jails 122 can appear to be the hosted web sites 235 for the public, the administrative user applications 240 within the administrative jails 124 appear to be the hosted web sites 235 to the corresponding administrative users 248 as far as the performance of their administrative functions is concerned. As noted, these administrative jails 124 are located in separate virtual directories from each other, the executive jails 122, and other areas of the parent operating system 212, and therefore users in one jail cannot see the other jails.
- The administrative jails 124 can also resemble lightweight VMs in that the stack 200 of the current embodiment provisions them with only the resources likely to be associated with their functionality within the stack 200 (via a copy of some minimum set of binaries of the underlying parent operating system 212). As such, administrative jails 124 of some embodiments do allow both read and write privileges to users authorized as administrative users 248 with respect to the administrative versions of their user applications 240 and application databases 125. But these privileges are rather limited in scope. More specifically, the read/write privileges granted to these administrative jails 124 and administrative users 248 relate only to the mounted administrative user applications 240, application databases 125, and/or hosted web sites 235. In other words, administrative jails 124 and the corresponding administrative users 248 enjoy no access to the parent operating system 212 or its components (for instance, the parent file structure 214). In many embodiments, the parent operating system 212 is hidden from the administrative jails 124 and any mounted executable user applications 242, administrative users 248, etc. therein or otherwise associated therewith. Thus, administrative users 248 cannot update, modify, etc. parent operating system 212 binaries despite their administrative privileges within the administrative jails 124.
- As to their contents, administrative jails 124 contain the administrative user configuration files 237 corresponding to their administrative users 248. The administrative jails 124 also include the administrative versions of the user applications 240. Thus, administrative users 104 of hosted web sites 235 might log in to their administrative jails 124 and use WordPress®, Microsoft FrontPage®, NetObjects Fusion®, or other site authoring tools to edit their hosted web sites 235 and/or similar tools for editing administrative user applications 240 and/or application databases 125. In addition, or in the alternative, administrative users 248 could log in using various shopping carts, content management systems, etc. such as Joomla!®, OSCommerce®, Drupal®, Zen Cart®, etc. to manipulate their hosted web sites 235. No matter the form of access used, the administrative users 248 typically log into their administrative jails 124 to use their write access privileges in accordance with the permissions granted by the administrative user configuration files 237.
- However, once administrative users 248 cross mount the executable user applications 242 to the corresponding executive jails 122 and a non administrative user 104 accesses these cross mounted and executable user applications 242, the non administrative user 104 might attempt to perform some operation involving a write operation to the cross mounted and executable user applications 242 (or rather to the administrative versions of the user application 240 itself). Thus, in some embodiments, the cross mounting of the administrative user applications 240 to the executive jail 122 from the administrative jail 124 occurs via a hardened Apache/PHP scripting implementation. Of course, the scope of the current disclosure is not limited to Apache/PHP web servers/programming languages. Rather, it can be extended to approaches using Nginx™, Tomcat, Java® 2 Platform, Enterprise Edition (J2EE®), Perl, Java®, Python®, ASP.NET, etc. Even so, by “hardened” it is meant that these hardened implementations of some embodiments do not allow outbound Internet 102 access or disk write capabilities via these implementations. Instead, only administrative users 248 in their administrative jails 124 have full access to their administrative user applications 240, and to their administrative user applications 240 alone. Moreover, even that access is limited and does not extend to write-to-disk access and/or to system binary modifications other than those copies residing in the administrative jails 124.
- In some embodiments, the stack 200 also by default can include certain HTTP headers which can improve security. For instance, stacks 200 of embodiments can include HTTP headers such as:
- This header (which is supported by most browsers) prevents users other than the administrative user 248 for a hosted web site 235 from framing that web site. Accordingly, this header reduces click jacking.
X-XSS-Protection: 1; mode=block
While this header currently only appears to work in Internet Explorer, putting it in block mode or otherwise disabling it can prevent it from introducing vulnerabilities related to reflected cross site scripting (XSS) on the hosted web sites 235.
Strict-Transport-Security: max-age=15768000
Strict-Transport-Security (STS) helps ensure that hosted web sites 235 will be served over HTTPS and therefore helps protect against man in the middle 116 attacks.
X-Content-Security-Policy: allow 'self'; img-src 'self' data:; options inline-script eval-script;
This experimental CSP header, built into supporting browsers, makes it harder for malicious users 106 to inject malicious content into hosted web sites 235, thereby also helping prevent XSS attacks.
- Thus, full apparent functionality of the
executable user application 242 can be provided to a non administrative user 104 (as intended by the administrative user 248) operating within the executive jail 122 while controlling disk access. These actions can also be accomplished while prohibiting user activities that might be malicious or unusual with regard to the administrative user application 240 itself and/or the parent operating system 212.
- Indeed, so that authorized administrative users 248 can edit, reconfigure, etc. the administrative versions of the user applications 240, the administrative jails 124 of some embodiments do face the Internet 102 through applicable access techniques (for instance, VPN). More specifically, administrative users 248 can access their administrative jails 124 (and the administrative user applications 240 therein) through various secure protocols available now and/or yet to be developed, such as combinations of SSH-HTTPS, VPN techniques, etc. Such access can be password protected and/or encrypted. Moreover, Internet 102 access to/from the administrative jails 124 can be further restricted by various embodiments. For instance, the stack 200 can prohibit/prevent inbound Internet 102 traffic except for that traffic associated with authorized administrative users 248 (and/or the host administrative user 129 via the separate administrative network 142). Outbound Internet 102 access for these parties could, though, be allowed if desired.
- As noted elsewhere herein, embodiments provide database jails 225 and/or virtual roots in which the application databases 125 can be located. While FIG. 2 illustrates a one-to-one correspondence between the database jails 225 and the application databases 125, no such limitation exists with respect to the current disclosure. The stack 200 allows administrative users 248 to structure their user applications 140 and application databases 125 according to their desires. In many embodiments, the database jails 225 operate in a manner similar to administrative jails 124 but without having a corresponding executive jail 122. Entities in both the executive jails 122 and the administrative jails 124 (and entities therein) often have legitimate desires to access the application databases 125 residing in the database jails 225. For instance, non administrative users 104 might want to send sensitive data to the application databases 125 pertaining to an account that they might have on a hosted web site 235. Likewise, an administrative user 248 might need to alter the table structure of their application database 125.
- Thus, the application configuration file 236 (for instance “app-confs” as illustrated in FIG. 6) can define username:password pairs for the various valid users of the application databases 125 in the database jails 225. Since the database jails 225 can detect the IP addresses (IP1 and/or IP2) from which access requests originate, they can disallow access requests from administrative users 248 made from within the executive jails 122, whose write privileges to the application databases 125 belong with the administrative jails 124, not the executive jails 122. As a result, malicious users 106 trying to brute force an administrative password for an application database 125 from the executive jails 122 will fail even if they do correctly guess the username:password pair of an administrative user 248. On the other hand, database jails 225 of some embodiments impose no restriction on access attempts from valid administrative users 248 from within their administrative jails 124, although an administrative jail 124/address IP2 mismatch could cause a database jail 225 to deny an access attempt of any sort from a particular administrative user 248 in a particular administrative jail 124. Moreover, such an event could trigger a reaction from the stack 200, such as notifying a compliance officer, the host administrative user 128, and/or security operations personnel.
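The database jail 225 access rule just described, as an added example (not code from the patent): administrative credentials from app-confs are honored only from the administrative jail's address IP2, a pair presented from the executive jail's address IP1 is refused even when it is correct, and the mismatch is recorded for notification. The site, addresses and credentials are constructed, and PBKDF2 password hashing is an assumption about how app-confs might store the pairs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumption for this example; the patent does not say how pairs are stored


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    role: str        # "admin": an administrative user 248; "app": an account used by a user application 242
    salt: bytes
    digest: bytes


@dataclass
class SiteConf:
    """One hosted web site's entry in app-confs (constructed layout)."""
    exec_ip: str     # IP1: the address the site's executive jail 122 connects from
    admin_ip: str    # IP2: the address the site's administrative jail 124 connects from
    users: Dict[str, Credential] = field(default_factory=dict)

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = Credential(role, salt, hash_password(password, salt))


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: Optional[str] = None   # set when the event should reach compliance/security staff


class DatabaseJail:
    """Gate in front of an application database 125 living in a database jail 225."""

    def __init__(self, app_confs: Dict[str, SiteConf]) -> None:
        self.app_confs = app_confs
        self.alerts: List[str] = []

    def authorize(self, site: str, user: str, password: str, source_ip: str) -> Decision:
        conf = self.app_confs.get(site)
        if conf is None or user not in conf.users:
            return Decision(False, "unknown site or user")
        cred = conf.users[user]
        # Always compute the hash so timing does not reveal which check failed.
        valid = hmac.compare_digest(cred.digest, hash_password(password, cred.salt))
        if cred.role == "admin" and source_ip != conf.admin_ip:
            # Administrative write privileges belong with the administrative jail (IP2).
            # A correctly guessed pair presented from the executive jail (IP1) still
            # fails, and the jail/IP2 mismatch is reported rather than silently dropped.
            msg = f"{site}: admin account {user!r} used from {source_ip}, expected {conf.admin_ip}"
            self.alerts.append(msg)
            return Decision(False, "administrative jail/IP2 mismatch", alert=msg)
        if not valid:
            return Decision(False, "bad credentials")
        if cred.role == "app" and source_ip not in (conf.exec_ip, conf.admin_ip):
            return Decision(False, "application account used from outside the site's jails")
        return Decision(True, "ok")


# Constructed sample app-confs for one hosted web site; every value is made up.
APP_CONFS = {"shop.example": SiteConf(exec_ip="10.0.1.10", admin_ip="10.0.2.10")}
APP_CONFS["shop.example"].add_user("shop_admin", "correct horse battery", "admin")
APP_CONFS["shop.example"].add_user("shop_app", "app-only-secret", "app")
DB_JAIL = DatabaseJail(APP_CONFS)

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.2.10"):
        print(src, DB_JAIL.authorize("shop.example", "shop_admin", "correct horse battery", src))
```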
- Jails can also be used in stacks 200 as templates for a variety of uses. For instance, while the foregoing has discussed executive, administrative, and database jails, other types of jails can be included in stacks 200. Moreover, the various jails can exist within one (real or virtual) machine or on a plurality of separate devices with switches, firewalls, etc. deployed there between if desired. As a result, modular stacks 200 can be deployed and connected together to tailor systems as users might desire with the jails.
- How various users interact with the configuration files might merit some discussion at this juncture. Thus, the host administrative user 129 is capable of editing the parent file structure 214 and the data, data structures, virtual roots, partitions, etc. defined therein. This means, in part, that the host administrative user 129 can edit the executive jails 122, the administrative jails 124, the corresponding relationships there between, the administrative user applications 240, etc. Moreover, the host administrative user 129 can edit the configuration files 236 to 238 associated with both non administrative users 104 and administrative users 248 as well as the administrative versions of the user applications 240. In other words, host administrative users 129 can have complete, unrestricted access to the stack 200 via the administrative network 142 and need no user configuration file with which to operate. Instead, the access of the host administrative user 129 comes via the administrative network 142, over which the host administrative user 129 has sole access.
- In contrast, the application and user configuration files 236-238 limit the activities of non administrative users 104 and administrative users 248. The application configuration file 236 defines how the administrative user application 240 behaves in an administrative jail 124. The application configuration file 236 also helps define how the hosted web sites 235 and/or administrative user applications 240 interact with their associated application databases 125.
- The user configuration files 237 and 238 can also contain nonces that are unique to each file, thereby complicating attempts to mis-use these user configuration files 237 and 238. Thus, even if these files are compromised they do not allow a malicious user 106 (operating from the corresponding jail 122/124) to know the value of these nonces (in the differing versions of the configuration files 238/237 in the other jail 124/122). Moreover, no user configuration file 237 and/or 238 allows or is even permitted to allow non administrative users 104 or administrative users 248 access to the parent operating system 212.
- That means, in part, that the administrative versions of the user configuration files 237 can grant read/write privileges to the administrative users 248 from within their administrative jails 124 but not elsewhere. Thus, and because even administrative users 248 cannot see the parent operating system 212, the only files in the parent operating system 212 (or the parent file structure 214 for that matter) that administrative users 248 can edit are their own administrative versions of their user applications 240, their web servers, and the programming language(s) that their web servers might use (for instance, PHP, Python®, Perl, Java®, ASP.NET, etc.). But, even so, the stack 200 prevents administrative users 248 from modifying binaries of the parent operating system 212 itself. Note also that it is only the administrative versions of the user configuration files 237 which define administrative privileges for the administrative users 248.
- Moreover, these administrative user configuration files 237 relating to the administrative users 248 do not get mounted to the executive jails 122 unless provided for by the host administrative user 129. Thus, the administrative versions of the user configuration files 237 are not vulnerable to attack by malicious users 106 operating in the executive jails 122 (or by user applications 140 which are not written to good design/programming practices and/or that might be behaving in some potentially errant manner).
- As to the non
administrative users 104 illustrated by FIG. 2, the cross mounted and executive user configuration files 238 define privileges for these users. For instance, merely public users (those without valid passwords for a particular executive jail 122) can at most only read/view the information in the executive jails 122 since they have no cross mounted executive user configuration file 238 associated therewith. Non administrative users 104 who do have valid passwords can be given read access to the executable user applications 242. This privilege means that they can use the executable user applications 242 (and the functionality provided thereby) but cannot alter the executive user applications 242, much less the un-cross mounted and hidden administrative versions of the user applications 240.
- In other words, if an unprivileged and non administrative user 104 accesses a hosted web site 235, it will ordinarily appear to have full access to the application database 125 functionality if the user application 140 permits it. Of course, administrative functions (even within the administrative jails 124) are restricted by embodiments to prevent even administrative users 248 from writing to system disk. Moreover, non administrative users 104 have no file ownership privileges anywhere in the stack 200 of many embodiments. In addition, it might also be worth noting that the cross mounted and executive user configuration files 238 point to different storage locations within the parent operating system 212 than the corresponding administrative user configuration files 237 in the administrative jails 124. And, again, no non administrative user 104 has the power to edit their own configuration files 237 or 238.
- These non administrative users 104 (and administrative users 248) are therefore powerless to edit the parent operating system 212 or any portion thereof. Plus, since non administrative users 104 can only see and access the executive jails 122 and the contents thereof, rogue behavior on their part can, at worst, alter the executive and cross mounted user applications 242 and those executive user configuration files 238 that are also cross mounted into the executive jails 122 in which they happen to be. But they cannot alter the corresponding administrative configuration files 236 and 237 related to the administrative users 248 and the administrative versions of the user applications 240 in the administrative jails 124. Thus, the administrative versions of the user applications 240 and configuration files 236 and 237 remain safely hidden in the administrative jails 124 from non administrative users 104 and malicious users 106.
- With ongoing reference to FIG. 2, some additional disclosure related to the executive user configuration files 238 cross mounted into the executive jails 122 might be useful at this juncture. On that note, all administrative user configuration files 237 associated with non administrative users 104 can be cross mounted to the corresponding executive jails 122 by the administrative users 248, according to their decisions regarding which files/information they desire to have in the administrative configuration files 237 which are then cross mounted. Similar information pertaining to the administrative users 248 is not permitted to be cross mounted by the stack 200 according to embodiments. These executive user configuration files 238 allow the executive jail 122 to verify non administrative users' 104 identities, thereby further safeguarding other jails and/or virtual roots of the parent operating system 212 from rogue behavior. Moreover, since the cross mounting of the executive user configuration files 238 occurs on an executive jail 122 by executive jail 122 basis (or hosted web site 235 by hosted web site 235), the password files associated with each executive jail 122 (or hosted web site 235) are independent from each other and can have at least some identical UID:password pairs therein.
- Again, in embodiments, all cross mounted and executive user configuration files 238 have only disk read only privileges (and access privileges to the application database 125 via user applications 140) associated therewith. As a result, any disk write privilege appearing in a mounted and executive version of the user configuration file 238 would be a likely indication of rogue behavior: something altered that executive user configuration file 238. Moreover, the foregoing privilege restrictions ensure that no non administrative user 104 can write directly to any location within the parent operating system 212 without triggering suspicion.
- Instead, any disk writing activity that non administrative users 104 might attempt from the executive jails 122 would have to occur via cooperation with the executable user application 242 and the administrative version of the user application 240 and could only affect the associated application database 125. Again, the executive and administrative versions of the user configuration files 238 and 237, respectively, point to different storage locations in the parent operating system 212 and allow write privileges to no one other than administrative users 248. Those privileges, moreover, extend only to the administrative jails 124, their binaries, administrative versions of the user applications 240, associated application databases 125, etc. Successful rogue behavior defeating the safeguards associated with all of the foregoing layers of protection would therefore seem hard to imagine. Indeed, stacks 200 of the current embodiment include one or more backups to most, if not all, security features employed therein. These backups force malicious users 106 to find two or more simultaneous weaknesses to exploit (without being detected), thereby making successful attacks exponentially more difficult than single-weakness-based exploits such as those to which conventional hosts 110 remain vulnerable.
- With further reference to FIG. 2 and the cross mounting of the user configuration files 236 to 238, a more specific example illustrates an implementation of the cross mounting techniques employed by various stacks 200. In the current embodiment, the administrative versions of the configuration files 236 and 237 are cross mounted using different names in the executive jails 122 than the names of the corresponding files 236 and 237 in the administrative jails 124. More specifically, suppose that a directory named /site-config/ exists in an administrative jail 124 and its corresponding executive jail 122. Further suppose that the administrative version of this directory /site-config/ further defines a series of directories called {site_name}/app-config/public/. Instead of merely cross mounting {site_name}/app-config/public/ as named in that manner, stacks 200 cross mount these directories into the executive jail 122 using a name such as /site-config/{site_name}/app-config/. From the perspective of each executive jail 122, users therein would see /site-config/{site_name}/app-config/. However, in the administrative jails 124, stacks 200 differentiate between the two versions. One way of doing so is to append “public” to the administrative directory name so that the administrative users 248 know which files (or information) to put in each directory, yet the user application 140 can point to the same location on disk: /site-config/{site_name}/app-config/public/place_holder.php will be mounted as /site-config/{site_name}/app-config/place_holder.php in the executive jail 124. In this situation, from the perspective of each jail, a malicious user 106 who manages to compromise the executive jail 122 will at best find what has been mounted from the /site-config/{site_name}/app-config/public/ directories (and their contents) but will not see what the administrative jail contains in /site-config/{site_name}/app-config/, even though from the executive jail the file path appears to be /site-config/{site_name}/app-config/.
That is, users will not see files associated with the parent version of that directory. Instead, they will only see the version of that directory in the executive jail 122.
- But the compromise stops there and in that executive jail 122. While a malicious user 106 might realize that they are in a jail (and maybe even that other jails exist), the malicious user 106 is unable to guess at what else might be there and, indeed, remains clueless as to which other hosted web sites 235, user applications 140, files, etc. might reside on the same disk (whether virtual or real). Of course, the particular file and directory names can change without affecting the scope of the disclosure. Moreover, the cross mounting of Apache-based configuration files can account for Apache's lack of facilities for handling the glob * operators in file paths (as opposed to its ability to handle these operators in file names). In any case, such implementations prevent information leakage from the path names regarding other hosted web sites 235 that might reside in the host 112. This feature therefore prevents malicious users 106 from pivoting to attack these other hosted web sites 235. FIG. 6 provides yet another cross mounting implementation.
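The renamed cross mount of the preceding paragraphs, as an added example that is not part of the patent: it emits read-only mount entries that expose each site's administrative /site-config/{site_name}/app-config/public/ as /site-config/{site_name}/app-config/ in that site's executive jail, and models what a user inside the executive jail can see so that the absence of other sites' paths can be checked. FreeBSD-style nullfs mounts in fstab form, the jail roots under /jails and the site names are assumptions.

```python
from typing import Dict, Iterable, List, Set

# Constructed jail roots on the parent file structure 214 (assumed layout).
ADMIN_ROOT = "/jails/admin"   # <ADMIN_ROOT>/<site> is that site's administrative jail 124
EXEC_ROOT = "/jails/exec"     # <EXEC_ROOT>/<site> is that site's executive jail 122


def admin_public_dir(site: str) -> str:
    """Where an administrative user 248 puts the files meant for the executive jail."""
    return f"/site-config/{site}/app-config/public"


def exec_app_config_dir(site: str) -> str:
    """The name under which that directory appears inside the executive jail."""
    return f"/site-config/{site}/app-config"


def fstab_entries(sites: Iterable[str]) -> List[str]:
    """One read-only nullfs cross mount per site, in fstab form (assumed mechanism)."""
    entries = []
    for site in sites:
        src = ADMIN_ROOT + "/" + site + admin_public_dir(site)
        dst = EXEC_ROOT + "/" + site + exec_app_config_dir(site)
        entries.append(f"{src}\t{dst}\tnullfs\tro\t0\t0")
    return entries


def executive_view(site: str, admin_tree: Dict[str, Set[str]]) -> Set[str]:
    """Paths visible inside `site`'s executive jail, given each administrative
    jail's file tree (site -> set of absolute paths within that jail).
    Only the public/ subtree is mapped, so db.conf, tmp/ and every other
    site's tree are absent from the result, not merely unreadable."""
    public = admin_public_dir(site)
    mapped = exec_app_config_dir(site)
    view: Set[str] = set()
    for path in admin_tree.get(site, set()):
        if path.startswith(public + "/"):
            view.add(mapped + path[len(public):])
    return view


def leaked_site_names(site: str, view: Iterable[str], all_sites: Iterable[str]) -> List[str]:
    """Names of other hosted web sites 235 that appear anywhere in the executive view."""
    return sorted(s for s in all_sites if s != site and any(f"/{s}/" in p for p in view))


# Constructed administrative-jail trees for two sites (made-up names and files).
ADMIN_TREES = {
    "alpha.example": {
        "/site-config/alpha.example/app-config/public/place_holder.php",
        "/site-config/alpha.example/app-config/public/css/site.css",
        "/site-config/alpha.example/app-config/db.conf",
        "/site-config/alpha.example/tmp/session.dat",
    },
    "beta.example": {
        "/site-config/beta.example/app-config/public/index.php",
        "/site-config/beta.example/app-config/db.conf",
    },
}

if __name__ == "__main__":
    print("\n".join(fstab_entries(ADMIN_TREES)))
    for site in ADMIN_TREES:
        view = executive_view(site, ADMIN_TREES)
        print(site, sorted(view), "leaks:", leaked_site_names(site, view, ADMIN_TREES))
```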
- FIG. 6 illustrates cross mounted configuration files. More particularly, FIG. 6 illustrates an Apache implementation regarding the cross mounting of configuration files 236 to 238. Moreover, FIG. 6 illustrates one Apache implementation which works around the lack of pathname-related glob * operator resources in Apache and which still allows the administrative jail 124 and executive jail 122 to possess their own copies of the configuration files (without requiring separate httpd.conf files in these jails 122 and 124). Moreover, the foregoing features allow stacks 200 to keep separate secure socket layer/transport layer security (SSL/TLS) certificates. So even if a malicious user 106 is able to steal an SSL/TLS certificate from one executive jail 122, they will not be able to execute man in the middle 116 attacks on traffic to/from another jail 122 and/or 124 if these other jails use separate certificates. Such features limit the potential exposure to just one jail should a malicious user succeed in such scenarios. Additionally, as FIG. 6 illustrates, the files in the base jail (from which the administrative jail 124 and its corresponding executive jail 122 depend) are mounted to the administrative jail 124 as is in embodiments. This mounting arrangement therefore provides administrative users 248 operating within their administrative jail 124 access to all files pertinent to their administrative duties.
- However, only a subset of the configuration files are cross mounted to the executive jail 122. Indeed, arrow 610 indicates that one particular directory (here the tmp directory) does not get cross mounted into the executive jail 122. Any directory containing sensitive information can be withheld from the cross mounting by administrative users 248 who segregate such directories from the directories which will be cross mounted, or by some scheme in stacks 200 to so designate such directories. With continuing reference to FIG. 6, in the executive jail 122 the file paths for other hosted web sites 235 do not appear anywhere (in the configuration files themselves or on disk) from the perspective of the executive jail 122 and those operating therein. In this manner, malicious users 106 cannot gain information that might have otherwise been leaked from the files, pathnames, etc. Again, these features help prevent a malicious user 106 from pivoting from one compromised web site 235 to attack another.
- Thus, the stack 200 of various embodiments allows user applications 140 and hosted web sites 235 to be designed, developed, written, etc. without security in mind. Indeed, these user applications 140 can contain just about any type of content, functionality, etc. without being a danger to other user applications 140 or the parent operating system 212. Moreover, the user applications 140 can fail to meet good design/programming practices (at least from a security perspective) and be inherently susceptible to attack when executed by conventional hosts 110, yet they can still execute securely within stacks 200 of embodiments.
- More specifically, the user applications 140 themselves need not necessarily support various security technologies such as VPN, HTTP/S, SSH, etc. to enjoy the benefits thereof, although application owners might desire to use such techniques to help foil man in the middle 116 attacks/vulnerabilities (for instance, intercepting sensitive information being transferred to/from the non administrative users 104). The user applications 140 might, though, execute more reliably if they do support such technologies. Furthermore, pre-existing user applications 140 need not be re-written or otherwise edited to be executed within the executive jails 122 since they can rely on the security features of stacks 200 to protect parts of the parent operating system 212 (and other hosted user applications 140) from their potentially errant behavior. For instance, the stacks 200 can require that non administrative users 104 access the cross mounted versions of the executable applications 242 via the HTTP/S protocol (or some other protocol) associated with certain executive jails 122.
- As with the administrative user configuration files 237 (for valid non administrative users 104), the executable user applications 242 are cross mounted to the executive jails 122 from the administrative jails 124. Thus, rogue behavior in the executive jails 122 can only harm the cross mounted and executable user applications 242, not the corresponding administrative versions of the user applications 240 in the administrative jails 124. Again, these two versions of the user applications reside at different storage locations in the parent operating system 212.
- With reference again to
FIG. 2 , thestack 200 of embodiments also provides compliance/auditing features sometimes desired by users affected by HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. rules. Thestack 200 gives administrative users 248 (and hostadministrative users 129 for that matter) freedom to implementuser applications 140 that watch for potential violations of the regulations, standards, industry practices, etc. with which they might want to comply (and changes thereto). For instance, viasyslog data 130 monitoring, these report-generatinguser applications 140 can detect intentional (or unintentional) changes in read/write privileges and send an alert informing a compliance officer (or other user) that a hosted web site 235 has detected a suspected attack and has responded in some fashion to restore compliance (should the attack or accidental occurrence such as an administrative mis-configuration have affected it). Moreover, becausemalicious users 106 cannot alter theunderlying syslog data 130 after-the-fact, thestack 200 of the current embodiment can preserve all audit trails (or at least allow for their recovery) for further investigation.Stacks 200 thereby provide better post-forensic analysis as well. - In some embodiments, the
stack 200 uses syslog monitoring capabilities including those related to security issues as well as those related to web logging. Of course, in the alternative or in addition, stacks 200 of embodiments can use other monitoring capabilities in place of syslog capabilities. Whether thestack 200 uses syslog capabilities or some other monitoring capabilities, thestack 200 can gather syslog data 130 (or similar information) from where ever it might arise in thesystem 100. For instance,FIG. 2 illustratessyslog data 130 being gathered fromvirtual roots 224 and/or partition for the executive andadministrative jails parent operating system 212; from theparent file structure 214; and from the hosted web sites 235. Thus, if it appears (from a comparison of thesyslog data 130 and the intended/expected features, aspects, etc. of the stack 200) that something unusual, un-authorized, or malicious might be occurring (or occurred), thestack 200 can take various actions. For instance, thestack 200 can stop the activity; revert to a last-known-safe-state; roll the activity back; allow it to continue while gathering intelligence about it; alert the hostadministrative user 129; respond according to a rule or set of rules; etc. - In any case, stacks 200 of embodiments send
syslog data 130 to the parent operating system 212 (and/or to off-site secure storage) for storage and subsequent processing. Some stacks 200 also (or instead) store syslog data 130 in the administrative jails 124 corresponding to the location of the activity that triggered the syslog reporting mechanism(s). In any case, the syslog data 130 is secured for subsequent review and analysis by the host administrative user 129 and/or the administrative users 248 as the case may be. Furthermore, some embodiments forensically secure the syslog data 130 stored in the parent operating system 212 (and, perhaps, within a syslog dedicated partition if desired to, for instance, manage its size and prevent server denials of service should it become large enough to cause such effects). One of many secure mechanisms for sending syslog data 130 to the parent file structure 214 is the open source security (OSSEC) protocol. -
Parent operating systems 212 of embodiments also monitor for other pertinent data indicative of malicious, negligent, potentially errant, etc. behavior including (but not limited to): file modifications; permission changes; ownership changes; uptime/performance monitoring (of both executive and administrative jails, user applications 140, application databases 125, hosted web sites 235, etc.); disk input/output operations; allocated and available drive space; allocated and available memory; CPU utilization; successful and unsuccessful user login attempts; the number of TCP connections; the number of TCP states; web requests; etc. The parent operating system 212 can also monitor processes to help ensure that features such as syslog and/or the web servers remain operative. Of course, this syslog data 130 can be made available to compliance officers, compliance auditors, and/or other users in summary and/or detailed form. In any case, the stack 200 can make available a record of pertinent events for forensic analysis and/or review. - Regarding web logging,
syslog data 130 related thereto can be sent to and stored in the administrative jails 124 where the corresponding administrative users 248 would likely be the ones with interest in its contents. Of course, the host administrative user 129 could also review their syslog data 130 if desired since the privileges associated with the host administrative user 129 allow the host administrative user 129 access to the administrative jails 124. In either case, the syslog data 130 can also be monitored, reviewed, analyzed, used for corrective or remedial action, etc. by the administrative users 248 and/or host administrative user 129. Additionally, administrative user applications 240 (and their executable user application 242 counterparts) can be provided to generate reports from the syslog data 130 sufficient to comply, at least in part, with HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, and/or similar rules. At this juncture it might be useful to disclose aspects of the operations of systems 100, hosts 112, stacks 200, parent operating systems 212, etc. of some embodiments. -
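As an added illustration (not code from the patent), the following Python watcher applies rules of the kind the passages above describe to a few constructed syslog lines: a disk write inside a jail that is expected to be read-only, a permission change, and repeated failed logins. The `jaild` tag, its key=value message format, the jail names and the three-failure threshold are all assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines. The "jaild" tag and its key=value message
# format are assumptions for this example, not a format the patent specifies.
SAMPLE_SYSLOG = """\
2013-11-06T10:00:01 host112 jaild: jail=exec1 user=alice op=read path=/www/index.html
2013-11-06T10:00:02 host112 jaild: jail=exec1 user=alice op=write path=/www/upload.php
2013-11-06T10:00:03 host112 sshd: Failed password for bob from 203.0.113.5
2013-11-06T10:00:04 host112 sshd: Failed password for bob from 203.0.113.5
2013-11-06T10:00:05 host112 sshd: Failed password for bob from 203.0.113.5
2013-11-06T10:00:06 host112 sshd: Failed password for bob from 203.0.113.5
2013-11-06T10:00:07 host112 jaild: jail=admin1 user=carol op=chmod path=/etc/httpd.conf mode=0777
2013-11-06T10:00:08 host112 jaild: jail=admin1 user=carol op=write path=/www/app.php
"""

JAIL_EVENT = re.compile(
    r"jaild: jail=(?P<jail>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)")
FAILED_LOGIN = re.compile(r"sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)")

# Expected state of the stack (assumed): executive jails are disk read-only,
# administrative jails may be written by their owners.
READ_ONLY_JAILS = {"exec1"}
DISK_WRITE_OPS = {"write", "chmod", "chown", "unlink", "rename"}
PRIVILEGE_OPS = {"chmod", "chown"}   # permission/ownership changes are reported wherever they occur


@dataclass
class Alert:
    severity: str
    reason: str
    evidence: str   # the raw syslog line that triggered the alert


def detect(syslog_text, failed_login_threshold=3):
    """Compare syslog events against the expected state and return alerts in log order."""
    alerts = []
    failed = Counter()
    for line in syslog_text.splitlines():
        m = JAIL_EVENT.search(line)
        if m:
            jail, user, op = m["jail"], m["user"], m["op"]
            if jail in READ_ONLY_JAILS and op in DISK_WRITE_OPS:
                alerts.append(Alert("high",
                    f"disk write attempted in read-only executive jail {jail} by {user}", line))
            elif op in PRIVILEGE_OPS:
                alerts.append(Alert("medium", f"permission/ownership change in {jail} by {user}", line))
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            failed[m["user"]] += 1
            if failed[m["user"]] == failed_login_threshold:   # alert once when the threshold is hit
                alerts.append(Alert("medium",
                    f"{failed_login_threshold} failed logins for {m['user']} from {m['src']}", line))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_SYSLOG):
        print(f"[{a.severity}] {a.reason}")
```

The write by carol inside `admin1` produces no alert because writes are expected there; the same operation in `exec1` is the high-severity finding. A production watcher would read the rules from the stack's configuration rather than from module constants.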
FIG. 3 illustrates a flow chart of a method for setting up an operating system and/or web server. More specifically, FIG. 3 illustrates that the method 300 sometimes begins with the parent operating system 212 booting up and/or accessing its parent file structure 214 as reference 302 indicates. It is noted here that syslog data 130 monitoring and/or firewalls might already have been activated if desired. In any case, the parent operating system 212 can read the administrative application configuration files 236 looking for unexpected changes. See reference 304. -
Method 300 can also include reading the administrative and executive user configuration files 237 and 238 as indicated at reference 306. If desired, the parent operating system 212 can compare both versions of the user configuration files 237 and 238 (administrative and executive) if both are available and check for differences. An unexpected difference, of course, might indicate that at least something unusual and/or potentially worthy of investigating has occurred. In this manner (and perhaps others) the parent operating system 212 can begin identifying users host 112 or any user attempts a disk write operation anywhere in the host 112) an alert can be raised and/or the activity stopped, whether automatically or by intervention by a host administrative user 129. Similarly, the administrative application configuration file 236 could be inspected for unexpected modifications and appropriate actions taken should a discrepancy be detected. - Furthermore, as part of
method 300, the parent operating system 212 can start the network and/or host firewall 114 application before any network services are started (or if another instance of it is desired). See reference 308. Moreover, because the executive jails 122 and administrative jails 124 might both need to contact the corresponding application databases 125, provisions can be made at about this time so that they can do so. For instance, the firewall can be configured to allow VLANs associated with the jails and application databases 125 to contact each other through the VLAN switch 202, on certain ports, in certain manners, etc. so that the jails and application databases 125 can support the functionality desired in the hosted web sites 235 and/or user applications 140. - Thus, with at least some security measures in place, the
parent operating system 212 of the current embodiment can begin setting up the jails. The parent operating system 212 could set up the jails for the host administrative users 129 who might be directing the activities of the parent operating system 212. For instance, the parent operating system 212 could create one or more administrative jails 124 or virtual roots as indicated at reference 310. If the application configuration files 236 and the administrative version of the user configuration files 237 are not already mounted in the virtual roots 224 and/or partitions related to the administrative jail 124, the parent operating system 212 can mount these files into the appropriate administrative jails 124. See reference 312. At some point, the parent operating system 212 could cross mount the administrative user applications 240 into the administrative jails 124 as indicated at reference 314. The parent operating system 212 could also create virtual roots for the executive jail(s) 122 as reference 316 indicates. -
Method 300, as illustrated by FIG. 3, also includes the administrative user 248 cross mounting executive user configuration files 238 (for the non-administrative users 104) to one or more executive jails 122. Thus, non-administrative users 104 accessing the executive jails 122 can be authenticated before they proceed with any activity therein. See reference 318. At some point, it might become desirable for the administrative user 248 to cross mount one or more of the executable user applications 242 from its administrative jail 124 into an executive jail 122. Accordingly, reference 320 illustrates the operating system 212 cross mounting an executable user application 242 to the executive jail 122 which corresponds to the administrative jail 124 in which the administrative version had been located. Thus, if any non-administrative user 104 accesses the cross mounted and executable user application 242, that non-administrative user 104 can perform those activities for which they possess privileges in accordance with the cross mounted and executable user configuration file 238. See reference 322 where non-administrative users 104 are illustrated as making access requests upon the executive jails 122. - Of course, as indicated by
reference 324, administrative users 248 might begin making read/write access requests to various administrative jails 124, the binaries therein, administrative user applications 240, application databases 125, etc. If and/or when these requests occur, the administrative jails 124 can authenticate the users involved, check their privileges, and grant/deny access accordingly. See reference 326 (and see also FIGS. 4 and 5 for further details in accordance with some embodiments). - As disclosed further herein, the
parent operating system 212 collects syslog data 130 from a variety of sources within the host 112 and perhaps even from the system 100. Depending on the embodiment, the parent operating system 212 could also collect syslog data 130 throughout all or portions of the method 300 (and other methods such as the methods illustrated in FIGS. 4 and 5). See reference 328. Of course, the collected syslog data 130 can be analyzed (and/or compared with the expected conditions and activities in the host 112) to detect, identify, prohibit, etc. unusual, un-authorized, malicious, and other types of potentially errant activity. If desired, a security event and incident management (SEIM) tool capable of aggregating disparate data can be used to aid in monitoring the syslog data 130 (and/or syslog-like data) and, via it, the operation of the host 112. Appropriate reports can be generated at reference 328 (and/or at other times) if desired to satisfy compliance/auditing rules related to HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. - Moreover,
method 300 can repeat in whole, or in part, as reference 330 indicates. Thus, the stack 200 provides for system level self auditing during the methods disclosed herein. -
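The comparison of the administrative and executive user configuration files at reference 306 can be expressed as a small check like the one below. This is an added example, not the patent's code; the colon-separated `user:privileges:home` file format and the sample users are constructed for it. It treats the administrative copy as authoritative and flags any user or privilege the executive copy carries that the administrative copy does not.

```python
# Constructed contents of the two user configuration files. The
# "user:privileges:home" format is an assumption for this example.
ADMIN_USER_CONFIG = """\
# administrative version (file 237): authoritative copy kept in the administrative jail
alice:read,write,restart:/home/alice
bob:read:/home/bob
"""

EXEC_USER_CONFIG = """\
# executive version (file 238): the copy cross mounted into the executive jail
alice:read,restart:/home/alice
bob:read,write:/home/bob
mallory:read:/home/mallory
"""


def parse_user_config(text):
    """Parse "user:priv1,priv2:home" lines into {user: {"privileges": set, "home": str}}."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected user:privileges:home, got {line!r}")
        user, privs, home = fields
        users[user] = {"privileges": {p for p in privs.split(",") if p}, "home": home}
    return users


def compare_user_configs(admin_text, exec_text):
    """Return findings where the executive copy disagrees with the administrative copy.

    The executive copy may legitimately carry fewer privileges than the administrative
    copy; it must never carry more, and must not list users the administrative copy lacks.
    """
    admin = parse_user_config(admin_text)
    exec_ = parse_user_config(exec_text)
    findings = []
    for user, entry in exec_.items():
        if user not in admin:
            findings.append(f"user {user!r} exists only in the executive copy")
            continue
        extra = entry["privileges"] - admin[user]["privileges"]
        if extra:
            findings.append(f"user {user!r} has privileges in the executive copy that the "
                            f"administrative copy does not grant: {sorted(extra)}")
        if entry["home"] != admin[user]["home"]:
            findings.append(f"user {user!r} has a different home in the executive copy")
    return findings


if __name__ == "__main__":
    for finding in compare_user_configs(ADMIN_USER_CONFIG, EXEC_USER_CONFIG):
        print("unexpected difference:", finding)
```

With the constructed files, alice's reduced privilege set in the executive copy is accepted, while bob's extra `write` privilege and the unknown user mallory are reported for investigation.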
FIG. 4 illustrates a flow chart of a method associated with an executive jail. More specifically, FIG. 4 further illustrates that method 400 can occur in association with a user attempting to access an executive jail 122 (see for instance reference 322 of FIG. 3). From the user perspective (who might be a public user, a valid non-administrative user 104, a malicious user 106, an administrative user 248, a host administrative user 129, etc.), the user will typically first make an access request via the network and/or host firewall 114 or VLAN switch 202. At this time, the network and/or host firewall 114 and/or VLAN switch 202 can compare the request and/or information regarding the user to its rules, settings, configuration, etc. and determine whether to allow the user access to the executive jail 122 in accordance therewith. See reference 402. - If the user and/or request passed muster, the user is initially allowed read only access to the
executive jail 122 via address IP1. See reference 404. The user may then begin attempting various operations as indicated by reference 406. In embodiments, all read operations within the executive jails 122 are allowed unless it is desired that even public browsing of information in the executive jail 122 be prohibited. Moreover, if the executive user application 242, the administrative user application 240, and the parent operating system 212 allow, some write operations might be permissible. But, if no such provisions have been made, any disk write operation will be denied by the executive jail 122. - Accordingly,
method 400 branches at reference 408. More specifically, if a mere disk read operation (which includes operations that happen to write to off-disk locations such as those involving application databases 125) is requested, as at reference 410, the executive jail 122 allows access for that user for that request to the executable user application 242, application database 125, and/or hosted web site 235 identified by the request (in compliance with the administrative user application 240 and permissions granted by the stack 200). If the parent operating system 212 detects any disk write operations during the requested operation, appropriate actions can be taken. - If a permissible, pre-arranged, disk write operation has been requested,
method 400 branches to reference 412. More specifically, the parent operating system 212 notifies the administrative jail(s) 124 corresponding to the write request that such a request has been made. If the configuration of the administrative jail(s) 124, executable user application 242, administrative user application 240, and the stack 200 involved in the apparent request all permit the request, the stack 200 can grant the request. But, if any such test fails, the stack 200 denies the request and perhaps issues an alert or takes other action. See the references involved. The stack 200 will ordinarily prevent branches to those references; but if a particular user application 140 requires/requests such access, permissions can be pre-arranged with the consent/cooperation of the host administrative user 129 if desired. - In many embodiments, if no disk write operations of any kind are provided for in a particular executive jail 122 (which is typical), the
stack 200 denies the request. Ordinarily, disk write operations will cause method 400 to branch to the denial path: since a disk write was attempted in an executive jail 122, something unusual would seem to be occurring. Accordingly, it is recognized that a malicious user 106 might have gained control of this particular executive jail 122 despite the safeguards associated therewith. The executive jail 122 will therefore usually attempt to deny the disk write operation. See reference 416. If the write operation succeeds anyway, the parent operating system 212 can stop execution of all activity associated with the particular executive jail 122 involved; freeze the configuration file 238 associated with the apparent non-administrative user 104 involved; invalidate the password of that user (if that user has a valid password); alert the corresponding administrative user 248 and/or the host administrative user 129; or take other actions as might be desirable. See reference 418. - Of course, as noted elsewhere herein,
syslog data 130 available at reference 328 (or available in the background) can be made available to support such activities. Moreover, reference 420 indicates that the parent operating system 212 can be monitoring syslog data 130 during all or a portion of method 400. Accordingly, if any activities, users, conditions in system 100, etc. deviate from what is expected and/or permitted, the parent operating system 212 can take appropriate actions. Otherwise, method 400 can repeat, in whole or in part, as indicated at reference 422. -
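The branching of method 400 above, and of the administrative-jail method 500 that the following paragraphs describe, can be written as a pair of decision functions. The code below is an added example rather than anything from the patent; the jail names, user lists and the `Request`/`JailConfig` records are assumptions, and the response list on a write into a read-only executive jail follows the actions named at reference 418.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class JailConfig:
    kind: str                               # "executive" or "administrative"
    admin_jail: Optional[str] = None        # corresponding administrative jail (executive jails only)
    write_allowed: bool = False             # pre-arranged disk write provision (executive jails only)
    users: Dict[str, Set[str]] = field(default_factory=dict)   # user -> privileges (file 237/238)


@dataclass
class Request:
    user: str
    jail: str          # jail the request arrived at (IP1 -> executive, IP2 -> administrative)
    op: str            # "read" or "write"
    target_jail: str   # jail that owns the resource being touched


@dataclass
class Decision:
    allowed: bool
    reason: str
    actions: List[str] = field(default_factory=list)   # responses the stack takes on denial


# Constructed jail layout; names and users are assumptions for this example.
JAILS = {
    "exec1": JailConfig("executive", admin_jail="admin1"),
    "exec2": JailConfig("executive", admin_jail="admin2", write_allowed=True),
    "admin1": JailConfig("administrative", users={"carol": {"read", "write"}}),
    "admin2": JailConfig("administrative", users={"dave": {"read", "write"}, "erin": {"read"}}),
}

# Responses listed at reference 418 for a write into an executive jail with no write provision.
WRITE_IN_READ_ONLY_JAIL_RESPONSE = [
    "stop all activity in the executive jail",
    "freeze the user's executive configuration file",
    "invalidate the user's password",
    "alert the administrative user and the host administrative user",
]


def decide_executive(req: Request, jails=JAILS) -> Decision:
    """Method 400: reads pass; writes pass only if pre-arranged and the administrative jail agrees."""
    jail = jails[req.jail]
    if req.op == "read":
        return Decision(True, "read operations are allowed in executive jails")
    if not jail.write_allowed:
        return Decision(False, "disk write in a read-only executive jail", WRITE_IN_READ_ONLY_JAIL_RESPONSE)
    # Pre-arranged write: notify the corresponding administrative jail and check its configuration.
    admin = jails[jail.admin_jail]
    if "write" in admin.users.get(req.user, set()):
        return Decision(True, f"pre-arranged write permitted by {jail.admin_jail}")
    return Decision(False, "pre-arranged write refused by the administrative jail's configuration", ["alert"])


def decide_administrative(req: Request, jails=JAILS) -> Decision:
    """Method 500: reads inside the jail pass; writes need the privilege and must stay in the user's own root."""
    jail = jails[req.jail]
    if req.op == "read":
        if req.target_jail == req.jail:
            return Decision(True, "read within the user's own administrative jail")
        return Decision(False, "read directed at a jail that should be hidden", ["flag for investigation"])
    if "write" not in jail.users.get(req.user, set()):          # reference 512
        return Decision(False, "privileges do not match the administrative user configuration file", ["alert"])
    if req.target_jail != req.jail:                              # reference 514
        return Decision(False, "write outside the user's own virtual root",
                        ["alert host administrative user immediately"])
    return Decision(True, "write within the user's own administrative jail")


if __name__ == "__main__":
    for r in (Request("alice", "exec1", "write", "exec1"), Request("dave", "admin2", "write", "exec2")):
        d = decide_executive(r) if JAILS[r.jail].kind == "executive" else decide_administrative(r)
        print(r, "->", "ALLOW" if d.allowed else "DENY", d.reason, d.actions)
```

The two functions deliberately share no state: the executive jail never consults its own copy of the user file to authorise a write, only the administrative jail's, which is what keeps a compromised executive jail from granting itself privileges.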
FIG. 5 illustrates a flow chart of a method associated with an administrative jail. More specifically, FIG. 5 illustrates method 500 whereby some administrative users 248 can access their administrative jails 124. In many situations, method 500 begins with a user making an access request to some administrative jail 124 through the network and/or host firewall 114 and/or VLAN switch 202. As in method 400, the host firewall 114 and/or VLAN switch 202 can authenticate the user and otherwise verify that the access request (which, if granted, permits write activities within the requested administrative jail 124) was made in accordance with the configuration, rules, etc. of the host firewall 114 and/or VLAN switch 202. See reference 502. If not, the request is usually denied. - Otherwise, the
host firewall 114 and/or VLAN switch 202 allows the request to proceed. See reference 504. Once the apparent administrative user 248 gains access to the requested administrative jail 124 via address IP2 for instance, that user becomes free to perform various read and write operations to/from the administrative jails 124 therein, application databases 125 therein, administrative user configuration files 237 therein (except their own user configuration file 237), binaries therein, etc. But, as disclosed elsewhere herein, those operations are limited to the confines of the particular administrative jail 124 to which the user has gained access. Any attempted write activity outside of that administrative jail 124, particularly disk writes or writes to other administrative jails 124 (or even executive jails 122) by that user, will trigger appropriate action(s) from the stack 200 of many embodiments. See reference 506. - Indeed, as indicated by
reference 508, the administrative jail 124 of the current embodiment will allow most read operations made by a user who gained access to an administrative jail 124 as long as those read operations pertain to that administrative jail 124 and/or comply with read-access-restrictions pertaining to other virtual roots of the parent operating system 212. But, for instance, a read request to another administrative jail 124, executive jail 122, or the parent operating system 212 (which are supposedly hidden from the administrative jail 124 involved) could serve to indicate the desirability of an investigation or other response. In other words, permitted read requests will be executed as shown by connector “A” and reference 518. But, if some operation other than a permissible read operation is attempted by the user in the context of the administrative jail 124 involved, the method 500 branches to reference 510. - At
reference 510, the administrative jail 124 can check the privileges associated with the supposed administrative user 248 as defined by the corresponding administrative user configuration file 237. See reference 512. Should a mismatch be found, the administrative jail 124 often denies the request and might also issue an alert or take other appropriate action. See reference 520. If the requested operation (which might be a write operation to the administrative jails 124 of some type) satisfies the privileges of the supposed administrative user 248, method 500 continues by checking whether the supposed administrative user 248 is operating in the virtual root (or administrative jail 124) associated therewith. See connector “B” and reference 514. If not, something can often be assumed to be amiss and method 500 branches to reference 520. As with an impermissible read operation, reference 520 indicates that the administrative jail 124 denies the request. But, in the case of an unauthorized write attempt, it might be the case that more immediate action and/or alerting would be in order. The parent operating system 212 and/or the host administrative user 129 can be alerted and therefore respond accordingly. - In any case, after the
administrative jail 124 either denies or executes a requested operation associated with itself, method 500 can include obtaining, analyzing, etc. syslog data 130. These reviews can be performed by the host administrative user 129, the administrative users 248, or both if desired. In addition or in the alternative, the parent operating system 212 and/or a user application 140 can generate a compliance/auditing report if desired. Moreover, the gathering of the syslog data 130 here (and in methods 300 and 400) can be performed continuously, periodically, on a scheduled basis, only when selected operations occur, etc. As disclosed elsewhere herein, the syslog data 130 can be gathered from those portions of the system 100 at which it is desired to detect, isolate, stop, hinder, correct for, mitigate, etc. malicious, negligent, unauthorized, and/or other apparently errant activity. See reference 522. More specifically, at reference 522 all events related to web access and/or logins can be logged even if valid to, for instance, keep track of those users who might be accessing a hosted web site 235, application database 125, user application 140, etc. - For content integrity monitoring purposes, syslog and tools other than syslog can be employed. For instance Tripwire® and/or FTimes can monitor the checksums of various files in the
jails on behalf of the stack 200 and/or the host administrative user 129. In addition, such tools can run in the parent operating system 212 where they can remain hidden from all users other than the host administrative user 129. This means, in part, that malicious users 106 (and even valid users 104 and 248) would be unaware of the tool and its monitoring efforts, thereby making it more likely that a malicious (or accidental) change would be detected if attempted. - In the alternative, the
stack 200 could allow administrative users 248 to choose which resources (that they own) within their administrative jails 124 (and for that matter, in the executive jails 122) they wish to have monitored for content integrity. Of course, if an administrative user 248 were to be informed of this service they would not necessarily need to know how it might be performed. In this way, administrative users 248 would be free to perform certain administrative functions (such as changing variables in the configuration files 236 and 237) without causing needless alerts. In any case, reference 522 illustrates that syslog data 130 and/or the like can be monitored and reviewed as desired. - In any case,
method 500 can repeat in whole, or in part, as desired as indicated at reference 524. - Thus, hosts 112 of various embodiments therefore place limits on the abilities of
malicious users 106 and other users (and user applications 140 not written in accordance with good design/programming practices) to access, damage, or otherwise harm operating systems 212, user applications 140, web servers, etc. For instance, hosts 112 of some embodiments allow users (including administrative users 248) no authority to alter system variables, settings, etc. other than stopping and re-starting their hosted web sites 235, user applications 140, etc. Even these activities, though, can be detected via syslog reporting (and/or the like) so that an unusual pattern (or even an occurrence) of such events could trigger an investigation and/or corrective action. In some embodiments, it is predicted that the worst that a malicious user 106 might be able to manage is being able to control one hosted web site 235, one set of (commonly owned) user applications 140, or command of one administrative jail 124. Even so, that malicious user 106 would only be granted (by virtue of their attack) authority within those bounds and would further be limited to starting and/or stopping the (singular) hosted web site 235. - Accordingly, a
malicious user 106 might be able to write sensitive credit card data to an executive jail 122. But, in embodiments, that malicious user 106 could not read such sensitive data from the executive jail 122 because of the differing versions of the user configuration files 237 and 238 in the respective jails. The host firewall 114 might assist in mitigating the results of such events by denying the apparent administrative user's attempt to access the administrative user application 240 and/or application database 125 from the executive jails 122. As a result, even if a malicious user 106 gained command execution within an executive jail 122, that malicious user 106 could not brute force the credentials for the administrative user 248. Thus, it would still require an administrative user 248 operating from within the corresponding administrative jail 124 to read and/or edit such sensitive information. As a result, stacks 200 of embodiments provide improved security against malicious (or accidental) attacks and even against applications and/or web sites failing to meet good design/programming practices. - Furthermore, stacks 200 of the current embodiment would recognize an attempt to execute a file outside of an executive jail 122 (even the administrative version of a user application 240) as an unusual, suspicious, and likely malicious attack. Likewise, stacks 200 would recognize attempts to edit administrative user applications 240 (even the executable user applications 242) outside of the corresponding
administrative jails 124 as yet another type of malicious attack (or at least something unusual enough to perhaps merit investigation). - Furthermore, while it might be possible for a
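The checksum-based content integrity monitoring described a few paragraphs above (Tripwire and FTimes are named there) comes down to a baseline of file hashes that is periodically recomputed and compared, with the administrative user allowed to exclude resources they edit routinely. The example below is an added illustration, not the patent's or either tool's code; it builds the baseline with SHA-256 over a constructed temporary directory and shows that an edit to an excluded configuration file produces no finding while an altered file and a dropped-in file do.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excluded=()):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    `excluded` holds relative paths an administrative user has chosen not to
    monitor (for instance a configuration file they edit routinely).
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in excluded:
                baseline[rel] = sha256_file(p)
    return baseline


def compare_baseline(before, after):
    """Report files whose checksum changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def demo():
    """Constructed scenario: one monitored file is altered, one file is dropped in,
    and an excluded configuration file is edited legitimately."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "www").mkdir()
        (root / "etc").mkdir()
        (root / "www" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "etc" / "app.conf").write_text("debug=0\n")
        excluded = {"etc/app.conf"}             # chosen by the administrative user
        before = build_baseline(root, excluded)

        # Simulated activity between two monitoring runs.
        (root / "www" / "index.php").write_text("<?php echo 'tampered'; ?>\n")
        (root / "www" / "dropped.php").write_text("<?php /* unexpected new file */ ?>\n")
        (root / "etc" / "app.conf").write_text("debug=1\n")
        after = build_baseline(root, excluded)
        return compare_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be stored where the monitored jails cannot reach it (the parent operating system, as the text suggests), otherwise a user who can alter a file can also alter its recorded checksum.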
malicious user 106 to damage, destroy, or copy an executable user application 242 and/or executive user configuration files 238 in an executive jail 122, that malicious user 106 cannot see, much less access, either the administrative jail(s) 124, the resources therein (except those that are specifically cross mounted to the executive jail 122 such as application binaries, source code, etc.), or the parent operating system 212 and the resources stored therein. - In addition, because the underlying system-level directories and files (in the parent file structure 214) are not writable for
non-administrative users 104, even malicious users 106 in the executive jails 122 cannot modify existing system-level files or insert dangerous files into hosted web sites 235 (or other aspects of stacks 200). In addition, because stacks 200 of some embodiments prevent egress from the executive jails 122, malicious users 106 will have much more difficulty including, using, or leveraging external or remote files to mount RFI attacks on the hosted web sites 235 or other aspects of the system. - In the meantime,
administrative users 248 can still access their administrative, and therefore un-attacked, versions of the user configuration file 237 and user applications 240. More specifically, administrative users 248 can access these resources and inspect, modify, etc. the same. Changes made to these resources (in the administrative jail 124) can be cross mounted to the corresponding executive jail 122 for execution therein (and only therein in some embodiments) at the discretion of the administrative user 248. In some embodiments, the stack 200 also password protects access to the administrative jails 124. This helps reduce the risk should a malicious user 106 compromise one of the other administrative jails 124 (or executive jails 122) and it does so while still giving administrative users 248 full administrative access to the administrative user applications 240. Thus, even if a malicious user 106 compromises one administrative jail 124, the stack 200 limits the resulting vulnerability to the administrative versions of their user applications 240 and administrative user configuration files 237 in that administrative jail 124 and not others. Of course, having two separate administrative jails 124 for some administrative users 248 would provide yet another level of redundancy in such situations whereby even a compromise of one of the two administrative jails 124 would leave the redundant administrative jail 124 in service in many scenarios. - Of course, changes made to their resources by an administrative user 248 (or a
malicious user 106 acting as an administrative user 248) can be written to the parent operating system 212, but only within the corresponding administrative jail 124. A disk write of this information (or any other information) anywhere else would trigger a response from the stack 200. Thus, no other administrative jail 124 can be affected nor can the parent operating system 212 itself be attacked in such scenarios. Likewise, if some malicious user 106 compromises a particular administrative jail 124, any outbound malicious activity will be limited to that particular compromised administrative jail 124 and no others. - Moreover, because of certain firewall rules, VPN access requirements, etc. that are associated with
administrative jails 124 of some embodiments, malicious users 106 cannot execute brute force attacks against the stack 200 for information regarding the administrative users 248 (for instance, their passwords). In the alternative, or in addition, stacks 200 of embodiments can help defeat phishing attempts by (at the web server application firewall level) modifying some or all of the relative path references on the web sites to fully qualified paths, so that malicious users 106 end up sending referring URLs (Uniform Resource Locators) when they make copies of the site to be phished. This might make it a bit easier to copy the template login, registration, change password page, etc. that the malicious user 106 would likely make a copy of and modify to log the phished information (which once a user is phished is normally copied anyway) but more importantly it ends up sending these referring URLs back to the site. These referring URLs can be watched for and therefore detected and thwarted. Affected users can also be notified of these all-too-common attacks thereby improving overall user security. Moreover, embodiments provide web application firewalls either in front of the physical (web server) device on the network or residing in the web server itself. These aspects of embodiments therefore deny malicious users 106 the ability to attack the hosts 112 and parent operating systems 212 directly. - As another result of the current disclosure, for a
malicious user 106 to misuse the privileges of an administrative user 248, not only must the administrative user 248 (or a malicious user 106 acting as one) be authenticated and logged in through the VPN interface, but that malicious user 106 also has to take additional actions to compromise security. For instance, that malicious user 106 would have to force a CSRF of the administrative version of the hosted web site 235 or user application 240 in the administrative jail 124 (not in the executive jail 122 where it would fail for lack of privileges anyway). However, embodiments provide for adding nonces at the web server application firewall level on forms for subsequent verification during subsequent valid user sessions, thereby aiding the detection and thwarting of such attacks. - Furthermore, even
administrative users 248 of the hosts 110 cannot hack into each other's hosted web sites 235 or the administrative user applications 240. Nor can they alter or eliminate (after-the-fact) syslog data 130 or other security related information which might have been generated by their unusual, malicious, unauthorized, or apparently errant activities. Thus, while they might be able to insert erroneous and/or falsified syslog data 130, they will have difficulty modifying and/or concealing syslog data 130 created by their earlier activities because the logging occurred concurrently with those earlier activities. Embodiments therefore provide secure operating systems, web server systems, and methods possessing self compliance/auditing abilities with respect to HIPAA, GLBA, Sarbanes-Oxley, PCI DSS, etc. rules. - Although the subject matter has been disclosed in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts disclosed above. Rather, the specific features and acts described herein are disclosed as illustrative implementations of the claims.
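The form nonces the disclosure places at the web application firewall level (two paragraphs above, in the CSRF discussion) can be implemented as shown below. This is an added example, not the patent's code, and the patent does not fix a construction; this one is a swapped-in choice that binds an HMAC over the session identifier, form path and issue time, so a token replayed from another session or form, or after it expires, fails verification. `SECRET`, the `_waf_nonce` field name and the sample page are constructed for the example.

```python
import hashlib
import hmac
import re

# Placeholder key for the example only; a deployment generates and protects
# its own key (for instance with secrets.token_bytes(32)) and keeps it outside the jails.
SECRET = b"constructed-example-key-not-for-production"

NONCE_FIELD = "_waf_nonce"
FORM_OPEN = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)

# Constructed page with two forms, as the firewall would see it on the way out.
SAMPLE_PAGE = """<html><body>
<form method="post" action="/login"><input name="user"><input name="pw" type="password"></form>
<form method="post" action="/change-password"><input name="new" type="password"></form>
</body></html>"""


def _mac(secret, session_id, form_path, issued_at):
    msg = f"{session_id}|{form_path}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_nonce(secret, session_id, form_path, issued_at):
    """Token bound to the session, the form's path and an issue time (seconds since epoch)."""
    return f"{issued_at}:{_mac(secret, session_id, form_path, issued_at)}"


def verify_nonce(secret, session_id, form_path, token, now, max_age=900):
    """True only if the token was issued for this session and form and is not stale."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued_at <= max_age:
        return False
    try:
        return hmac.compare_digest(_mac(secret, session_id, form_path, issued_at), mac)
    except TypeError:          # non-ASCII junk in the submitted token
        return False


def inject_nonce(html, token):
    """Insert a hidden nonce field right after every <form ...> opening tag (firewall response path)."""
    hidden = f'<input type="hidden" name="{NONCE_FIELD}" value="{token}">'
    return FORM_OPEN.sub(lambda m: m.group(1) + hidden, html)


if __name__ == "__main__":
    tok = issue_nonce(SECRET, "sess-1", "/login", 1000)
    print(inject_nonce(SAMPLE_PAGE, tok))
    print("same session, in time:", verify_nonce(SECRET, "sess-1", "/login", tok, now=1500))
    print("other session:        ", verify_nonce(SECRET, "sess-2", "/login", tok, now=1500))
```

On the request path the firewall strips `_waf_nonce` from the submitted form, verifies it against the session cookie and the request path, and drops (and logs, for the syslog-based review described above) any submission whose token is missing, forged or stale. Issuing one token per form path means a nonce harvested from the login page cannot be replayed against the change-password form.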
Claims (20)
1. A machine readable medium storing machine executable instructions which when executed by the machine cause the machine to execute a method comprising:
creating virtual roots for a plurality of executive jails from a parent operating system and separate from each other in a first set of locations in a parent file structure of the parent operating system;
setting privileges associated with each of the individual executive jails to disk read-only for users accessing the executive jails via an interface with a wide area network;
creating virtual roots for a plurality of administrative jails corresponding to the plurality of executive jails from the parent operating system, separate from each other, and from each of the executive jails in a second set of locations in the parent file structure of the parent operating system;
hiding all of the administrative jails from all of the executive jails;
hiding the parent operating system from all of the executive jails and from all of the administrative jails; and
cross mounting a user configuration information from a first of the administrative jails in to a first of the executive jails corresponding to the first administrative jail.
2. The machine readable medium of claim 1 storing further instructions which when executed by the machine cause the machine to hide the parent file structure of the parent operating system from the executive jails and the administrative jails.
3. The machine readable medium of claim 1 storing further instructions which when executed by the machine cause the machine to mount a first user application from the first administrative jail in to the first executive jail.
4. The machine readable medium of claim 1 storing further instructions which when executed by the machine cause the machine to password protect each of the individual administrative jails.
5. The machine readable medium of claim 1 storing further instructions which when executed by the machine cause the machine to store security related syslog data related to an executive jail in a location associated with the parent file structure of the parent operating system.
6. The machine readable medium of claim 1 storing further instructions which when executed by the machine cause the machine to store web log related syslog data related to an executive jail in a location associated with the corresponding administrative jail.
7. A web server comprising:
an interface with a wide area network;
a parent operating system;
a plurality of executive jails to be created in virtual roots associated therewith and within the parent operating system and to be disk read-only as accessed by users over the interface with the wide area network;
a plurality of administrative jails to correspond to the plurality of executive jails and to be created within virtual roots associated therewith and within the parent operating system and to be hidden from the executive jails, the parent operating system to be hidden from the executive jails and from the administrative jails;
user configuration information to be cross mounted from a first of the administrative jails into a first of the executive jails to correspond to the first administrative jail.
8. The web server of claim 7 further comprising a parent file structure of the parent operating system hidden from the executive jails and the administrative jails.
9. The web server of claim 7 further comprising a first user application to be cross mounted from the first administrative jail into the first executive jail.
10. The web server of claim 7 wherein each of the administrative jails to be individually password protected.
11. The web server of claim 7 wherein the executive jails are restricted from initiating outbound communications via the interface to the wide area network.
12. The web server of claim 7 further comprising a location associated with a parent file structure of the parent operating system wherein security-related syslog data related to an executive jail is to be stored.
13. The web server of claim 7 further comprising a location associated with an administrative jail wherein web log related syslog data of a corresponding executive jail is to be stored.
14. A method comprising:
creating virtual roots for a plurality of executive jails within a parent operating system;
setting privileges associated with each of the executive jails to disk read-only for users accessing the executive jails via an interface with a wide area network;
creating virtual roots for a plurality of administrative jails corresponding to the plurality of executive jails within the parent operating system;
hiding the administrative jails from the executive jails;
hiding the parent operating system from the executive jails and from the administrative jails; and
cross mounting user configuration information from a first of the administrative jails into a first of the executive jails corresponding to the first administrative jail.
15. The method of claim 14 further comprising hiding a parent file structure of the parent operating system from the executive jails and the administrative jails.
16. The method of claim 14 further comprising mounting a first user application from the first administrative jail into the first executive jail.
17. The method of claim 14 further comprising password protecting each of the individual administrative jails.
18. The method of claim 14 further comprising restricting the executive jails from initiating outbound communications over the interface to the wide area network.
19. The web server of claim 14 further comprising storing security related syslog data related to an executive jail in a location associated with a root directory of the parent operating system.
20. The web server of claim 14 further comprising storing web log related syslog data related to an executive jail in a location associated with the corresponding administrative jail.
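The procedure of claims 1, 7 and 14 (and the log locations and outbound restriction of claims 5, 6, 11 and 18), as an added shell example that is not part of the patent or of any product it describes: it lays out one hosted site's executive/administrative jail pair and writes the FreeBSD jail(8) configuration that ties them together (jail.conf stanzas, a nullfs fstab with read-only cross mounts, and pf rules). The base directory, site name and address are assumptions; the script only writes files and never mounts or starts anything, so it runs unprivileged on any system.

```shell
# Added example, not the patent's code; paths, site names and IPs are assumed.
# Writes files under BASE only: nothing is mounted or started, so it runs unprivileged.
set -eu

# gen_site BASE SITE IP: lay out one hosted site's executive/administrative jail pair.
gen_site() {
    base=$1; site=$2; ip=$3
    exec_root="$base/exec/$site"     # virtual root of the executive jail
    admin_root="$base/admin/$site"   # virtual root of the administrative jail
    # Separate roots under the parent file system: the parent and the admin root
    # are unreachable from inside the executive root. $base/log/$site holds the
    # parent-side security syslog (claim 5), $admin_root/var/log/www the web logs (claim 6).
    mkdir -p "$exec_root/etc/$site" "$exec_root/srv/www" "$base/fstab" \
             "$admin_root/etc/$site" "$admin_root/srv/www" \
             "$admin_root/var/log/www" "$base/log/$site"

    # Cross mount (claims 1/7/14): user configuration and the hosted site live in
    # the admin jail and are nullfs-mounted read-only into the executive jail,
    # giving WAN users disk read-only access. jail(8) mounts this fstab via mount.fstab.
    cat > "$base/fstab/${site}_exec" <<EOF
$admin_root/etc/$site $exec_root/etc/$site nullfs ro 0 0
$admin_root/srv/www $exec_root/srv/www nullfs ro 0 0
EOF

    cat >> "$base/jail.conf" <<EOF
${site}_exec {
    path = "$exec_root";
    host.hostname = "$site";
    ip4.addr = "$ip";
    mount.fstab = "$base/fstab/${site}_exec";
    allow.raw_sockets = 0;
    securelevel = 3;
}
${site}_admin {
    path = "$admin_root";
    host.hostname = "admin.$site";
}
EOF

    # Claims 11/18: the executive jail answers HTTP(S) but never initiates
    # outbound connections; replies ride on the inbound state entry.
    cat >> "$base/pf.conf" <<EOF
pass in quick proto tcp to $ip port { 80 443 } keep state
block out quick from $ip to any
EOF
}

# Check helper: every line of the executive jail's fstab must be read-only.
all_ro() { ! grep -vq ' nullfs ro ' "$1/fstab/${2}_exec"; }
```

Calling `gen_site /jails site1 10.0.0.11` produces the fragments for one site; `all_ro /jails site1` confirms that nothing is cross-mounted writable into the executive jail.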
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/073,290 US20140068786A1 (en) | 2011-12-14 | 2013-11-06 | Securing Operating System/Web Server Systems and Methods |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/325,347 US8601580B2 (en) | 2011-12-14 | 2011-12-14 | Secure operating system/web server systems and methods |
US14/073,290 US20140068786A1 (en) | 2011-12-14 | 2013-11-06 | Securing Operating System/Web Server Systems and Methods |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/325,347 Continuation US8601580B2 (en) | 2011-12-14 | 2011-12-14 | Secure operating system/web server systems and methods |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140068786A1 (en) | 2014-03-06 |
Family
ID=48611658
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/325,347 Expired - Fee Related US8601580B2 (en) | 2011-12-14 | 2011-12-14 | Secure operating system/web server systems and methods |
US14/073,290 Abandoned US20140068786A1 (en) | 2011-12-14 | 2013-11-06 | Securing Operating System/Web Server Systems and Methods |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/325,347 Expired - Fee Related US8601580B2 (en) | 2011-12-14 | 2011-12-14 | Secure operating system/web server systems and methods |
Country Status (2)
Country | Link |
---|---|
US (2) | US8601580B2 (en) |
WO (1) | WO2013090314A1 (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9401904B1 (en) * | 2012-03-15 | 2016-07-26 | Motio, Inc. | Security migration in a business intelligence environment |
DE202012013193U1 (en) * | 2012-06-26 | 2015-05-06 | INTER CONTROL Hermann Köhler Elektrik GmbH & Co KG | Device for a safety-critical application |
US9448888B2 (en) * | 2013-11-15 | 2016-09-20 | Lenovo Enterprise Solutions (Singapore) Pte. Ltd. | Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank |
CN103645982B (en) * | 2013-11-29 | 2017-11-14 | 北京奇虎科技有限公司 | Log processing method and client |
EP3281143A4 (en) | 2015-04-10 | 2018-11-21 | Entit Software LLC | Modifying web page code to include code to protect output |
US9767285B2 (en) * | 2015-06-04 | 2017-09-19 | Accenture Global Services Limited | Process categorization using crowdsourcing |
EP3566169B1 (en) * | 2017-01-04 | 2021-06-30 | SCHWARTZ, Gerhard | Asymmetrical system and network architecture |
CN109726041B (en) * | 2017-10-27 | 2023-09-08 | 伊姆西Ip控股有限责任公司 | Method, apparatus and computer readable medium for restoring files in a virtual machine disk |
EP3725755A2 (en) | 2019-04-18 | 2020-10-21 | Basf Se | Compositions with improved urease-inhibiting effect comprising aromatic alcohols, or amines, or amides, and an adduct of the three compounds n-(n-butyl) thiophosphoric acid triamide (nbpt), urea, and formaldehyde |
EP3725756A2 (en) | 2019-04-18 | 2020-10-21 | Basf Se | Compositions with improved urease-inhibiting effect comprising amines, or colorants, and an adduct of the three compounds n-(n-butyl) thiophosphoric acid triamide (nbpt), urea, and formaldehyde |
US11563765B2 (en) * | 2020-04-10 | 2023-01-24 | AttackIQ, Inc. | Method for emulating a known attack on a target computer network |
US11991150B2 (en) * | 2020-09-25 | 2024-05-21 | Electronics And Telecommunications Research Institute | Apparatus and method for providing remote work environment |
US11790084B2 (en) * | 2021-11-08 | 2023-10-17 | Cloud Linux Software, Inc. | Systems and methods for protecting core files in a content management systems |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040226019A1 (en) * | 2003-05-09 | 2004-11-11 | Tucker Andrew G. | Fine-grained privileges in operating system partitions |
US20070180509A1 (en) * | 2005-12-07 | 2007-08-02 | Swartz Alon R | Practical platform for high risk applications |
US20070283147A1 (en) * | 2006-05-30 | 2007-12-06 | Fried Eric P | System and method to manage device access in a software partition |
US20100118324A1 (en) * | 2008-11-13 | 2010-05-13 | Fuji Xerox Co., Ltd. | Information processor and computer readable medium |
US20120216281A1 (en) * | 2011-02-22 | 2012-08-23 | PCTEL Secure LLC | Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel |
US8353031B1 (en) * | 2006-09-25 | 2013-01-08 | Symantec Corporation | Virtual security appliance |
US8424078B2 (en) * | 2007-11-06 | 2013-04-16 | International Business Machines Corporation | Methodology for secure application partitioning enablement |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7783665B1 (en) * | 2002-03-27 | 2010-08-24 | Parallels Holdings, Ltd. | Effective file-sharing among virtual environments |
US7328225B1 (en) * | 2002-03-27 | 2008-02-05 | Swsoft Holdings, Ltd. | System, method and computer program product for multi-level file-sharing by concurrent users |
US8539481B2 (en) * | 2005-12-12 | 2013-09-17 | Microsoft Corporation | Using virtual hierarchies to build alternative namespaces |
- 2011-12-14: US US13/325,347 (US8601580B2), not active: Expired - Fee Related
- 2012-12-12: WO PCT/US2012/069062 (WO2013090314A1), active: Application Filing
- 2013-11-06: US US14/073,290 (US20140068786A1), not active: Abandoned
Non-Patent Citations (2)
Title |
---|
Kamp, "Jails: Confining the omnipotent root", 2000, The FreeBSD Project, Pages 1-15. * |
Noordende, "A Secure Jailing System For Confining Untrusted Applications", 2007, Security and Cryptography - SECRYPT, Pages 414-423. * |
Also Published As
Publication number | Publication date |
---|---|
WO2013090314A1 (en) | 2013-06-20 |
US20130160084A1 (en) | 2013-06-20 |
US8601580B2 (en) | 2013-12-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE |