Security Architecture of qmail and Postfix
Authors: Munawar Hafiz, Ralph E. Johnson
Prepared by Geoffrey Foote
CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
Instructors: Dr. James Walden, Dr. Charles Frank

Overview
Introduction
Architecture of qmail as a set of design decisions
Architecture of Postfix as a parallel to qmail
Similarities
Differences
Conclusions/Comments

Introduction
qmail was designed as sendmail's replacement
Addressed security issues
Architecture made the system easier to understand and maintain
Postfix used qmail's architecture as a reference
Design built towards performance
Reduced redundancy
Still achieved a high level of security
Both systems hold an unblemished security record
Both use similar security patterns
Both are evidence that security doesn't have to come at the cost of performance

Introduction: Architecture of Systems (qmail and Postfix)
Key Principle: Defense in Depth
The system does not depend on any single idea to achieve security
Modularity
Decreases the damage caused by security break-ins
Ensures that many kinds of errors are not possible
Makes inspection easier

qmail Architecture
sendmail runs as one process; if it is compromised, an attacker gains access to all processes
TO AVOID: qmail follows the Compartmentalization Security Pattern
Separate the system into different security domains
Therefore, when one part of the system is compromised, the others remain secure
sendmail runs as a super-user
Causes privilege issues
TO AVOID: qmail follows the Distributed Responsibility Security Pattern
Partition responsibility across compartments

qmail Architecture
The mail queue must avoid race conditions
TO AVOID: qmail follows the Reliability Pattern, Unique Location for Each Request
Ensure every write request goes to a different location
Mailbox Management: a system crash leaves a message in an unreliable state
TO AVOID: qmail follows the Reliability Pattern, Checkpointed System
Design the system as a finite state machine
Make the state information persistent
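The two reliability patterns on this slide fit together in one small piece of code. The following is an added example written for these notes, not code from qmail, Postfix or the paper: every request is written to a file opened with O_CREAT|O_EXCL (so two writers can never share a path), the file is then named by its inode number, which is the identifier qmail's queue uses, and it is moved into the "mess" directory with one atomic rename(). The rename is the checkpoint: a crash before it leaves only an unfinished file in "tmp", never a half-written file that a later stage could mistake for a complete message. The directory layout, the function names and the sample messages are assumptions made for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define QPATH 512   /* path buffer size used throughout this example */

/* write() until every byte has been handed to the kernel or an error occurs. */
static int write_all(int fd, const char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) return -1;
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Store one message under <queue>/tmp, then publish it atomically as
 * <queue>/mess/<inode>.  Returns 0 and the final path in out on success,
 * -1 on failure, in which case nothing is left in mess/. */
int queue_message(const char *queue, const char *body, size_t len,
                  char *out, size_t outlen)
{
    static unsigned seq;              /* keeps repeated calls from one pid distinct */
    char tmp[QPATH];
    struct stat st;
    int fd;

    snprintf(tmp, sizeof tmp, "%s/tmp/%ld.%u", queue, (long)getpid(), seq++);
    /* O_EXCL: creation fails instead of silently reusing a path another
       writer owns, so no two requests ever share a location. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write_all(fd, body, len) != 0 || fsync(fd) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    /* The inode number is unique among files that exist on this file system
       at the same time; qmail names its queued messages the same way. */
    snprintf(out, outlen, "%s/mess/%llu", queue, (unsigned long long)st.st_ino);
    /* The checkpoint: rename() is atomic, so mess/ only ever holds complete files. */
    if (rename(tmp, out) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Read a queued file back and compare it with the bytes that were written. */
static int file_matches(const char *path, const char *want, size_t len)
{
    char buf[256];
    size_t got;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return got == len && memcmp(buf, want, len) == 0;
}

/* Self-check: build a throw-away queue, store two constructed messages and
 * verify they landed at distinct paths with the exact bytes written.
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo_queue(void)
{
    const char *base = getenv("TMPDIR");
    char dir[QPATH], sub[QPATH], p1[QPATH] = "", p2[QPATH] = "";
    static const char m1[] = "From: alice@example.com\n\nfirst\n";   /* constructed */
    static const char m2[] = "From: bob@example.com\n\nsecond\n";    /* constructed */
    int rc = 0;

    snprintf(dir, sizeof dir, "%s/qdemo-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return 1;
    snprintf(sub, sizeof sub, "%s/tmp", dir);
    if (mkdir(sub, 0700) != 0) return 2;
    snprintf(sub, sizeof sub, "%s/mess", dir);
    if (mkdir(sub, 0700) != 0) return 3;

    if (queue_message(dir, m1, sizeof m1 - 1, p1, sizeof p1) != 0) rc = 4;
    else if (queue_message(dir, m2, sizeof m2 - 1, p2, sizeof p2) != 0) rc = 5;
    else if (strcmp(p1, p2) == 0) rc = 6;                  /* distinct locations */
    else if (!file_matches(p1, m1, sizeof m1 - 1)) rc = 7;
    else if (!file_matches(p2, m2, sizeof m2 - 1)) rc = 8;

    /* remove the throw-away queue again */
    unlink(p1);
    unlink(p2);
    rmdir(sub);
    snprintf(sub, sizeof sub, "%s/tmp", dir);
    rmdir(sub);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_queue();
    printf("demo_queue: %d\n", rc);
    return rc != 0;
}
```

The rename() step is what makes recovery after a crash simple: the delivery stage only ever scans mess/, and anything left behind in tmp/ is by definition incomplete and can be discarded.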

qmail Architecture
Multithreading can exhaust resources
TO AVOID: qmail follows the Small Processes Performance Pattern
Make processes small, single-task, and limited in memory
Inherent problems using standards: the C library
TO AVOID: qmail follows the Safe Data Structure Security Pattern
Represent strings with a data structure
In sendmail, the program could execute the body of a message
TO AVOID: qmail follows the Content Dependent Processing Security Pattern
Treat the received contents as a mail message only
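What "represent strings with a data structure" buys you is easiest to see in code. The following is an added example, not qmail's own stralloc code and not from the paper: a length-counted string type modelled on the same idea, where the buffer always knows its length and capacity, so appending cannot run past the end the way strcat() on a fixed char[] can, and a NUL byte inside untrusted input is just a byte rather than a premature terminator. The type and function names and the sample header pieces are this example's own assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *s;     /* bytes in the buffer; NOT NUL-terminated */
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} safestr;

#define SAFESTR_INIT { NULL, 0, 0 }

/* Make sure at least need bytes fit; 0 on success, -1 if that is impossible. */
static int safestr_reserve(safestr *sa, size_t need)
{
    size_t ncap;
    char *p;
    if (need <= sa->cap) return 0;
    if (need > SIZE_MAX / 2) return -1;          /* so the doubling below cannot wrap */
    ncap = sa->cap ? sa->cap : 32;
    while (ncap < need) ncap *= 2;
    p = realloc(sa->s, ncap);
    if (!p) return -1;
    sa->s = p;
    sa->cap = ncap;
    return 0;
}

/* Append n arbitrary bytes.  Every length is checked before any copy. */
int safestr_append(safestr *sa, const void *data, size_t n)
{
    if (n > SIZE_MAX - sa->len) return -1;       /* len + n would wrap */
    if (safestr_reserve(sa, sa->len + n) != 0) return -1;
    memcpy(sa->s + sa->len, data, n);
    sa->len += n;
    return 0;
}

/* Convenience for trusted C string literals. */
int safestr_appends(safestr *sa, const char *z)
{
    return safestr_append(sa, z, strlen(z));
}

/* Only for the moment a C-library call needs a terminator: adds a NUL
 * after the data without counting it in len. */
int safestr_terminate(safestr *sa)
{
    if (safestr_reserve(sa, sa->len + 1) != 0) return -1;
    sa->s[sa->len] = '\0';
    return 0;
}

void safestr_free(safestr *sa)
{
    free(sa->s);
    sa->s = NULL;
    sa->len = sa->cap = 0;
}

/* Self-check: assemble a Received: header from constructed pieces, one of
 * which carries an embedded NUL and one of which is far larger than any
 * fixed buffer a naive implementation would pick.  Returns 0 on success,
 * otherwise the number of the failing step. */
int safestr_selftest(void)
{
    safestr sa = SAFESTR_INIT, t = SAFESTR_INIT;
    static const char host[] = "mail.example.com";   /* constructed, 16 bytes */
    static const char odd[]  = "evil\0hidden";       /* constructed, 11 bytes incl. NUL */
    char big[5000];
    int rc = 0;
    memset(big, 'A', sizeof big);

    if (safestr_appends(&sa, "Received: from ") != 0 ||      /* 15 bytes */
        safestr_appends(&sa, host) != 0 ||
        safestr_append(&sa, " (", 2) != 0 ||
        safestr_append(&sa, odd, sizeof odd - 1) != 0 ||
        safestr_append(&sa, ")\n", 2) != 0 ||
        safestr_append(&sa, big, sizeof big) != 0)
        rc = 1;
    else if (sa.len != 15 + 16 + 2 + 11 + 2 + 5000) rc = 2;     /* 5046 bytes */
    else if (memcmp(sa.s + 15 + 16 + 2, odd, 11) != 0) rc = 3;  /* NUL survived intact */
    else if (sa.len > sa.cap) rc = 4;                           /* never past the end */
    else if (safestr_terminate(&sa) != 0 || strlen(sa.s) != 15 + 16 + 2 + 4) rc = 5; /* strlen stops at the NUL */
    else if (safestr_append(&t, "x", SIZE_MAX) != -1) rc = 6;   /* wrap is refused, nothing copied */

    safestr_free(&sa);
    safestr_free(&t);
    return rc;
}
```

Step 5 is the point of the pattern: the same bytes that strlen() reports as 37 characters are in fact 5046, which is exactly the discrepancy a fixed-buffer, NUL-terminated design gets wrong.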

qmail Architecture
Trust Partitioning: not trusting the communication payload
TO AVOID: qmail follows the Trust Partitioning Security Pattern
Design the components to not trust inputs from other groups and to validate inputs

Postfix Architecture: Similarities between qmail and Postfix
Partitioning and responsibility distribution among processes
Neither has a configuration language; this was one of the main problems with sendmail
Postfix follows the qmail pattern Unique Location for Each Write Request
qmail implements the mail queue as a single directory; Postfix as a single directory
Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash

Postfix Architecture: Differences
Postfix uses lookup tables
Mail queue: qmail uses one, Postfix has five
Separate processes for sending mail using different protocols
Postfix uses only one user to simplify configuration management; qmail uses multiple user and group ids
Creates a security risk, since everything is running under one id
Introduces Security Pattern: chroot Jail
Run processes under separate least-privilege user ids in a controlled environment

Postfix Architecture
Postfix uses pre-forking; qmail forks on demand
Security Pattern: Secure Preforking
Consequences of daemon process compromises are especially bad because of their long life
Solution: limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
Postfix uses a soft-updates file system, while qmail uses an async file system

Postfix Architecture
Postfix uses the Single-Threaded Facade Security Pattern
Problem: multithreaded processes communicating with the outside environment are more vulnerable. Therefore they should be made simple in architecture; how can this be achieved?
Solution: processes on the perimeter should be single-threaded and perform single tasks, because multithreading involves complex resource management

Postfix Architecture
Postfix uses the Batch Transaction Performance Pattern
Batch transactions to eliminate overhead
Group related tasks to avoid task switching and process creation overhead
Reliability Pattern: DoS Safety
Protect against Denial of Service attacks by setting resource limits
Security Pattern: Policy Enforcement Point
Channel all outside communication through one point where security mechanisms can be applied by defining security policies
Postfix has spam filters, qmail does not
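Secure Preforking (two slides up) and DoS Safety (this slide) are both about bounding what a single worker process can cost you, and a miniature worker shows them together. The following is an added example written for these notes, not Postfix's master/worker code and not from the paper: the master forks a worker over a pipe of request lines, the worker caps its own address space with setrlimit() before it reads any input, serves at most max_use requests and then exits so the master can fork a fresh one. The request format ("alloc N" standing in for an oversized message), the parameter names and the sample requests are assumptions made for the example; Postfix's real protocol between master and its daemons is different.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Worker body.  One request per line on rfd; "alloc N" asks for N MiB,
 * any other line is ordinary work.  Exit status: number of requests handled,
 * 100/101 for setup failures, 200 if an oversized allocation succeeded
 * (which would mean the cap was not in force). */
static int worker_main(int rfd, int max_use, rlim_t mem_limit)
{
    struct rlimit rl;
    FILE *in;
    char line[128];
    int served = 0;

    /* DoS Safety: cap the address space before any input is read, never
       asking for more than the inherited hard limit allows. */
    if (getrlimit(RLIMIT_AS, &rl) != 0) return 100;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < mem_limit) mem_limit = rl.rlim_max;
    rl.rlim_cur = mem_limit;
    rl.rlim_max = mem_limit;
    if (setrlimit(RLIMIT_AS, &rl) != 0) return 100;

    in = fdopen(rfd, "r");
    if (!in) return 101;
    /* Secure Preforking: after max_use requests the worker exits and the
       master forks a new one, bounding the life of a compromised or
       leaking worker. */
    while (served < max_use && fgets(line, sizeof line, in) != NULL) {
        unsigned mib;
        if (sscanf(line, "alloc %u", &mib) == 1) {
            void *p = malloc((size_t)mib << 20);
            if (p != NULL) { free(p); return 200; }
            /* NULL is the wanted outcome here: this request is refused,
               the worker stays up and the host is not exhausted. */
        }
        served++;
    }
    return served;
}

/* Master side: queue n request lines into a pipe, fork one worker on it and
 * return the worker's exit status (-1 on a setup failure). */
int spawn_worker(int max_use, rlim_t mem_limit, const char *const *reqs, int n)
{
    int fds[2], status, i;
    pid_t pid;

    if (pipe(fds) != 0) return -1;
    for (i = 0; i < n; i++)
        if (write(fds[1], reqs[i], strlen(reqs[i])) < 0) return -1;
    close(fds[1]);                       /* worker sees EOF after the last line */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(worker_main(fds[0], max_use, mem_limit));
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Three scenarios over constructed requests.  Returns 0 if every worker
 * behaved, otherwise the number of the scenario that did not. */
int demo_preforking(void)
{
    static const char *const plain[] = {
        "rcpt a@example.com\n", "rcpt b@example.com\n", "rcpt c@example.com\n",
        "rcpt d@example.com\n", "rcpt e@example.com\n" };
    static const char *const big[] = { "alloc 1024\n", "rcpt f@example.com\n" };
    const rlim_t cap = (rlim_t)256 << 20;                 /* 256 MiB */

    if (spawn_worker(3, cap, plain, 5) != 3) return 1;    /* retired after 3 of 5 */
    if (spawn_worker(10, cap, plain, 2) != 2) return 2;   /* EOF before max_use */
    if (spawn_worker(10, cap, big, 2) != 2) return 3;     /* 1 GiB refused, work goes on */
    return 0;
}

int main(void)
{
    int rc = demo_preforking();
    printf("demo_preforking: %d\n", rc);
    return rc != 0;
}
```

The third scenario is the DoS Safety point: the oversized request fails inside the worker, which then carries on with the next line, instead of the worker growing until the whole host starts swapping.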

Conclusion/Questions
While qmail's and Postfix's designs are not the same, they both use common security patterns
Both were designed with security as an original requirement
Both are evidence that security does not have to come at the cost of performance
Comments/Questions???