Question

I was reading a Hacker News thread where one user posts a link from 2011 explaining that IIS is much faster than most other (*nix) web servers. Another user replies, explaining that IIS gets that advantage by having a kernel module called HTTP.sys. To my knowledge, most other popular web servers in 2015 do not do this.

I would never want to write a kernel mode web server, because I could never trust myself to make it free of security exploits (which would be less serious running in a lower protection ring).

From the perspective of the software engineer (as opposed to a customer for web servers), is running in kernel mode a smart performance decision? Can security concerns be mitigated in application development to the point of making a kernel mode server a net profit for the consumer?


Solution

Http.sys is not so much a web server as a proxy-forwarder. It's designed to allow many web servers to co-exist on a Windows box, so you can have IIS running a web site, but also several WCF services running with HTTP/REST or SOAP interfaces, all on standard port 80. (This is why you can't run Apache on Windows without a bit of jiggling: Apache hasn't been modified to work with this registration system. It's a shame it wasn't made more transparent to applications and requires some quite complex modifications to hook into.)

The way it works is that you register a URL with it and the corresponding application, and when an HTTP request is made on port 80, http.sys accepts it but then passes the request on to whichever application is registered to handle that URL target.


I doubt a kernel mode webserver makes any sense - even if socket performance can be improved in this way, in order to perform any useful work, the application logic is still going to be executed in user space, so there's always a transition - you've just shifted it along the callstack a little.

OTHER TIPS

Http.sys is not the only kernel-mode web server available: under Linux there is also tux. As you have correctly identified, security is a concern with these kinds of servers, which has led to tux not being included in the mainline Linux kernel (and I believe not updated for more recent kernel versions).

A better solution would be the use of an operating system that does not rely on hardware protection to enforce process security, e.g. Microsoft's Singularity: such a system would allow the efficiency gains of a kernel mode server without the security risks. Unfortunately, no production-ready operating systems based on this principle are available as of 2015, and AFAIK nobody is seriously working on one either (the Singularity project was canceled).

Http.sys is low risk, as it can’t run any code provided by a third party.

Http.sys does a few tasks:

  • It acts as a proxy-forwarder, allowing multiple processes to respond to requests to different parts of the HTTP name space. @gbjbaanb's answer covers this well.

  • It serves static files, directly from the Windows file cache. This provides a great speedup for small static files, as there are no context switches.

  • It will cache the output from any application it forwards an HTTP request to, and return the cached result. The application is in complete control over how long (if at all) the caching lasts.

Http.sys is designed to do the simple tasks VERY fast, while passing everything else to a process in user space.

In response to the comment

"low risk, as it can’t run any code provided by a 3rd party" - That's what they always say, and it's almost never true.

The issue is that you must trust Microsoft to write complex kernel code to be asking this question, otherwise you decide not to use Windows for web hosting at all. Http.sys adds very little to the risk of kernel bugs, given how complex the kernel is anyway.

If anything, Http.sys reduces the risk, as there is such a clear separation between “low level” web serving and application code.

In a well-designed setup, the machine (or virtual server) that runs the web server has very limited access to the rest of the network, as it is a high risk target. It makes very little difference if the kernel or a user mode web server is hacked, as the server should not have any more “rights” on the network than the web-server user mode process needs to do its work.
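
The register-then-forward behaviour and the application-controlled response cache described in the answers above, as an added simplified model in Python; it is not part of the original answers and is not Http.sys code. The `UrlDispatcher` class, its method names and the longest-prefix matching rule are assumptions made for illustration.

```python
import time


class UrlDispatcher:
    """User-space model: apps register URL prefixes, the front end forwards and caches."""

    def __init__(self, clock=time.monotonic):
        self._routes = {}   # URL path prefix -> handler callable (the "application")
        self._cache = {}    # request path -> (expiry time, cached body)
        self._clock = clock

    def register(self, prefix, handler):
        # One owner per prefix: a second application must not silently take over
        # a namespace that another application has already registered.
        if not (prefix.startswith("/") and prefix.endswith("/")):
            raise ValueError("prefix must start and end with '/'")
        if prefix in self._routes:
            raise PermissionError(f"{prefix} is already registered")
        self._routes[prefix] = handler

    def _lookup(self, path):
        # Assumption: the longest (most specific) registered prefix wins.
        probe = path if path.endswith("/") else path + "/"
        matches = [p for p in self._routes if probe.startswith(p)]
        return self._routes[max(matches, key=len)] if matches else None

    def handle(self, path):
        now = self._clock()
        hit = self._cache.get(path)
        if hit and hit[0] > now:
            return 200, hit[1], "cache"      # answered without calling the app
        self._cache.pop(path, None)          # drop an expired entry, if any
        handler = self._lookup(path)
        if handler is None:
            return 404, "", "none"           # nobody registered this namespace
        body, ttl = handler(path)            # the app chooses the cache lifetime
        if ttl > 0:
            self._cache[path] = (now + ttl, body)
        return 200, body, "app"


if __name__ == "__main__":
    d = UrlDispatcher()
    d.register("/", lambda p: ("site:" + p, 0))        # constructed sample apps
    d.register("/api/", lambda p: ("api:" + p, 30))
    for request in ("/index.html", "/api/orders", "/api/orders"):
        print(request, d.handle(request))
```

The third request in the demo is served from the cache, so the application registered for `/api/` is not invoked for it.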

Licensed under: CC-BY-SA with attribution