A Framework for the Implementation of Secure Bare-Based Web-Email System
GSTF Journal on Computing (JoC) Vol.4 No.3, October 2015
DOI 10.7603/s40601-014-0018-4
DOI: 10.5176/2251-3043_4.3.333
©The Author(s) 2015. This article is published with open access by the GSTF

Patrick Appiah-Kubi, Anthony Tsetse, and Alae Loukili
Received 29 Jun 2015 Accepted 27 Jul 2015

Abstract - Webmail systems have been developed for different OS-based platforms. These OS-based systems present their own benefits and threats. Frameworks and white papers for developing these systems are available, but there is no specific framework available for the implementation of such systems on a Bare PC. Implementation of such systems on a Bare PC poses daunting challenges and innovative opportunities that are revolutionary in server designs. Building such systems for security could be even more challenging. Secure Webmail systems are complex, large and require intricate components to develop. As a result, a lean system was developed for this research. The lean concept also helps to build a small protocol suite, intertwining of protocols, limited requirement space, simple user interfaces and minimal design options. The paper provides a detailed framework for the design and implementation, the experimental setup and the results of the experiments conducted. Performance is evaluated by measuring the processing time, throughput, CPU utilization and load distribution. The results show that the performance of the Bare PC Webmail server is significantly better than that of the OS-based servers.

Keywords - Bare PC; Application Object; HTTP; PHP parser; TLS; SMTP; Operating system.

I. INTRODUCTION

Webmail is a web-based email service that allows users to access their email through a web browser instead of using desktop email clients (such as Microsoft Outlook, Pegasus Mail, Mozilla Thunderbird and Eudora). It allows users to access their email account from any Internet-enabled device located anywhere, unlike the application-based email system. A conventional secure webmail system uses protocols such as simple mail transfer protocol (SMTP), post office protocol (POP3) or internet message access protocol (IMAP), hypertext transfer protocol (HTTP) and transport layer security (TLS) to exchange messages. These protocols provide independent services to ensure email exchanges. Figure 1 presents a pictorial illustration of email exchanges between the various email services.

[Figure 1: Conventional Email Exchanges. Diagram labels: user mail agent, HTTP/TLS server request, SMTP/POP3, Web server / Mail Agent, SQL Queries, Database.]

In situations where dynamic HTTP requests are sent to the Webmail Server for processing/parsing, coupled with a secured request using static or dynamic TLS, the complexity of the Webmail system increases significantly. The design of the Bare PC-based web-email system was a result of experience gained in developing the Bare PC TLS, HTTP, SMTP and POP3 protocols. A Bare PC Web server interfaces with any commercial client, adhering to the client requests and their interfaces. It does not have any control over the client user interfaces. The Bare PC webmail system developed is user friendly to the Bare PC environment, as the functionality and complexity can be dealt with at the server level. This is because webmail system servers generate and serve all Web pages to the client, thus allowing the designer to control the design of the system.

The Bare PC webmail architecture is based on threading techniques, delay/resume lists, and task stack mechanisms to provide efficient memory utilization and process control. It contains its own data execution knowledge and control, and does not require any other software support to run. Currently, the Bare PC Webmail system runs on Intel Pentium 4 (or above) based PCs and only requires common general-purpose hardware including USB-based bootable devices, network interface cards, and USB-based persistent storage. The system is also not vulnerable to attacks targeting an underlying OS. Bare PC applications are built to be secure since all underlying OS vulnerabilities are eliminated at the design level. The TLS protocol added to the design enhances security when sending and receiving messages.

Since a Bare PC server application is self-supporting, it is unlike its OS-based counterpart that relies on services provided by the OS. For example, a Bare PC server application contains lean versions of the necessary protocols, manages memory, schedules tasks on the CPU, and directly accesses the underlying hardware. Furthermore, the application layer and transport layer protocol code is intertwined within the code for the server application. There is no socket interface for applications in a Bare PC server, and the intertwined parts of the code and the underlying task structure can differ from application to application. Protocol intertwining reduces inter-layer communication overhead compared to a conventional OS-based TCP/IP protocol stack, but complicates the design and implementation of the server. Bare PC applications do not use a local disk (they only require detachable mass storage). The application directly communicates with the hardware (in this case an x86-based CPU). This approach can be used to build pervasive devices, gateways, routers, or sensors that host small, efficient Bare PC applications.

The paper is organized as follows: section I is the introduction, II covers related work, III covers architecture and design, IV covers experimental analysis and V is the conclusion.

II. RELATED WORK

The first attempt to minimize operating system (OS) functionality was proposed in the Exokernel[1][2] architecture, where minimum OS functionality was used to obtain core processes such as kernel system processes. Studies such as Microkernel, OS-Kit[3], Bare-metal Linux, IO-Lite[4], Tiny OS[5] and other approaches have tried to reduce the interaction of the OS or bypass the OS to gain efficiency in the system. In [6], Linux is used to enable direct communication with the hardware by reducing the OS reliability. More recently, sandboxing techniques on the x86 systems[7] have extended OS kernels, allowing applications to run guest plug-ins on the host OS. However, none of the above proposed techniques propose a complete elimination of all OS support except for the Bare PC paradigm.

The strength of Bare PC applications is derived from their simplicity, smaller code, design by obscurity, design for longevity, and inherent security. The Bare box can be used to run a variety of applications. The Application Object (AO) is self-contained and belongs to an owner, which can be made secure at the AO level. As the AOs are application centric, they do not require all the OS components needed in today's OS. Only the necessary hardware interfaces and controls are included in the AO, thus making the AO small in size and simple in design and development. An AO may constitute a single application such as a Webmail server, or it may consist of composite applications including a Webmail server, a Web browser and a text editor. Applications like the Web server[8], Email Server[9][10], VoIP[11][12] and TLS on web server[13] have been built on Bare PC, and these applications demonstrated significant improvements in performance compared to other commercial systems. These applications uncovered the unique features of the Bare PC architecture and served as the basis for the design and implementation of the Bare PC Webmail Server.

Current Webmail systems such as Atmail[14], Petmail[20], MailTraq[15], Axigen[16], Afterlogic[17], Squirrelmail[18], Facemail[19], icewarp[21] and Hexamail[22] all focus on OS-based systems. Some of these systems are designed for high performance, while others such as Cisco's Webex[23] are designed for high reliability and availability. Techniques to improve performance of the Open Webmail system are discussed in [24]. Email server architecture, which is based on a spam workload and optimized with respect to concurrency, I/O and IP address lookups, is shown to significantly improve performance and throughput. The design and implementation of an email pseudonym server providing anonymity to reduce server threats is capable of reducing risks due to OS-based vulnerabilities. Some performance and design details of Webmail systems are described in [24].

The security aspects of Webmail systems have been studied by many authors [25][26]. Webmail systems use the HTTPS/TLS protocol to protect email messages in transit. However, all existing TLS-capable Webmail systems are OS based, and there is no TLS-capable Webmail system that runs on a Bare PC. There are alternate approaches to email security. S/MIME [25] provides encryption, authentication, message integrity and non-repudiation for MIME messages exchanged between users (i.e., end-to-end). The design and implementation of a secure email system that provides encryption and signing, and additional features such as elimination of spam and prevention of harmful attachments is described. The implementation of a secure Webmail system that uses CallerID for access is discussed in [26].

Operating System (OS-based) systems are based on some sort of centralized resource manager or controller to provide hardware abstractions to applications. The Bare PC, previously referred to as dispersed Operating Systems computing (DOSC)[27], proposes an extreme end of the spectrum in OS for building computer applications, where there is no centralized resource manager or controller running in the machine. Applications[28] in Bare PC directly communicate with hardware (no need for abstraction layers) and the computer is made Bare (no hard disk, no resident software, except BIOS).

[Figure: diagram residue; recoverable labels: NIC Driver, RCV Task, Resume, ETH, IP, TCP, STD, POP3 Object, SMTP Object, HTTP Object, TLS Object, Network NIC, TCP Table (TCB) (Migratory Entries), Running.]