You are encouraged to work in groups (up to 3 people) for the labs and collaborate through version control (e.g., gitlab.cs). It is okay to use open-source code in your implementation. The labs are intended to be open-ended. Feel free to add interesting features.

For Lab 1, your job is to implement a web server using C/C++ on Linux. You may reuse code from 550’s project 1 if you have done that before. Then, enhance your web server with better security.

Part 1

For this part, implement a single-threaded event-driven web server. The executable, 551ws, takes one command-line argument, the configuration filename. You may design the configuration file format (see bonus part below). The configuration file should allow an admin to specify an address and a port number (IPv4/v6) on which the web server listens. You may use getaddrinfo() to convert the address and port number in either IPv4 or IPv6 string form.

$ ./551ws ws.conf

The web server should be event-driven. In particular, it should use epoll() to manage file descriptors; it should use non-blocking network I/O and blocking disk I/O.

For the HTTP protocol, we recommend you use the HTTP parser library, which is based on nginx’s code and used in Node.js.

One should be able to use a browser to retrieve a file via your web server, such as You may use either sendfile() or other system calls to send HTTP responses.

Use the ApacheBench tool ab to measure the performance of your server.

Part 2

The simple single-threaded architecture is not good for security—a single bug may allow an attacker to take control of the server. Your job in this part is to improve that with a better web server architecture. Read the OKWS paper. You may choose one design from Figure 2 of the paper, or implement your own architecture. In the file README, describe your design, as well as what kind of vulnerabilities your design can and cannot prevent.

Implement your design and use ab to measure the performance of your new server. Document the difference (if any) in README, along with your tests.


Lua is a good embedded language and has a simple C API (see Lua’s and LuaJIT’s documentations). Try to use Lua to simplify your web server and make it more reliable (hopefully, with “less” C/C++ code). One way to implement the configuration file is to use a Lua script (see Apache’s mod_lua). In addition, you may also implement the web server’s logic in Lua. Use ab to measure the performance impact if you choose to do so.

What to submit

Submit a tar file of the source code of your web server and the README file that contains your security analysis and performance numbers from running ab. If you have done the bonus part, make a note in a file called BONUS.