Kafka support as IAST source #6465

manuel-alvarez-alvarez · 2024-01-10T18:10:56Z

What Does This Do

Instruments Kafka serializers in order to taint values coming over the wire.

Motivation

Data coming from Kafka topics can be considered as untrusted from the point of view of a single JVM.

Additional Notes

Jira ticket: APPSEC-10440

dd-trace-api/src/main/java/datadog/trace/api/internal/TraceSegment.java

pr-commenter · 2024-01-10T18:47:40Z

Kafka / producer-benchmark

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/iast-kafka-support
git_commit_date	1706704169	1706712856
git_commit_sha	`cc073db`	`99e3f5a`

See matching parameters

	Baseline	Candidate
ci_job_date	1706714042	1706714042
ci_job_id	422773907	422773907
ci_pipeline_id	27472501	27472501
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
jdkVersion	11.0.21	11.0.21
jmhVersion	1.36	1.36
jvm	/usr/lib/jvm/java-11-openjdk-amd64/bin/java	/usr/lib/jvm/java-11-openjdk-amd64/bin/java
jvmArgs	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/producer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/producer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant
vmName	OpenJDK 64-Bit Server VM	OpenJDK 64-Bit Server VM
vmVersion	11.0.21+9-post-Ubuntu-0ubuntu122.04	11.0.21+9-post-Ubuntu-0ubuntu122.04

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.

See unchanged results

scenario	Δ mean throughput
scenario:not-instrumented/KafkaProduceBenchmark.benchProduce	same
scenario:only-tracing-dsm-disabled-benchmarks/KafkaProduceBenchmark.benchProduce	same
scenario:only-tracing-dsm-enabled-benchmarks/KafkaProduceBenchmark.benchProduce	same

pr-commenter · 2024-01-10T18:58:30Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/iast-kafka-support
git_commit_date	1706704169	1706712856
git_commit_sha	`cc073db`	`99e3f5a`
release_version	1.29.0-SNAPSHOT~cc073db4cc	1.29.0-SNAPSHOT~99e3f5a87b

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1706715806	1706715806
ci_job_id	422773906	422773906
ci_pipeline_id	27472501	27472501
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 8 unstable metrics.

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2024-01-31T15:19:32	2024-01-31T15:38:26
git_branch	master	malvarez/iast-kafka-support
git_commit_date	1706704169	1706712856
git_commit_sha	`cc073db`	`99e3f5a`
release_version	1.29.0-SNAPSHOT~cc073db4cc	1.29.0-SNAPSHOT~99e3f5a87b
start_time	2024-01-31T15:19:18	2024-01-31T15:38:12

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1706715806	1706715806
ci_job_id	422773906	422773906
ci_pipeline_id	27472501	27472501
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 15 unstable metrics.

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.29.0-SNAPSHOT~99e3f5a87b, baseline=1.29.0-SNAPSHOT~cc073db4cc
    dateFormat X
    axisFormat %s
section baseline
no_agent (367.008 µs) : 347, 387
.   : milestone, 367,
iast (478.768 µs) : 457, 500
.   : milestone, 479,
iast_FULL (529.794 µs) : 509, 550
.   : milestone, 530,
iast_GLOBAL (500.66 µs) : 479, 522
.   : milestone, 501,
iast_HARDCODED_SECRET_DISABLED (465.163 µs) : 445, 485
.   : milestone, 465,
iast_INACTIVE (444.93 µs) : 424, 465
.   : milestone, 445,
iast_TELEMETRY_OFF (463.026 µs) : 442, 484
.   : milestone, 463,
tracing (440.269 µs) : 419, 462
.   : milestone, 440,
section candidate
no_agent (367.597 µs) : 347, 388
.   : milestone, 368,
iast (477.609 µs) : 456, 499
.   : milestone, 478,
iast_FULL (537.924 µs) : 517, 559
.   : milestone, 538,
iast_GLOBAL (493.916 µs) : 473, 514
.   : milestone, 494,
iast_HARDCODED_SECRET_DISABLED (468.928 µs) : 448, 490
.   : milestone, 469,
iast_INACTIVE (444.503 µs) : 424, 465
.   : milestone, 445,
iast_TELEMETRY_OFF (468.854 µs) : 448, 490
.   : milestone, 469,
tracing (438.803 µs) : 418, 459
.   : milestone, 439,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	367.008 µs [346.944 µs, 387.072 µs]	-
iast	478.768 µs [457.262 µs, 500.274 µs]	111.76 µs (30.5%)
iast_FULL	529.794 µs [509.266 µs, 550.322 µs]	162.786 µs (44.4%)
iast_GLOBAL	500.66 µs [479.337 µs, 521.983 µs]	133.652 µs (36.4%)
iast_HARDCODED_SECRET_DISABLED	465.163 µs [445.066 µs, 485.26 µs]	98.155 µs (26.7%)
iast_INACTIVE	444.93 µs [424.478 µs, 465.382 µs]	77.922 µs (21.2%)
iast_TELEMETRY_OFF	463.026 µs [442.289 µs, 483.762 µs]	96.018 µs (26.2%)
tracing	440.269 µs [419.037 µs, 461.5 µs]	73.261 µs (20.0%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	367.597 µs [347.456 µs, 387.738 µs]	-
iast	477.609 µs [456.382 µs, 498.835 µs]	110.012 µs (29.9%)
iast_FULL	537.924 µs [517.304 µs, 558.545 µs]	170.328 µs (46.3%)
iast_GLOBAL	493.916 µs [473.464 µs, 514.368 µs]	126.319 µs (34.4%)
iast_HARDCODED_SECRET_DISABLED	468.928 µs [448.274 µs, 489.581 µs]	101.331 µs (27.6%)
iast_INACTIVE	444.503 µs [424.066 µs, 464.939 µs]	76.906 µs (20.9%)
iast_TELEMETRY_OFF	468.854 µs [448.092 µs, 489.616 µs]	101.257 µs (27.5%)
tracing	438.803 µs [418.33 µs, 459.277 µs]	71.207 µs (19.4%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.29.0-SNAPSHOT~99e3f5a87b, baseline=1.29.0-SNAPSHOT~cc073db4cc
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.375 ms) : 1356, 1395
.   : milestone, 1375,
appsec (1.761 ms) : 1736, 1787
.   : milestone, 1761,
iast (1.533 ms) : 1508, 1558
.   : milestone, 1533,
profiling (1.534 ms) : 1509, 1559
.   : milestone, 1534,
tracing (1.496 ms) : 1471, 1520
.   : milestone, 1496,
section candidate
no_agent (1.34 ms) : 1321, 1360
.   : milestone, 1340,
appsec (1.757 ms) : 1731, 1783
.   : milestone, 1757,
iast (1.515 ms) : 1491, 1540
.   : milestone, 1515,
profiling (1.512 ms) : 1487, 1537
.   : milestone, 1512,
tracing (1.497 ms) : 1472, 1521
.   : milestone, 1497,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.375 ms [1.356 ms, 1.395 ms]	-
appsec	1.761 ms [1.736 ms, 1.787 ms]	385.791 µs (28.1%)
iast	1.533 ms [1.508 ms, 1.558 ms]	157.775 µs (11.5%)
profiling	1.534 ms [1.509 ms, 1.559 ms]	158.53 µs (11.5%)
tracing	1.496 ms [1.471 ms, 1.52 ms]	120.622 µs (8.8%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.34 ms [1.321 ms, 1.36 ms]	-
appsec	1.757 ms [1.731 ms, 1.783 ms]	416.462 µs (31.1%)
iast	1.515 ms [1.491 ms, 1.54 ms]	174.997 µs (13.1%)
profiling	1.512 ms [1.487 ms, 1.537 ms]	171.69 µs (12.8%)
tracing	1.497 ms [1.472 ms, 1.521 ms]	156.234 µs (11.7%)

pr-commenter · 2024-01-10T19:00:03Z

Kafka / consumer-benchmark

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/iast-kafka-support
git_commit_date	1706704169	1706712856
git_commit_sha	`cc073db`	`99e3f5a`

See matching parameters

	Baseline	Candidate
ci_job_date	1706714087	1706714087
ci_job_id	422773908	422773908
ci_pipeline_id	27472501	27472501
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
jdkVersion	11.0.21	11.0.21
jmhVersion	1.36	1.36
jvm	/usr/lib/jvm/java-11-openjdk-amd64/bin/java	/usr/lib/jvm/java-11-openjdk-amd64/bin/java
jvmArgs	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/consumer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/consumer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant
vmName	OpenJDK 64-Bit Server VM	OpenJDK 64-Bit Server VM
vmVersion	11.0.21+9-post-Ubuntu-0ubuntu122.04	11.0.21+9-post-Ubuntu-0ubuntu122.04

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.

See unchanged results

scenario	Δ mean throughput
scenario:not-instrumented/KafkaConsumerBenchmark.benchConsume	same
scenario:only-tracing-dsm-disabled-benchmarks/KafkaConsumerBenchmark.benchConsume	same
scenario:only-tracing-dsm-enabled-benchmarks/KafkaConsumerBenchmark.benchConsume	unsure [+1172.156op/s; +11600.667op/s] or [+0.390%; +3.856%]

manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Jan 10, 2024

manuel-alvarez-alvarez changed the title ~~Malvarez/iast kafka support~~ Kafka support as IAST source Jan 10, 2024

manuel-alvarez-alvarez changed the base branch from master to malvarez/iast-global-tainted-objects January 10, 2024 18:11

manuel-alvarez-alvarez commented Jan 10, 2024

View reviewed changes

dd-trace-api/src/main/java/datadog/trace/api/internal/TraceSegment.java Outdated Show resolved Hide resolved

manuel-alvarez-alvarez force-pushed the malvarez/iast-global-tainted-objects branch 2 times, most recently from 1c9bc33 to 52a8307 Compare January 17, 2024 08:32

manuel-alvarez-alvarez force-pushed the malvarez/iast-global-tainted-objects branch 4 times, most recently from 180fd70 to e66d2bc Compare January 22, 2024 09:55

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from c2d3cfe to e463940 Compare January 22, 2024 09:58

manuel-alvarez-alvarez force-pushed the malvarez/iast-global-tainted-objects branch 2 times, most recently from eacf1c8 to a856f20 Compare January 22, 2024 12:09

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from e463940 to d0fd013 Compare January 22, 2024 13:14

manuel-alvarez-alvarez force-pushed the malvarez/iast-global-tainted-objects branch 3 times, most recently from 649c829 to e070b9d Compare January 24, 2024 15:46

Base automatically changed from malvarez/iast-global-tainted-objects to master January 24, 2024 18:40

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from d0fd013 to 55fe04c Compare January 26, 2024 09:12

manuel-alvarez-alvarez changed the base branch from master to malvarez/trace-segment-getters January 26, 2024 09:12

manuel-alvarez-alvarez marked this pull request as ready for review January 26, 2024 09:14

manuel-alvarez-alvarez requested review from a team as code owners January 26, 2024 09:14

manuel-alvarez-alvarez requested review from anderruiz, ValentinZakharov, mcculls and PerfectSlayer January 26, 2024 09:14

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from 55fe04c to e9d1aa9 Compare January 26, 2024 09:37

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from b333e02 to 6730fbd Compare January 26, 2024 10:42

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from e9d1aa9 to 06cec2e Compare January 26, 2024 10:43

manuel-alvarez-alvarez mentioned this pull request Jan 26, 2024

Get access to tag values from the top of TraceSegments #6560

Merged

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from 6730fbd to a397fb2 Compare January 26, 2024 12:03

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from 06cec2e to 7891c4b Compare January 26, 2024 12:05

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from a397fb2 to 04cb62f Compare January 26, 2024 12:47

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from 7891c4b to d22b1ba Compare January 26, 2024 13:16

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from 04cb62f to d39c525 Compare January 29, 2024 08:22

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from d22b1ba to 1b4a09b Compare January 29, 2024 08:23

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from d39c525 to 5f675e2 Compare January 29, 2024 10:42

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch 2 times, most recently from 54aba8e to f7c23a4 Compare January 29, 2024 12:36

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from 5f675e2 to 7c24e13 Compare January 29, 2024 16:21

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from f7c23a4 to 8a1825c Compare January 29, 2024 16:26

smola approved these changes Jan 30, 2024

View reviewed changes

manuel-alvarez-alvarez force-pushed the malvarez/trace-segment-getters branch from 7c24e13 to 5930032 Compare January 30, 2024 08:34

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from 8a1825c to c561e70 Compare January 30, 2024 08:35

Base automatically changed from malvarez/trace-segment-getters to master January 30, 2024 10:01

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch 5 times, most recently from dad2c63 to 5d070dd Compare January 31, 2024 11:40

Add Kafka support as a new IAST source

99e3f5a

manuel-alvarez-alvarez force-pushed the malvarez/iast-kafka-support branch from 43fdcae to 99e3f5a Compare January 31, 2024 14:54

manuel-alvarez-alvarez merged commit 1377296 into master Jan 31, 2024
80 of 82 checks passed

manuel-alvarez-alvarez deleted the malvarez/iast-kafka-support branch January 31, 2024 15:51

github-actions bot added this to the 1.29.0 milestone Jan 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kafka support as IAST source #6465

Kafka support as IAST source #6465

manuel-alvarez-alvarez commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading

Kafka support as IAST source #6465

Kafka support as IAST source #6465

Conversation

manuel-alvarez-alvarez commented Jan 10, 2024 • edited Loading

What Does This Do

Motivation

Additional Notes

pr-commenter bot commented Jan 10, 2024 • edited Loading

Kafka / producer-benchmark

Parameters

Summary

pr-commenter bot commented Jan 10, 2024 • edited Loading

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

pr-commenter bot commented Jan 10, 2024 • edited Loading

Kafka / consumer-benchmark

Parameters

Summary

manuel-alvarez-alvarez commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading

pr-commenter bot commented Jan 10, 2024 •

edited

Loading