
Replace ASM transient mechanism with WAF ephemeral addresses #6687

Merged
merged 1 commit into from Mar 13, 2024

Conversation

@ValentinZakharov (Contributor) commented Feb 15, 2024

What Does This Do

This pull request signifies an important enhancement in ASM. Originally, we employed a transient mechanism to manage temporary data submissions to the WAF. The recent introduction of ephemeral addresses in libddwaf presents a native and more efficient implementation of this transient mechanism. Through this PR, we are transitioning from the older transient method to utilizing ephemeral addresses.

Motivation

This improvement is required by #6375

Additional Notes

Upgrading WAF to version 1.16.0 made it possible to start using ephemeral addresses (see: #6658)

Jira ticket: APPSEC-51774

@ValentinZakharov ValentinZakharov added the comp: asm waf Application Security Management (WAF) label Feb 15, 2024
@ValentinZakharov ValentinZakharov self-assigned this Feb 15, 2024
@ValentinZakharov ValentinZakharov changed the title Replace ASM transient mechanism to ephemeral addresses Replace ASM transient mechanism with ephemeral addresses Feb 15, 2024
@ValentinZakharov ValentinZakharov changed the title Replace ASM transient mechanism with ephemeral addresses Replace ASM transient mechanism with WAF ephemeral addresses Feb 15, 2024
@pr-commenter bot commented Feb 15, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/transient-to-ephemeral |
| git_commit_date | 1710236254 | 1710248821 |
| git_commit_sha | a786410 | 3224607 |
| release_version | 1.32.0-SNAPSHOT~a786410129 | 1.32.0-SNAPSHOT~3224607d3e |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1710251998 | 1710251998 |
| ci_job_id | 457496102 | 457496102 |
| ci_pipeline_id | 29954557 | 29954557 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for petclinic

```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.08 s) : 0, 1079726
Total [baseline] (9.18 s) : 0, 9180471
Agent [candidate] (1.082 s) : 0, 1082122
Total [candidate] (9.181 s) : 0, 9181031
section appsec
Agent [baseline] (1.2 s) : 0, 1200374
Total [baseline] (9.288 s) : 0, 9287764
Agent [candidate] (1.21 s) : 0, 1210408
Total [candidate] (9.41 s) : 0, 9409602
section iast
Agent [baseline] (1.207 s) : 0, 1207155
Total [baseline] (9.334 s) : 0, 9333620
Agent [candidate] (1.205 s) : 0, 1205191
Total [candidate] (9.348 s) : 0, 9347732
section profiling
Agent [baseline] (1.273 s) : 0, 1272961
Total [baseline] (9.412 s) : 0, 9412468
Agent [candidate] (1.275 s) : 0, 1274890
Total [candidate] (9.332 s) : 0, 9331979
```

Baseline results:

| Module | Variant | Duration | Δ vs. tracing |
|---|---|---|---|
| Agent | tracing | 1.08 s | - |
| Agent | appsec | 1.2 s | 120.649 ms (11.2%) |
| Agent | iast | 1.207 s | 127.429 ms (11.8%) |
| Agent | profiling | 1.273 s | 193.236 ms (17.9%) |
| Total | tracing | 9.18 s | - |
| Total | appsec | 9.288 s | 107.294 ms (1.2%) |
| Total | iast | 9.334 s | 153.15 ms (1.7%) |
| Total | profiling | 9.412 s | 231.997 ms (2.5%) |

Candidate results:

| Module | Variant | Duration | Δ vs. tracing |
|---|---|---|---|
| Agent | tracing | 1.082 s | - |
| Agent | appsec | 1.21 s | 128.287 ms (11.9%) |
| Agent | iast | 1.205 s | 123.069 ms (11.4%) |
| Agent | profiling | 1.275 s | 192.769 ms (17.8%) |
| Total | tracing | 9.181 s | - |
| Total | appsec | 9.41 s | 228.571 ms (2.5%) |
| Total | iast | 9.348 s | 166.701 ms (1.8%) |
| Total | profiling | 9.332 s | 150.947 ms (1.6%) |
```mermaid
gantt
    title petclinic - break down per module: candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (696.255 ms) : 0, 696255
BytebuddyAgent [candidate] (697.05 ms) : 0, 697050
GlobalTracer [baseline] (291.506 ms) : 0, 291506
GlobalTracer [candidate] (292.997 ms) : 0, 292997
AppSec [baseline] (49.065 ms) : 0, 49065
AppSec [candidate] (49.138 ms) : 0, 49138
Remote Config [baseline] (733.319 µs) : 0, 733
Remote Config [candidate] (722.969 µs) : 0, 723
Telemetry [baseline] (7.815 ms) : 0, 7815
Telemetry [candidate] (7.782 ms) : 0, 7782
section appsec
BytebuddyAgent [baseline] (696.295 ms) : 0, 696295
BytebuddyAgent [candidate] (700.669 ms) : 0, 700669
GlobalTracer [baseline] (291.057 ms) : 0, 291057
GlobalTracer [candidate] (294.261 ms) : 0, 294261
AppSec [baseline] (153.297 ms) : 0, 153297
AppSec [candidate] (154.964 ms) : 0, 154964
IAST [baseline] (17.903 ms) : 0, 17903
IAST [candidate] (18.185 ms) : 0, 18185
Remote Config [baseline] (607.292 µs) : 0, 607
Remote Config [candidate] (619.126 µs) : 0, 619
Telemetry [baseline] (6.891 ms) : 0, 6891
Telemetry [candidate] (7.021 ms) : 0, 7021
section iast
BytebuddyAgent [baseline] (802.073 ms) : 0, 802073
BytebuddyAgent [candidate] (801.068 ms) : 0, 801068
GlobalTracer [baseline] (288.88 ms) : 0, 288880
GlobalTracer [candidate] (289.208 ms) : 0, 289208
AppSec [baseline] (48.292 ms) : 0, 48292
AppSec [candidate] (48.662 ms) : 0, 48662
IAST [baseline] (26.27 ms) : 0, 26270
IAST [candidate] (24.569 ms) : 0, 24569
Remote Config [baseline] (623.112 µs) : 0, 623
Remote Config [candidate] (608.38 µs) : 0, 608
Telemetry [baseline] (6.576 ms) : 0, 6576
Telemetry [candidate] (6.615 ms) : 0, 6615
section profiling
BytebuddyAgent [baseline] (689.091 ms) : 0, 689091
BytebuddyAgent [candidate] (688.874 ms) : 0, 688874
GlobalTracer [baseline] (375.339 ms) : 0, 375339
GlobalTracer [candidate] (376.624 ms) : 0, 376624
AppSec [baseline] (49.677 ms) : 0, 49677
AppSec [candidate] (49.803 ms) : 0, 49803
Remote Config [baseline] (749.875 µs) : 0, 750
Remote Config [candidate] (762.899 µs) : 0, 763
Telemetry [baseline] (7.535 ms) : 0, 7535
Telemetry [candidate] (7.441 ms) : 0, 7441
ProfilingAgent [baseline] (94.349 ms) : 0, 94349
ProfilingAgent [candidate] (95.188 ms) : 0, 95188
Profiling [baseline] (94.372 ms) : 0, 94372
Profiling [candidate] (95.212 ms) : 0, 95212
```

Startup time reports for insecure-bank

```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.084 s) : 0, 1084414
Total [baseline] (8.58 s) : 0, 8579878
Agent [candidate] (1.089 s) : 0, 1089295
Total [candidate] (8.575 s) : 0, 8575287
section iast
Agent [baseline] (1.204 s) : 0, 1203551
Total [baseline] (9.041 s) : 0, 9041482
Agent [candidate] (1.203 s) : 0, 1202824
Total [candidate] (9.039 s) : 0, 9038623
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.206 s) : 0, 1206008
Total [baseline] (9.036 s) : 0, 9035503
Agent [candidate] (1.205 s) : 0, 1205330
Total [candidate] (9.06 s) : 0, 9060022
section iast_TELEMETRY_OFF
Agent [baseline] (1.197 s) : 0, 1197056
Total [baseline] (9.031 s) : 0, 9031243
Agent [candidate] (1.199 s) : 0, 1199005
Total [candidate] (9.097 s) : 0, 9097047
```

Baseline results:

| Module | Variant | Duration | Δ vs. tracing |
|---|---|---|---|
| Agent | tracing | 1.084 s | - |
| Agent | iast | 1.204 s | 119.137 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.206 s | 121.594 ms (11.2%) |
| Agent | iast_TELEMETRY_OFF | 1.197 s | 112.641 ms (10.4%) |
| Total | tracing | 8.58 s | - |
| Total | iast | 9.041 s | 461.604 ms (5.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.036 s | 455.625 ms (5.3%) |
| Total | iast_TELEMETRY_OFF | 9.031 s | 451.365 ms (5.3%) |

Candidate results:

| Module | Variant | Duration | Δ vs. tracing |
|---|---|---|---|
| Agent | tracing | 1.089 s | - |
| Agent | iast | 1.203 s | 113.529 ms (10.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.205 s | 116.035 ms (10.7%) |
| Agent | iast_TELEMETRY_OFF | 1.199 s | 109.709 ms (10.1%) |
| Total | tracing | 8.575 s | - |
| Total | iast | 9.039 s | 463.336 ms (5.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.06 s | 484.735 ms (5.7%) |
| Total | iast_TELEMETRY_OFF | 9.097 s | 521.76 ms (6.1%) |
```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (699.294 ms) : 0, 699294
BytebuddyAgent [candidate] (702.622 ms) : 0, 702622
GlobalTracer [baseline] (292.922 ms) : 0, 292922
GlobalTracer [candidate] (294.236 ms) : 0, 294236
AppSec [baseline] (49.308 ms) : 0, 49308
AppSec [candidate] (49.345 ms) : 0, 49345
Remote Config [baseline] (743.087 µs) : 0, 743
Remote Config [candidate] (737.832 µs) : 0, 738
Telemetry [baseline] (7.735 ms) : 0, 7735
Telemetry [candidate] (7.771 ms) : 0, 7771
section iast
BytebuddyAgent [baseline] (799.806 ms) : 0, 799806
BytebuddyAgent [candidate] (798.865 ms) : 0, 798865
GlobalTracer [baseline] (288.287 ms) : 0, 288287
GlobalTracer [candidate] (288.855 ms) : 0, 288855
AppSec [baseline] (50.709 ms) : 0, 50709
AppSec [candidate] (48.232 ms) : 0, 48232
IAST [baseline] (23.128 ms) : 0, 23128
IAST [candidate] (25.279 ms) : 0, 25279
Remote Config [baseline] (611.791 µs) : 0, 612
Remote Config [candidate] (611.918 µs) : 0, 612
Telemetry [baseline] (6.607 ms) : 0, 6607
Telemetry [candidate] (6.581 ms) : 0, 6581
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (802.019 ms) : 0, 802019
BytebuddyAgent [candidate] (800.731 ms) : 0, 800731
GlobalTracer [baseline] (288.875 ms) : 0, 288875
GlobalTracer [candidate] (289.585 ms) : 0, 289585
AppSec [baseline] (51.253 ms) : 0, 51253
AppSec [candidate] (49.002 ms) : 0, 49002
IAST [baseline] (22.169 ms) : 0, 22169
IAST [candidate] (22.988 ms) : 0, 22988
Remote Config [baseline] (612.06 µs) : 0, 612
Remote Config [candidate] (610.84 µs) : 0, 611
Telemetry [baseline] (6.653 ms) : 0, 6653
Telemetry [candidate] (8.061 ms) : 0, 8061
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (793.105 ms) : 0, 793105
BytebuddyAgent [candidate] (794.153 ms) : 0, 794153
GlobalTracer [baseline] (288.663 ms) : 0, 288663
GlobalTracer [candidate] (290.065 ms) : 0, 290065
AppSec [baseline] (50.694 ms) : 0, 50694
AppSec [candidate] (50.539 ms) : 0, 50539
IAST [baseline] (22.523 ms) : 0, 22523
IAST [candidate] (21.964 ms) : 0, 21964
Remote Config [baseline] (589.795 µs) : 0, 590
Remote Config [candidate] (590.66 µs) : 0, 591
Telemetry [baseline] (7.274 ms) : 0, 7274
Telemetry [candidate] (7.363 ms) : 0, 7363
```

Load

Request duration reports for petclinic

```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.346 ms) : 1327, 1365
.   : milestone, 1346,
appsec (1.768 ms) : 1744, 1792
.   : milestone, 1768,
iast (1.539 ms) : 1516, 1561
.   : milestone, 1539,
profiling (1.531 ms) : 1507, 1555
.   : milestone, 1531,
tracing (1.507 ms) : 1484, 1531
.   : milestone, 1507,
section candidate
no_agent (1.348 ms) : 1329, 1367
.   : milestone, 1348,
appsec (1.763 ms) : 1739, 1787
.   : milestone, 1763,
iast (1.518 ms) : 1495, 1541
.   : milestone, 1518,
profiling (1.55 ms) : 1526, 1573
.   : milestone, 1550,
tracing (1.494 ms) : 1471, 1517
.   : milestone, 1494,
```

Baseline results:

| Variant | Request duration [CI 0.99] | Δ vs. no_agent |
|---|---|---|
| no_agent | 1.346 ms [1.327 ms, 1.365 ms] | - |
| appsec | 1.768 ms [1.744 ms, 1.792 ms] | 422.389 µs (31.4%) |
| iast | 1.539 ms [1.516 ms, 1.561 ms] | 192.723 µs (14.3%) |
| profiling | 1.531 ms [1.507 ms, 1.555 ms] | 185.026 µs (13.7%) |
| tracing | 1.507 ms [1.484 ms, 1.531 ms] | 161.596 µs (12.0%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ vs. no_agent |
|---|---|---|
| no_agent | 1.348 ms [1.329 ms, 1.367 ms] | - |
| appsec | 1.763 ms [1.739 ms, 1.787 ms] | 415.012 µs (30.8%) |
| iast | 1.518 ms [1.495 ms, 1.541 ms] | 169.93 µs (12.6%) |
| profiling | 1.55 ms [1.526 ms, 1.573 ms] | 201.694 µs (15.0%) |
| tracing | 1.494 ms [1.471 ms, 1.517 ms] | 146.084 µs (10.8%) |
Request duration reports for insecure-bank

```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129
    dateFormat X
    axisFormat %s
section baseline
no_agent (360.347 µs) : 341, 380
.   : milestone, 360,
iast (473.473 µs) : 453, 494
.   : milestone, 473,
iast_FULL (537.436 µs) : 517, 558
.   : milestone, 537,
iast_GLOBAL (502.601 µs) : 480, 526
.   : milestone, 503,
iast_HARDCODED_SECRET_DISABLED (474.234 µs) : 454, 495
.   : milestone, 474,
iast_INACTIVE (449.294 µs) : 429, 470
.   : milestone, 449,
iast_TELEMETRY_OFF (481.674 µs) : 461, 503
.   : milestone, 482,
tracing (442.273 µs) : 422, 463
.   : milestone, 442,
section candidate
no_agent (365.995 µs) : 346, 386
.   : milestone, 366,
iast (472.644 µs) : 451, 494
.   : milestone, 473,
iast_FULL (539.959 µs) : 519, 561
.   : milestone, 540,
iast_GLOBAL (494.664 µs) : 474, 516
.   : milestone, 495,
iast_HARDCODED_SECRET_DISABLED (469.299 µs) : 449, 490
.   : milestone, 469,
iast_INACTIVE (451.653 µs) : 430, 473
.   : milestone, 452,
iast_TELEMETRY_OFF (469.173 µs) : 449, 490
.   : milestone, 469,
tracing (444.52 µs) : 424, 465
.   : milestone, 445,
```

Baseline results:

| Variant | Request duration [CI 0.99] | Δ vs. no_agent |
|---|---|---|
| no_agent | 360.347 µs [340.886 µs, 379.809 µs] | - |
| iast | 473.473 µs [452.876 µs, 494.069 µs] | 113.126 µs (31.4%) |
| iast_FULL | 537.436 µs [516.959 µs, 557.913 µs] | 177.089 µs (49.1%) |
| iast_GLOBAL | 502.601 µs [479.6 µs, 525.603 µs] | 142.254 µs (39.5%) |
| iast_HARDCODED_SECRET_DISABLED | 474.234 µs [453.546 µs, 494.923 µs] | 113.887 µs (31.6%) |
| iast_INACTIVE | 449.294 µs [428.712 µs, 469.877 µs] | 88.947 µs (24.7%) |
| iast_TELEMETRY_OFF | 481.674 µs [460.61 µs, 502.738 µs] | 121.327 µs (33.7%) |
| tracing | 442.273 µs [421.813 µs, 462.733 µs] | 81.926 µs (22.7%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ vs. no_agent |
|---|---|---|
| no_agent | 365.995 µs [346.034 µs, 385.956 µs] | - |
| iast | 472.644 µs [451.249 µs, 494.039 µs] | 106.649 µs (29.1%) |
| iast_FULL | 539.959 µs [519.256 µs, 560.661 µs] | 173.964 µs (47.5%) |
| iast_GLOBAL | 494.664 µs [473.63 µs, 515.697 µs] | 128.669 µs (35.2%) |
| iast_HARDCODED_SECRET_DISABLED | 469.299 µs [449.086 µs, 489.512 µs] | 103.304 µs (28.2%) |
| iast_INACTIVE | 451.653 µs [430.421 µs, 472.886 µs] | 85.658 µs (23.4%) |
| iast_TELEMETRY_OFF | 469.173 µs [448.571 µs, 489.776 µs] | 103.178 µs (28.2%) |
| tracing | 444.52 µs [424.291 µs, 464.748 µs] | 78.525 µs (21.5%) |

@ValentinZakharov ValentinZakharov marked this pull request as ready for review February 16, 2024 11:50
@ValentinZakharov ValentinZakharov requested a review from a team as a code owner February 16, 2024 11:50
@cataphract (Contributor) left a comment
I'm not a big fan of this solution. You're combining ephemeral and persistent objects into an object and then you have to separate them again so that you submit them separately to the waf. In this way, you end up creating more objects and having more conditional logic.

A minimally viable solution would be to just change runPowerwafTransient so that it does the correct call to the WAF. I think this would be enough for the foreseeable future, as we never submit transient and non-transient addresses at the same time.

An alternative would be to pass publishDataEvent two data bundles, one for persistent and another for ephemeral addresses.

None of these solutions require changing Address so that there are persistent and ephemeral addresses. I'm agnostic on whether that's a good change in itself or not.

@cataphract (Contributor) left a comment

Just to add one thing. If you want to keep a solution in this line, I think it would be better to:

  1. Keep the transient flag in addresses.
  2. Keep the removal of isTransient on onDataAvailable.
  3. Act on the distinction between persistent/ephemeral addresses just at the time of serialization in the PowerwafModule. Right now, you will have only persistent xor ephemeral addresses, so as an optimization you don't need to separate the bundles. If you want to add support for mixed addresses, you can just create two instances of DataBundleWrapper, as long as you previously separate com.datadog.appsec.powerwaf.PowerWAFModule.CtxAndAddresses#addressesOfInterest into two collections of addresses of interest (transient and persistent).
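
To make the persistent/ephemeral distinction from the PR description and from the comment above concrete, here is an added Java model (not dd-trace-java or libddwaf code) of a WAF context that retains persistent address values for the whole request but uses ephemeral values for a single run only, together with the one-time split of a mixed bundle into two parts that the comment suggests; the `Address`, `Rule`, `SplitBundle` and `WafContext` types, the substring rule format and all sample values are assumptions of this example.

```java
import java.util.*;

// Hypothetical model, not dd-trace-java or libddwaf code: persistent addresses are
// kept for the whole request (one context), ephemeral ones are valid for a single
// run, and a mixed bundle is partitioned once before submission.
public class EphemeralAddressDemo {
  /** Stand-in for the project's Address: a key plus the transient flag the review keeps. */
  record Address(String key, boolean isTransient) {}
  /** Stand-in for a WAF rule: fires when the value at an address contains a token. */
  record Rule(String id, String address, String token) {}
  /** Persistent and ephemeral halves of one data bundle, built once per run. */
  record SplitBundle(Map<String, String> persistent, Map<String, String> ephemeral) {}

  /** Partition addresses of interest by their transient flag (the reviewer's suggestion). */
  static SplitBundle split(Map<Address, String> bundle) {
    Map<String, String> persistent = new HashMap<>();
    Map<String, String> ephemeral = new HashMap<>();
    bundle.forEach((addr, value) ->
        (addr.isTransient() ? ephemeral : persistent).put(addr.key(), value));
    return new SplitBundle(persistent, ephemeral);
  }

  /** One WAF context for one request; only persistent data survives between runs. */
  static final class WafContext {
    private final Map<String, String> retained = new HashMap<>();
    private final List<Rule> rules;
    WafContext(List<Rule> rules) { this.rules = rules; }

    List<String> run(SplitBundle data) {
      retained.putAll(data.persistent());          // accumulates across calls
      Map<String, String> view = new HashMap<>(retained);
      view.putAll(data.ephemeral());               // visible for this call only
      List<String> matches = new ArrayList<>();
      for (Rule r : rules) {
        String v = view.get(r.address());
        if (v != null && v.contains(r.token())) matches.add(r.id());
      }
      return matches;
    }
    int retainedCount() { return retained.size(); }
  }

  public static void main(String[] args) {
    Address headers = new Address("server.request.headers.no_cookies", false);
    Address dbStatement = new Address("server.db.statement", true);
    WafContext ctx = new WafContext(List.of(
        new Rule("sqli-1", dbStatement.key(), "' OR 1=1"),
        new Rule("ua-1", headers.key(), "evil-scanner")));
    // Constructed sample values: headers once per request, several queries during it.
    System.out.println(ctx.run(split(Map.of(headers, "user-agent: curl/8.0"))));
    System.out.println(ctx.run(split(Map.of(dbStatement, "SELECT * FROM t WHERE a=' OR 1=1 --"))));
    System.out.println(ctx.run(split(Map.of(dbStatement, "SELECT 1"))));
    System.out.println(ctx.retainedCount()); // 1: the header stayed, no query was retained
  }
}
```

The third run reports nothing because the earlier query was ephemeral and was not kept in the context, which is the behaviour the transient mechanism emulated and ephemeral addresses now provide natively.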

@ValentinZakharov ValentinZakharov force-pushed the vzakharov/transient-to-ephemeral branch 2 times, most recently from 28afe26 to 7d2e9bc February 23, 2024 14:07
@ValentinZakharov ValentinZakharov merged commit 8f6b8c3 into master Mar 13, 2024
79 of 80 checks passed
@ValentinZakharov ValentinZakharov deleted the vzakharov/transient-to-ephemeral branch March 13, 2024 13:11
@github-actions github-actions bot added this to the 1.32.0 milestone Mar 13, 2024