Replace ASM transient mechanism with WAF ephemeral addresses #6687
Benchmarks (startup parameters; see matching parameters)

Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

[Startup time reports for petclinic: gantt charts "petclinic - global startup overhead" and "petclinic - break down per module", candidate=1.32.0-SNAPSHOT~3224607d3e, baseline=1.32.0-SNAPSHOT~a786410129; sections tracing, appsec, iast, profiling]

[Startup time reports for insecure-bank: gantt charts "insecure-bank - global startup overhead" and "insecure-bank - break down per module", same candidate and baseline; sections tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF]

[Load: request duration reports for petclinic, gantt chart "petclinic - request duration [CI 0.99]", same candidate and baseline; sections baseline, candidate]

[Request duration reports for insecure-bank, gantt chart "insecure-bank - request duration [CI 0.99]", same candidate and baseline; sections baseline, candidate]
I'm not a big fan of this solution. You're combining ephemeral and persistent objects into an object and then you have to separate them again so that you submit them separately to the WAF. In this way, you end up creating more objects and having more conditional logic.

A minimally viable solution would be to just change `runPowerwafTransient` so that it does the correct call to the WAF. I think this would be enough for the foreseeable future, as we never submit transient and non-transient addresses at the same time.

An alternative would be to pass `publishDataEvent` two data bundles, one for persistent and another for ephemeral addresses.

None of these solutions require changing `Address` so that there are persistent and ephemeral addresses. I'm agnostic on whether that's a good change in itself or not.
Just to add one thing. If you want to keep a solution in this line, I think it would be better to:
- Keep the transient flag in addresses.
- Keep the removal of `isTransient` on `onDataAvailable`.
- Act on the distinction between persistent/ephemeral addresses just at the time of serialization in the PowerwafModule. Right now, you will have only persistent xor ephemeral addresses, so as an optimization you don't need to separate the bundles. If you want to add support for mixed addresses, you can just create two instances of `DataBundleWrapper`, as long as you previously separate `com.datadog.appsec.powerwaf.PowerWAFModule.CtxAndAddresses#addressesOfInterest` into two collections of addresses of interest (transient and persistent).
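Added example (not code from this PR or from dd-trace-java) sketching the split the review comment above proposes: addresses keep a transient flag, and a bundle is partitioned into persistent and ephemeral collections only at WAF submission time, with the one-kind-only fast path left unsplit. All class and method names, the WAF context stand-in and the sample address keys are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Hypothetical address carrying its own transient flag (assumed type,
// not the project's Address class).
final class Address {
    final String key;
    final boolean isTransient; // true -> submit as a WAF ephemeral address
    Address(String key, boolean isTransient) { this.key = key; this.isTransient = isTransient; }
}

// Stand-in for the WAF context: one run call that takes persistent and
// ephemeral data as two separate inputs. Counters only record which paths ran.
final class WafContext {
    int persistentRuns, ephemeralRuns;
    void run(Collection<Address> persistent, Collection<Address> ephemeral) {
        if (!persistent.isEmpty()) persistentRuns++;
        if (!ephemeral.isEmpty()) ephemeralRuns++;
    }
}

final class WafSubmitter {
    // Partition at serialization time only. A bundle that is all-persistent
    // or all-ephemeral is passed through untouched (the "persistent xor
    // ephemeral" fast path); only a mixed bundle is split into two lists.
    static void submit(WafContext ctx, Collection<Address> bundle) {
        boolean anyTransient = false, anyPersistent = false;
        for (Address a : bundle) {
            if (a.isTransient) anyTransient = true; else anyPersistent = true;
        }
        if (!anyTransient) { ctx.run(bundle, List.of()); return; }
        if (!anyPersistent) { ctx.run(List.of(), bundle); return; }
        List<Address> persistent = new ArrayList<>();
        List<Address> ephemeral = new ArrayList<>();
        for (Address a : bundle) (a.isTransient ? ephemeral : persistent).add(a);
        ctx.run(persistent, ephemeral);
    }

    public static void main(String[] args) {
        WafContext ctx = new WafContext();
        // Constructed sample keys: persistent request data and an ephemeral body chunk.
        submit(ctx, List.of(new Address("example.request.headers", false)));
        submit(ctx, List.of(new Address("example.body.chunk", true)));
        submit(ctx, List.of(new Address("example.request.uri", false),
                            new Address("example.body.chunk", true)));
        System.out.println("persistent runs=" + ctx.persistentRuns + ", ephemeral runs=" + ctx.ephemeralRuns);
    }
}
```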
Commit ranges: 28afe26 to 7d2e9bc (Compare); 7d2e9bc to 3224607 (Compare).
What Does This Do

This pull request signifies an important enhancement in ASM. Originally, we employed a transient mechanism to manage temporary data submissions to the WAF. The recent introduction of ephemeral addresses in `libddwaf` presents a native and more efficient implementation of this transient mechanism. Through this PR, we are transitioning from the older transient method to utilizing ephemeral addresses.

Motivation

This improvement is required by #6375.

Additional Notes

Upgrading WAF to version `1.16.0` made it possible to start using ephemeral addresses (see: #6658).

Jira ticket: APPSEC-51774