Report span metrics for Exploit Prevention #7273

Merged
merged 4 commits into from
Jul 8, 2024

@ValentinZakharov ValentinZakharov commented Jul 3, 2024

What Does This Do

Added new span metrics for Exploit prevention:

  • _dd.appsec.rasp.duration - cumulative runtime in nanoseconds of every call to libddwaf through a RASP instrumentation within a request
  • _dd.appsec.rasp.duration_ext - cumulative runtime in nanoseconds of libddwaf call + bindings cost through RASP instrumentation within a request
  • _dd.appsec.rasp.rule.eval - counts the number of libddwaf calls per request

Motivation

This is part of Exploit prevention to let us collect useful metrics for future analysis of effectiveness.

Additional Notes

Jira ticket: APPSEC-47228

@ValentinZakharov ValentinZakharov added the comp: asm waf Application Security Management (WAF) label Jul 3, 2024
@ValentinZakharov ValentinZakharov self-assigned this Jul 3, 2024
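
The three metrics described in the pull request above, sketched as a per-request accumulator. This is an added example, not code from this pull request or from dd-trace-java; the class `RaspSpanMetrics`, its methods, and taking both timings with `System.nanoTime()` are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;
import java.util.function.Supplier;

// Hypothetical per-request accumulator (illustration only, not dd-trace-java code).
public class RaspSpanMetrics {
  private final AtomicLong wafNanos = new AtomicLong(); // time inside the WAF call itself
  private final AtomicLong extNanos = new AtomicLong(); // WAF call plus bindings work around it
  private final AtomicLong evals = new AtomicLong();    // RASP-triggered WAF calls in this request

  // Wraps one RASP-triggered evaluation. `marshal` stands in for the bindings
  // cost (preparing arguments for the native call), `waf` for the call itself.
  public <I, R> R evaluate(Supplier<I> marshal, Function<I, R> waf) {
    long extStart = System.nanoTime();
    try {
      I input = marshal.get();
      long wafStart = System.nanoTime();
      evals.incrementAndGet(); // counted only once the WAF is actually invoked
      try {
        return waf.apply(input);
      } finally {
        wafNanos.addAndGet(System.nanoTime() - wafStart); // recorded even if the call throws
      }
    } finally {
      // The outer interval encloses the inner one, so this share is never smaller.
      extNanos.addAndGet(System.nanoTime() - extStart);
    }
  }

  // Cumulative values for the whole request, keyed by the tag names from the PR description.
  public Map<String, Long> toSpanMetrics() {
    Map<String, Long> tags = new LinkedHashMap<>();
    tags.put("_dd.appsec.rasp.duration", wafNanos.get());
    tags.put("_dd.appsec.rasp.duration_ext", extNanos.get());
    tags.put("_dd.appsec.rasp.rule.eval", evals.get());
    return tags;
  }

  public static void main(String[] args) {
    RaspSpanMetrics request = new RaspSpanMetrics();
    // Constructed inputs standing in for two instrumented calls within one request.
    for (String arg : new String[] {"constructed-input-1", "constructed-input-2"}) {
      Boolean blocked = request.evaluate(
          () -> arg.getBytes(StandardCharsets.UTF_8), // stand-in for bindings work
          bytes -> bytes.length == 0);                // stand-in for the WAF verdict
      System.out.println(arg + " blocked=" + blocked);
    }
    System.out.println(request.toSpanMetrics());
  }
}
```

Subtracting `_dd.appsec.rasp.duration` from `_dd.appsec.rasp.duration_ext` gives the bindings overhead for the request.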
pr-commenter bot commented Jul 3, 2024

Benchmarks

Startup

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-07-03T15:19:51 | 2024-07-03T15:26:41 |
| git_branch | master | vzakharov/rasp_span_metrics2 |
| git_commit_date | 1720015951 | 1720018868 |
| git_commit_sha | 1496a6c | 176164b |
| release_version | 1.37.0-SNAPSHOT~1496a6cfd7 | 1.37.0-SNAPSHOT~176164bb57 |
| start_time | 2024-07-03T15:19:37 | 2024-07-03T15:26:28 |

See matching parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1720020746 | 1720020746 |
| ci_job_id | 561392185 | 561392185 |
| ci_pipeline_id | 38266151 | 38266151 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for petclinic
(Chart: petclinic - request duration [CI 0.99] : candidate=1.37.0-SNAPSHOT~176164bb57, baseline=1.37.0-SNAPSHOT~1496a6cfd7; sections: baseline, candidate)
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.339 ms [1.319 ms, 1.36 ms] | - |
| appsec | 1.731 ms [1.709 ms, 1.754 ms] | 392.071 µs (29.3%) |
| appsec_no_iast | 1.738 ms [1.713 ms, 1.762 ms] | 398.081 µs (29.7%) |
| iast | 1.488 ms [1.466 ms, 1.511 ms] | 149.011 µs (11.1%) |
| profiling | 1.508 ms [1.482 ms, 1.535 ms] | 168.962 µs (12.6%) |
| tracing | 1.485 ms [1.461 ms, 1.509 ms] | 145.267 µs (10.8%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.352 ms [1.332 ms, 1.371 ms] | - |
| appsec | 1.728 ms [1.704 ms, 1.753 ms] | 376.366 µs (27.8%) |
| appsec_no_iast | 1.728 ms [1.704 ms, 1.752 ms] | 376.662 µs (27.9%) |
| iast | 1.464 ms [1.442 ms, 1.487 ms] | 112.552 µs (8.3%) |
| profiling | 1.499 ms [1.476 ms, 1.523 ms] | 147.507 µs (10.9%) |
| tracing | 1.458 ms [1.434 ms, 1.483 ms] | 106.792 µs (7.9%) |

Request duration reports for insecure-bank
(Chart: insecure-bank - request duration [CI 0.99] : candidate=1.37.0-SNAPSHOT~176164bb57, baseline=1.37.0-SNAPSHOT~1496a6cfd7; sections: baseline, candidate)
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 370.469 µs [350.527 µs, 390.411 µs] | - |
| iast | 489.819 µs [468.719 µs, 510.919 µs] | 119.35 µs (32.2%) |
| iast_FULL | 553.771 µs [532.698 µs, 574.844 µs] | 183.302 µs (49.5%) |
| iast_GLOBAL | 505.246 µs [482.999 µs, 527.493 µs] | 134.777 µs (36.4%) |
| iast_HARDCODED_SECRET_DISABLED | 478.079 µs [456.859 µs, 499.3 µs] | 107.61 µs (29.0%) |
| iast_INACTIVE | 456.285 µs [434.585 µs, 477.985 µs] | 85.816 µs (23.2%) |
| iast_TELEMETRY_OFF | 476.801 µs [455.233 µs, 498.369 µs] | 106.332 µs (28.7%) |
| tracing | 444.382 µs [423.535 µs, 465.229 µs] | 73.913 µs (20.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 366.486 µs [347.002 µs, 385.97 µs] | - |
| iast | 475.816 µs [454.751 µs, 496.88 µs] | 109.329 µs (29.8%) |
| iast_FULL | 551.899 µs [531.065 µs, 572.733 µs] | 185.413 µs (50.6%) |
| iast_GLOBAL | 504.101 µs [483.092 µs, 525.11 µs] | 137.615 µs (37.5%) |
| iast_HARDCODED_SECRET_DISABLED | 482.819 µs [461.395 µs, 504.243 µs] | 116.333 µs (31.7%) |
| iast_INACTIVE | 459.12 µs [436.949 µs, 481.29 µs] | 92.634 µs (25.3%) |
| iast_TELEMETRY_OFF | 468.948 µs [447.924 µs, 489.973 µs] | 102.462 µs (28.0%) |
| tracing | 441.011 µs [420.385 µs, 461.638 µs] | 74.525 µs (20.3%) |

Dacapo

@ValentinZakharov ValentinZakharov marked this pull request as ready for review July 3, 2024 15:25
@ValentinZakharov ValentinZakharov requested a review from a team as a code owner July 3, 2024 15:25
@smola smola left a comment

The overall idea looks good to me. Just a minor comment, and a request for tests.

@ValentinZakharov ValentinZakharov requested review from a team as code owners July 5, 2024 09:31
Base automatically changed from vzakharov/rasp_sqli_blocking to master July 5, 2024 11:25
@amarziali amarziali removed the request for review from a team July 8, 2024 08:35
@ValentinZakharov ValentinZakharov merged commit 5809b1d into master Jul 8, 2024
78 checks passed
@ValentinZakharov ValentinZakharov deleted the vzakharov/rasp_span_metrics2 branch July 8, 2024 09:50
@github-actions github-actions bot added this to the 1.38.0 milestone Jul 8, 2024