tune your app perf (and get fit for summer)
TRANSCRIPT
Confidential & proprietary © Sqreen, 2015
We make products antifragile
Jean-Baptiste Aviat
CTO @SqreenIO (https://sqreen.io)
Former hacker at Apple (Red Team)
@JbAviat
“Premature optimization is the root of all evil.”
– Donald Knuth
« We don’t have bugs. »
« Or maybe one… »
« Okay, beta are done for that! »
Sqreen behind the scenes
Examine the environment
Run code specific to the class of vulnerability
Log security events
Automatically check for Sqreen security rules updates
While keeping the app fast.
HTTP request anatomy
(diagram: the client sends a request to the Rails server; the Rails app code runs queries against the DB, the cache and external services and returns a JSON response)
HTTP request with Sqreen
(diagram: same path, with Sqreen code wrapping the Rails app code inside the Rails server; the DB, cache and service queries and the JSON response are unchanged)
Attack blocked by Sqreen
(diagram: an attack request hits the Sqreen code inside the Rails server; the client gets an error back and a log event is sent to the Sqreen backend)
Thanks, early adopters, we owe you one!
Our beta customers raised different concerns:
1. Average response time
2. CPU consumption (mostly machine facing APIs)
3. Memory usage
4. Bandwidth
Endless path to perf optimization
Know what you are looking for
Measure: understand precisely what needs to change
Pareto law: 80% of execution time is spent in 20% of your code
Change: just code it
Evaluate: compare to previous measures
Start over.
(diagram: Measure, Change, Evaluate cycle)
What about our Gem?
Sqreen code executed during a client request:
doesn’t use network
doesn’t interact with filesystem
The decision to block is made in the application
Back-end communication is performed in a dedicated thread
(diagram: request processing and query path)
Asynchronous by design
(diagram: the Rails threads run the Rails / app code and the Sqreen code for request and response; a separate Sqreen thread runs the Sqreen worker, which is the only part talking to the Sqreen backend)
Asynchronism benefits
(chart: response time per implementation; Default 150 ms (+0 ms, +0 %), Sqreen 156 ms (+4 %), Dumb implementation 225 ms (+XX %))
Reduce I/O
(diagram: Bandwidth, Memory, Requests; for each I/O, ask "Required?", then Aggregate or Strip)
ExecJS call time
ExecJS allows many runtimes:
V8 (close to Pure Ruby)
JSCore (OSX only)
Node (ExecJS runs the Node binary)
(chart: call time in milliseconds, 0 to 70 ms scale, for Pure Ruby, V8, JSCore (OSX) and Node)
ExecJS memory usage
Low memory usage
But it leaks!
@samsaffron helped a lot
Can be solved using context recycling
ExecJS should be reset regularly
(chart: memory in MB, 0 to 700 MB scale, over 0 to 600 seconds)
Optimize ExecJS use
Reduce ExecJS spawn time
Precompile everything
Spawn ExecJS as little as possible
We introduced pure Ruby pre-conditions
Now the decision to call ExecJS is taken in Ruby
Minimize ExecJS overhead
Pick relevant methods: perform analysis only on requests using a risky API
Analyze: the JS engine is spawned and performs further analysis
Validate exposure: check if the API uses arguments that can be vulnerable
Alert & block: if there is a security risk, we block the request and alert our back-end
# pre-conditions run in pure Ruby; ExecJS is only reached on the innermost branch
if watch_methods.include?(method)
  if method_arg.include?(parameters)
    if ExecJS.is_an_attack?
      tell_thread_to_record_alert
      block_this_request
    end
  end
end
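The two ideas from the "Asynchronous by design" slide and the pre-condition pipeline above, as one added Ruby illustration (not Sqreen's gem code): the request thread decides in-process with cheap pure-Ruby checks and never touches the network; only alerts are handed to a dedicated worker thread, which is the only place the backend is contacted. SqreenWorker, RequestGuard, WATCH_METHODS and JS_ANALYZER are hypothetical names, and JS_ANALYZER is a trivial stand-in for the expensive ExecJS analysis.

```ruby
# Added illustration, not Sqreen's gem code: the request thread decides in-process
# and only pushes alerts to a worker thread, which alone talks to the backend.
# SqreenWorker, RequestGuard, WATCH_METHODS and JS_ANALYZER are hypothetical names.
class SqreenWorker
  def initialize(sender)
    @queue  = Queue.new   # thread-safe FIFO; request threads never wait on it
    @sender = sender      # callable doing the backend I/O (stubbed in tests)
    @thread = Thread.new { loop { handle(@queue.pop) } }
  end

  def record_alert(event)  # request side: O(1) push, no network here
    @queue << event
  end

  def flush                # wait until everything queued so far has been sent
    ack = Queue.new
    @queue << ack
    ack.pop
  end

  def handle(item)
    item.is_a?(Queue) ? item << :ok : @sender.call(item)
  rescue StandardError => e
    warn "backend send failed: #{e.message}"  # a failing backend must not kill the worker
  end
end

WATCH_METHODS = ["User.where", "Post.find_by_sql"].freeze  # hypothetical risky APIs
# Stand-in for the expensive JS analysis; it is only reached once the cheap
# pure-Ruby pre-conditions (watched method, tainted argument) have passed.
JS_ANALYZER = ->(arg) { arg.include?("--") }

class RequestGuard
  attr_reader :js_calls   # how often the expensive stage actually ran
  def initialize(worker, analyzer)
    @worker, @analyzer, @js_calls = worker, analyzer, 0
  end

  # :pass  -> method not watched, or no request parameter reaches its argument
  # :allow -> analyzer found nothing;  :block -> alert queued, request must be blocked
  def check(method_name, arg, params)
    return :pass unless WATCH_METHODS.include?(method_name)
    return :pass unless params.values.any? { |v| !v.to_s.empty? && arg.include?(v.to_s) }
    @js_calls += 1
    return :allow unless @analyzer.call(arg)
    @worker.record_alert(method: method_name, arg: arg)
    :block
  end
end
```

The js_calls counter is the number to watch when tuning: every request that the pure-Ruby pre-conditions reject is one JS spawn saved.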
Virtuous circle of optimization
Memory: reducing memory usage leads to smaller objects to be treated and faster garbage collection
CPU: reducing CPU usage leads to an overall faster process
Bandwidth: less bandwidth means less server occupation and leads to faster responses
I/O: reducing I/O reduces the time needed for tasks
(diagram: Mem, CPU, Bandwidth and I/O feeding into each other)
Benefits of multithreading: 144% (over dumb implementation)
Benefits of V8: -1000% (over Node runtime)
Benefits of recycling ExecJS context: reduced leaks (garbage collection, overall memory usage…)
Benefits of pre-condition: just faster :) (less context recycling, less context switch…)
Client perf is not all about client
How to reduce I/O time without changing the client?
The exposed APIs need to respond faster
We are applying the same method to our back-end
Set up your feedback loop
Now, you should monitor your performance (automatically)!
And do the same with Security ;)
Keep on coding…