Tune your App Perf (and get fit for summer)

Confidential & proprietary © Sqreen, 2015

Tune your app perf(and get fit for summer)

We make products antifragile

Jean-Baptiste Aviat

CTO @SqreenIO (https://sqreen.io)

Former hacker atApple (Red Team)

@JbAviat

jb@sqreen.io

– Donald Knuth

“Premature optimization is the root of all evil.”

Confidential & proprietary © Sqreen, 2015sqreen.io

« We don’t have bugs. »

« Or maybe one… »

« Okay, beta are done for that! »

Sqreen behind the scenes

Examine the environment

Run code specific to the class of vulnerability

Log security events

Automatically check for Sqreen security rules updates

While keeping the app fast.

HTTP request anatomy

DB Cache

QueryQueryJSON

request response

Services

Rails server

ClientRails app code

HTTP request with Sqreen

QueryQuery

DB Cache

Services

Rails server

Client

Sqreen code

request response

Rails app code

Attack blocked by Sqreen

Attack Error

Sqreen backend

Logevent

DB CacheServices

Rails server

Client

Sqreen code

Rails app code

Thanks early adopters, we owe you one!

Our beta customers raised different concerns:

1. Average response time

2. CPU consumption (mostly machine facing APIs)

3. Memory usage

4. Bandwidth

Endless path to perf optimization

Know what you are looking for

Measure: understand preciselywhat need change

Pareto law: 80% of execution time is spent in 20% of your code

Change: just code it

Evaluate: compare to previous measures

Start over.

ChangeEvaluate

Measure

What about our Gem?

Sqreen code executed during a client request:

doesn’t use network

doesn’t interact with filesystem

The decision to block is made in the application

Back-end communication is performed in a dedicated thread

Request processing

Asynchronous by design

Sqreen worker

Rails threads Sqreen thread

request response

Rails server

Sqreen backend

Sqreen code

Rails / app code

Asynchronism benefits

+ X ms

+ XX %

Default Dumb0ms

Sqreen

Reduce I/O

Bandwith

Memory

Requests

AggregateStrip Required? I/O

ExecJS call time

ExecJS allows many runtimes:

V8 (close to Pure Ruby)

JSCore (OSX only)

Node (ExecJS runs the Node binary)

Pure Ruby V8 JSCore(OSX)

ExecJS memory usage

Low memory usage

But it leaks!

@samsaffron helped a lot

Can be solved usingcontext recycling

ExecJS should be reset regularly

seconds0 150 300 450 600

Optimize ExecJS use

Reduce ExecJS spawn time

Precompile everything

Spawn ExecJS as less as possible

We introduced pure Ruby pre-conditions

Now the decision to call ExecJS is taken in Ruby

Minimize ExecJS overhead

Perform analysis only on requests using a risky API

Pick relevant methods

The JS engine is spawned and performs further analysis

Analyze

Check if the API uses arguments that can be

vulnerable

Validate exposure

If there is a security risk, we block the request and

alert our back-end

Alert & block

if method.include?(watch_methods) if method_arg.include?(parameters) if ExecJS.is_an_attack? tell_thread_to_record_alert block_this_request end endend

CPUBand-width

Reducing memory usage leads to smaller objects to be treated, faster garbage

collection

MemoryReducing CPU usage leads

to overall faster process

Less bandwidth means less server occupation and leads

to faster responses

BandwidthReducing I/O reduces time

needed for tasks

Virtuous circle of optimization

Benefits of multithreading

(over dumb implementation)

-1000%

Benefits of V8

(over Node runtime)

reduce leaks

Benefits of recycling ExecJS context

(garbage collection, overall memory usage…)

faster :)

Benefits of pre-condition

(less context recycling, less context switch…)

Client perf is not all about client

How to reduce I/O time without changing the client?

The exposed APIs need to respond faster

We are applying the same method to our back-end

Set up your feedback loop

Now, you should to monitor your performances (automatically)!

And do the same with Security ;)

Keep on coding…

Tune your App Perf (and get fit for summer)

Software

Perf Tools

Practice Perf Comp

So we just need another tune to fit the data, don’t we?

Perf Pozos - Copia

Network Perf

Oracle Perf Tune - Intro

Perf Diamantina

Salary Schedule 4/1/05 - 3/31/06...Salary Schedule 4/1/05 - 3/31/06 Long Max. Perf. Perf. Perf. Perf. Perf. 10 Yr. 15 Yr. 20 Yr. 25 Yr. Hiring Advance Advance Advance Advance Advance

Matlab Perf

brazil banking perf

perf scripts jiri olsa - events.static.linuxfound.org3 PERF SCRIPTS | JIRI OLSA perf stat COUNTING WORKLOAD WORKLOAD WORKLOAD WORKLOAD WORKLOAD CPU 0 CPU 1 CPU 2 $ perf stat e 'cycles,instructions

Perf. Mgmt.vs Perf. Appra

J2EE Perf Tune

Perf Counters

Ashawr perf kscope

Predicting Tractor Perf

2012-January-perf-dispatch 2 2012-August-perf-dispatch 13 ...2012-February-perf-dispatch 4 2012-March-perf-dispatch 6 2012-April-perf-dispatch 8 2012-June-perf-dispatch 9 2012-August-perf-dispatch

Pres. Perf. vs. Pres. Perf. Continuous Past Perf. vs. Past Perf. Continuous 2º Bachillerato

Perf tuning2

Perf Appraisal