
Page 1: Tune your App Perf (and get fit for summer)

Confidential & proprietary © Sqreen, 2015

Tune your app perf (and get fit for summer)

We make products antifragile

Page 2

Jean-Baptiste Aviat

CTO @SqreenIO (https://sqreen.io)

Former hacker at Apple (Red Team)

@JbAviat

[email protected]

Page 3

“Premature optimization is the root of all evil.”

– Donald Knuth

Page 4

« We don’t have bugs. »

« Or maybe one… »

« Okay, betas are done for that! »

Page 5

Sqreen behind the scenes

Examine the environment

Run code specific to the class of vulnerability

Log security events

Automatically check for Sqreen security rules updates

While keeping the app fast.

Page 6

HTTP request anatomy

(diagram: the Client sends a request to the Rails server; the Rails app code issues a Query to the DB, a Query to the Cache and JSON calls to Services, then the response goes back to the Client)

Page 7

HTTP request with Sqreen

QueryQuery

DB Cache

JSON

Services

Rails server

Client

Sqreen code

request response

Rails app code

Page 8

Attack blocked by Sqreen

(diagram: the Client's Attack request reaches the Sqreen code inside the Rails server; the Sqreen code answers with an Error instead of letting the Query reach the Rails app code, DB, Cache or Services, and logs the event to the Sqreen backend)

Page 9

Thanks early adopters, we owe you one!

Our beta customers raised different concerns:

1. Average response time

2. CPU consumption (mostly machine facing APIs)

3. Memory usage

4. Bandwidth

Page 10

Endless path to perf optimization

Know what you are looking for

Measure: understand precisely what needs to change

Pareto law: 80% of execution time is spent in 20% of your code

Change: just code it

Evaluate: compare to previous measures

Start over.

(cycle diagram: Measure → Change → Evaluate → Measure …)

Page 11

What about our Gem?

Page 12

Sqreen code executed during a client request:

doesn’t use network

doesn’t interact with filesystem

The decision to block is made in the application

Back-end communication is performed in a dedicated thread

(diagram: request processing timeline showing where the Query happens)

Page 13

Asynchronous by design

(diagram: inside the Rails server, the Rails threads handle request and response with the Rails / app code and the Sqreen code inline; a separate Sqreen thread runs the Sqreen worker, which is the only part talking to the Sqreen backend)

Page 14

Asynchronism benefits

(bar chart of response time, 0 ms baseline; each bar is labelled with its overhead as + X ms / + XX % over the default)

Default: 150 ms, + 0 %
Dumb: 225 ms
Sqreen: 156 ms, + 4 %

Page 15

Reduce I/O

(diagram: Bandwidth, Memory and Requests all feed into one flow whose stages are Required?, Strip, Aggregate and finally I/O)
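Pages 12, 13 and 15 together describe one design: the request thread never does network or filesystem work, a dedicated thread talks to the back-end, and what it sends is first stripped to the required fields and aggregated. The following block is an added example, not Sqreen's gem code; `BackendWorker`, `record`, `REQUIRED_KEYS` and the sample events are all hypothetical, and an in-memory array stands in for the HTTP calls to the back-end so the example runs offline.

```ruby
require "json"

# Added example (not Sqreen's code); all names are hypothetical.
# The request thread only calls #record, which pushes onto a Queue and returns.
# A single worker thread drains the queue, strips each event to the fields the
# back-end requires, aggregates identical events, and "sends" in batches.
class BackendWorker
  REQUIRED_KEYS = %i[rule path].freeze  # hypothetical: what the back-end actually needs

  attr_reader :sent_batches

  def initialize(flush_every: 4)
    @queue = Queue.new
    @flush_every = flush_every
    @buffered = Hash.new(0)   # stripped event => occurrence count
    @buffered_total = 0
    @sent_batches = []        # stands in for the HTTP POSTs to the back-end
    @thread = Thread.new { run }
  end

  # Hot path: enqueue and return immediately; no I/O on the request thread.
  def record(event)
    @queue << event
    nil
  end

  # Orderly stop: drain what is queued, flush the remainder, join the thread.
  def shutdown
    @queue << :shutdown
    @thread.join
    self
  end

  private

  def run
    while (event = @queue.pop) != :shutdown
      @buffered[strip(event)] += 1
      @buffered_total += 1
      flush if @buffered_total >= @flush_every
    end
    flush
  end

  # Strip: keep only the required keys, dropping bulky request data before it is serialized.
  def strip(event)
    event.slice(*REQUIRED_KEYS)
  end

  # Aggregate: one entry per distinct event with its count, serialized once per batch.
  def flush
    return if @buffered.empty?
    payload = @buffered.map { |ev, n| ev.merge(count: n) }
    @sent_batches << JSON.generate(payload)
    @buffered.clear
    @buffered_total = 0
  end
end

# Constructed sample of what a request thread would record during a burst of blocked requests.
SAMPLE_EVENTS = [
  { rule: "sqli", path: "/users",  raw_body: "x" * 1024 },
  { rule: "sqli", path: "/users",  raw_body: "y" * 1024 },
  { rule: "xss",  path: "/search", raw_body: "<b>" },
  { rule: "sqli", path: "/users",  raw_body: "z" * 1024 },
  { rule: "xss",  path: "/search", raw_body: "<i>" },
  { rule: "sqli", path: "/login",  raw_body: "q" },
].freeze

# Returns the batches the worker sent, parsed back from JSON.
def demo_async_reporting(events = SAMPLE_EVENTS, flush_every: 4)
  worker = BackendWorker.new(flush_every: flush_every)
  events.each { |e| worker.record(e) }
  worker.shutdown
  worker.sent_batches.map { |b| JSON.parse(b, symbolize_names: true) }
end

if __FILE__ == $PROGRAM_NAME
  demo_async_reporting.each_with_index { |batch, i| puts "batch #{i}: #{batch.inspect}" }
end
```

With six events and `flush_every: 4`, the worker sends two batches: the first collapses three identical `sqli` events on `/users` into one entry with `count: 3`, and the kilobyte-sized `raw_body` fields never reach the wire. The request thread's cost is a `Queue#push`, which is the property page 12 asks for.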

Page 16

ExecJS call time

ExecJS allows many runtimes:

V8 (close to Pure Ruby)

JSCore (OSX only)

Node (ExecJS runs the Node binary)

(bar chart: ExecJS call time in milliseconds, axis from 0 to 70 in steps of 17.5, for Pure Ruby, V8, JSCore (OSX) and Node)

Page 17

ExecJS memory usage

Low memory usage

But it leaks!

@samsaffron helped a lot

Can be solved using context recycling

ExecJS should be reset regularly

(chart: memory in MB, axis from 0 to 700, plotted over 600 seconds)

Page 18

Optimize ExecJS use

Reduce ExecJS spawn time

Precompile everything

Spawn ExecJS as little as possible

We introduced pure Ruby pre-conditions

Now the decision to call ExecJS is taken in Ruby
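Pages 17 and 18 name the two memory measures, precompile everything and recycle the context regularly, without showing the shape of the code. The block below is an added example, not Sqreen's code: `LeakyRuntime` is a constructed stand-in for a JS context that keeps a reference to everything it evaluated (the ExecJS gem is not used, so the example runs offline), `RecyclingContext` is the hypothetical wrapper that rebuilds the context every N calls, and the rule table is a Ruby lambda standing in for precompiled JavaScript.

```ruby
# Added example, not Sqreen's code; names are hypothetical.
# A constructed runtime that never releases what it evaluated, modelling the
# leak described on page 17. Rules are compiled once when the context is built.
class LeakyRuntime
  attr_reader :retained

  def initialize(compiled_rules)
    @rules = compiled_rules   # compiled at context creation, not per call ("precompile everything")
    @retained = []            # models the leak: grows on every call, freed only with the context
  end

  def call(rule_name, input)
    @retained << input.dup
    @rules.fetch(rule_name).call(input)
  end
end

# The recycling pattern: after max_calls evaluations, drop the context and
# build a fresh one, so whatever the old one retained becomes garbage.
class RecyclingContext
  attr_reader :contexts_created

  def initialize(max_calls:, &factory)
    @factory = factory
    @max_calls = max_calls
    @calls = 0
    @contexts_created = 0
    @ctx = new_context
  end

  def call(*args)
    recycle if @calls >= @max_calls
    @calls += 1
    @ctx.call(*args)
  end

  # What the current context still holds; older contexts are unreachable and GC-able.
  def retained_count
    @ctx.retained.size
  end

  private

  def new_context
    @contexts_created += 1
    @factory.call
  end

  def recycle
    @ctx = new_context   # old context is dropped here
    @calls = 0
  end
end

# Constructed rule table; a real rule set would be JavaScript evaluated by ExecJS.
COMPILED_RULES = {
  "sql_comment" => ->(s) { s.include?("--") },
}.freeze

# Constructed inputs: ten values, one of which carries a comment marker.
SAMPLE_INPUTS = (1..10).map { |i| i == 3 ? "id = 3 --" : "id = #{i}" }.freeze

# Runs every input through the rule and reports how much the live runtime retains.
def demo_context_recycling(inputs = SAMPLE_INPUTS, max_calls:)
  ctx = RecyclingContext.new(max_calls: max_calls) { LeakyRuntime.new(COMPILED_RULES) }
  verdicts = inputs.map { |s| ctx.call("sql_comment", s) }
  { verdicts: verdicts, contexts_created: ctx.contexts_created, retained: ctx.retained_count }
end

if __FILE__ == $PROGRAM_NAME
  puts "recycling every 4 calls: #{demo_context_recycling(max_calls: 4).inspect}"
  puts "never recycling:         #{demo_context_recycling(max_calls: 1_000).inspect}"
end
```

Recycling every 4 calls over 10 inputs builds 3 contexts and leaves at most 2 retained inputs in the live one, whereas never recycling retains all 10; the verdicts are identical either way. The threshold is the knob page 24 refers to: a higher `max_calls` means less recycling but a higher memory ceiling, which is why the pure Ruby pre-conditions that avoid spawning the engine at all pay off twice.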

Page 19

Minimize ExecJS overhead

Pick relevant methods: perform analysis only on requests using a risky API.

Validate exposure: check if the API uses arguments that can be vulnerable.

Analyze: the JS engine is spawned and performs further analysis.

Alert & block: if there is a security risk, we block the request and alert our back-end.

  if watch_methods.include?(method)      # pick relevant methods (cheap, pure Ruby)
    if method_arg.include?(parameters)   # validate exposure (cheap, pure Ruby)
      if ExecJS.is_an_attack?            # analyze (the costly JS engine call)
        tell_thread_to_record_alert      # alert: handed to the Sqreen thread
        block_this_request               # block
      end
    end
  end
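The pseudocode above shows the nesting; the block below is an added example, not Sqreen's gem code, that makes the gating measurable. `RequestGuard`, `check`, the watched method names, the sample calls and the toy analyzer are all hypothetical, and a Ruby lambda stands in for the ExecJS call so the example runs offline and can count how many calls actually reach the expensive stage.

```ruby
require "set"

# Added example (not Sqreen's code); all names are hypothetical.
class RequestGuard
  Stats = Struct.new(:seen, :watched, :analyzed, :blocked)

  attr_reader :stats, :alerts

  def initialize(watched_methods:, analyzer:)
    @watched = Set.new(watched_methods)  # the "pick relevant methods" list
    @analyzer = analyzer                 # stands in for ExecJS.is_an_attack?
    @stats = Stats.new(0, 0, 0, 0)
    @alerts = []                         # in the gem this goes to the reporting thread
  end

  # One call on the hot path. Returns :allow or :block. The two cheap Ruby
  # checks short-circuit, so the analyzer only runs for exposed calls.
  def check(method_name, args, params)
    @stats.seen += 1
    return :allow unless @watched.include?(method_name)   # 1. pick relevant methods
    @stats.watched += 1

    # 2. validate exposure: does any string argument contain a value taken from the request?
    exposed = args.grep(String).select do |a|
      params.values.any? { |v| !v.empty? && a.include?(v) }
    end
    return :allow if exposed.empty?

    @stats.analyzed += 1                                  # 3. analyze (the costly stage)
    return :allow unless exposed.any? { |a| @analyzer.call(a) }

    @stats.blocked += 1                                   # 4. alert & block
    @alerts << { method: method_name, argument: exposed.first }
    :block
  end
end

# Toy analyzer: flags a value carrying an SQL comment marker. The real rules
# live in the JS engine; this only marks where that engine would be invoked.
TOY_ANALYZER = ->(value) { value.include?("--") }

# Constructed calls as the guard would see them: [method, args, request params].
SAMPLE_CALLS = [
  ["render",      ["users/show"],                                 { "id" => "42" }],
  ["find_by_sql", ["SELECT * FROM users WHERE id = 42"],          { "id" => "42" }],
  ["find_by_sql", ["SELECT * FROM users LIMIT 10"],               { "page" => "7" }],
  ["open",        ["/tmp/report.csv"],                            { "format" => "pdf" }],
  ["find_by_sql", ["SELECT * FROM users WHERE name = 'bob --'"],  { "name" => "bob --" }],
  ["cache_fetch", ["users/42"],                                   { "id" => "42" }],
].freeze

# Returns the verdict per call plus how far each call got through the gate.
def demo_precondition_gate(calls = SAMPLE_CALLS)
  guard = RequestGuard.new(watched_methods: %w[find_by_sql open system], analyzer: TOY_ANALYZER)
  verdicts = calls.map { |m, args, params| guard.check(m, args, params) }
  { verdicts: verdicts, stats: guard.stats.to_h, alerts: guard.alerts }
end

if __FILE__ == $PROGRAM_NAME
  puts demo_precondition_gate.inspect
end
```

Of the six sample calls, four use a watched method, only two carry a request value into the argument, and only those two pay for the analyzer; one of them is blocked. Everything before the analyzer is a `Set#include?` and a few `String#include?` calls, which is the "decision to call ExecJS is taken in Ruby" point from page 18.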

Page 20

Virtuous circle of optimization

(diagram with four linked quadrants: Mem, CPU, Bandwidth, I/O)

Memory: reducing memory usage leads to smaller objects to be treated and faster garbage collection.

CPU: reducing CPU usage leads to an overall faster process.

Bandwidth: less bandwidth means less server occupation and leads to faster responses.

I/O: reducing I/O reduces the time needed for tasks.

Page 21

Benefits of multithreading: 144 % (over dumb implementation)

Page 22

Benefits of V8: -1000 % (over Node runtime)

Page 23

Benefits of recycling ExecJS context: reduce leaks (garbage collection, overall memory usage…)

Page 24

Benefits of pre-condition: just faster :) (less context recycling, less context switch…)

Page 25

Client perf is not all about client

How to reduce I/O time without changing the client?

The exposed APIs need to respond faster

We are applying the same method to our back-end

Page 26

Set up your feedback loop

Now, you should monitor your performance (automatically)!

And do the same with Security ;)

Keep on coding…