Tune your App Perf (and get fit for summer)

Transcript

1. Confidential & proprietary © Sqreen, 2015 Tune your app perf


   (and get fit for summer) We make products antifragile

2. © Sqreen sqreen.io Jean-Baptiste Aviat CTO @SqreenIO (https://sqreen.io) Former hacker

   at
 Apple (Red Team) @JbAviat [email protected]

3. Confidential & proprietary © Sqreen, 2015 – Donald Knuth “Premature

   optimization is the root of all evil.”

4. Confidential & proprietary © Sqreen, 2015 sqreen.io « We don’t

   have bugs. » « Or maybe one… » « Okay, beta are done for that! »

5. Confidential & proprietary © Sqreen, 2015 sqreen.io Sqreen behind the

   scenes Examine the environment Run code specific to the class of vulnerability Log security events Automatically check for Sqreen
 security rules updates
 While keeping the app fast.

6. Confidential & proprietary © Sqreen, 2015 sqreen.io HTTP request anatomy

   DB Cache Query Query JSON request response Services Rails server Client Rails app code

7. Confidential & proprietary © Sqreen, 2015 sqreen.io HTTP request with

   Sqreen Query Query DB Cache JSON Services Rails server Client Sqreen code request response Rails app code

8. Confidential & proprietary © Sqreen, 2015 sqreen.io Attack blocked by

   Sqreen Attack Error Query Sqreen backend Log
 event DB Cache Services Rails server Client Sqreen code Rails app code

9. Confidential & proprietary © Sqreen, 2015 sqreen.io Thanks early adopters,

   we owe you one! Our beta customers raised different concerns: 1. Average response time 2. CPU consumption (mostly machine facing APIs) 3. Memory usage 4. Bandwidth

10. Confidential & proprietary © Sqreen, 2015 sqreen.io Endless path to

    perf optimization Know what you are looking for Measure: understand precisely
 what need change Pareto law: 80% of execution time
 is spent in 20% of your code Change: just code it Evaluate: compare to previous measures Start over. Change Evaluate Measure

11. Confidential & proprietary © Sqreen, 2015 What about our Gem?

12. Confidential & proprietary © Sqreen, 2015 sqreen.io Sqreen code executed

    during a client request: doesn’t use network doesn’t interact with filesystem The decision to block is made in the application Back-end communication is performed in a dedicated thread Request processing Query

13. Confidential & proprietary © Sqreen, 2015 sqreen.io Asynchronous by design

    Sqreen worker Rails threads Sqreen thread request response Rails server Sqreen backend Sqreen code Rails / app code

14. Confidential & proprietary © Sqreen, 2015 sqreen.io 156ms Asynchronism benefits

    + X ms + XX % time 150ms 225ms + 0 % Default Dumb 0ms + 4 % Sqreen

15. Confidential & proprietary © Sqreen, 2015 sqreen.io Reduce I/O Bandwith

    Memory Requests Aggregate Strip Required? I/O

16. Confidential & proprietary © Sqreen, 2015 sqreen.io ExecJS call time

    ExecJS allows many runtimes: V8 (close to Pure Ruby) JSCore (OSX only) Node (ExecJS runs the Node binary) miliseconds 0 17,5 35 52,5 70 Pure Ruby V8 JSCore (OSX) Node

17. Confidential & proprietary © Sqreen, 2015 sqreen.io ExecJS memory usage

    Low memory usage But it leaks! @samsaffron helped a lot Can be solved using
 context recycling ExecJS should be 
 reset regularly memory (MB) 0 175 350 525 700 seconds 0 150 300 450 600

18. Confidential & proprietary © Sqreen, 2015 sqreen.io Optimize ExecJS use

    Reduce ExecJS spawn time Precompile everything Spawn ExecJS as less as possible We introduced pure Ruby pre-conditions Now the decision to call ExecJS is taken in Ruby

19. Confidential & proprietary © Sqreen, 2015 sqreen.io Minimize ExecJS overhead

    Perform analysis only on requests using a risky API Pick relevant methods The JS engine is spawned and performs further analysis Analyze Check if the API uses arguments that can be vulnerable Validate exposure If there is a security risk, we block the request and alert our back-end Alert & block if method.include?(watch_methods) if method_arg.include?(parameters) if ExecJS.is_an_attack? tell_thread_to_record_alert block_this_request end end end

20. Confidential & proprietary © Sqreen, 2015 sqreen.io Mem I/O CPU

    Band- width Reducing memory usage leads to smaller objects to be treated, faster garbage collection Memory Reducing CPU usage leads to overall faster process CPU Less bandwidth means less server occupation and leads to faster responses Bandwidth Reducing I/O reduces time needed for tasks I/O Virtuous circle of optimization

21. Confidential & proprietary © Sqreen, 2015 sqreen.io Benefits of multithreading

    144% (over dumb implementation)

22. Confidential & proprietary © Sqreen, 2015 sqreen.io -1000% Benefits of

    V8 (over Node runtime)

23. Confidential & proprietary © Sqreen, 2015 sqreen.io reduce leaks Benefits

    of recycling ExecJS context (garbage collection, overall memory usage…)

24. Confidential & proprietary © Sqreen, 2015 sqreen.io 
 just faster

    :) Benefits of pre-condition (less context recycling, less context switch…)

25. Confidential & proprietary © Sqreen, 2015 sqreen.io Client perf is

    not all about client How to reduce I/O time without changing the client? The exposed APIs need to respond faster We are applying the same method to our back-end

26. Confidential & proprietary © Sqreen, 2015 sqreen.io Set up your

    feedback loop Now, you should to monitor 
 your performances (automatically)! And do the same with Security ;) Keep on coding…