dd-trace-java

Report span metrics for Exploit Prevention

Open · ValentinZakharov opened this issue 1 year ago · 1 comment

What Does This Do

Added new span metrics for Exploit prevention:

  • _dd.appsec.rasp.duration - cumulative runtime in nanoseconds of every call to libddwaf through a RASP instrumentation within a request
  • _dd.appsec.rasp.duration_ext - cumulative runtime in nanoseconds of libddwaf calls plus bindings cost through RASP instrumentation within a request
  • _dd.appsec.rasp.rule.eval - counts the number of times libddwaf is called per request

Motivation

This is part of Exploit Prevention, to collect useful metrics for future analysis of effectiveness.

Additional Notes

Jira ticket: APPSEC-47228

ValentinZakharov · Jul 03 '24 11:07
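As an added illustration (not code from this PR or from dd-trace-java) of how the three metrics above can be accumulated: one accumulator per request wraps every RASP call site, times the native WAF call separately from the surrounding Java-to-WAF binding work so that `duration_ext` always covers at least `duration`, counts the calls, and tags the span once at request end. Only the three tag keys come from the PR; the `WafBridge` interface, the `RaspMetrics` class, the address names and the stand-in rule are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical per-request accumulator for the RASP span metrics named in the PR.
 * Not dd-trace-java's implementation: only the tag keys are taken from the PR text.
 */
public final class RaspMetricsExample {

    // Tag keys as named in the PR description.
    static final String DURATION_TAG = "_dd.appsec.rasp.duration";
    static final String DURATION_EXT_TAG = "_dd.appsec.rasp.duration_ext";
    static final String RULE_EVAL_TAG = "_dd.appsec.rasp.rule.eval";

    /** Assumed stand-in for the native libddwaf boundary (the real bindings are JNI). */
    interface WafBridge {
        boolean run(Map<String, String> wafParameters);
    }

    /** One accumulator per request; it lives as long as the request span. */
    static final class RaspMetrics {
        private long wafNanos;     // time spent inside libddwaf only
        private long wafExtNanos;  // libddwaf time plus Java<->WAF binding cost
        private long ruleEvals;    // number of libddwaf calls in this request

        /** Instrumentation entry point: marshal the Java value, call the WAF, record both timings. */
        boolean evaluate(String address, Object javaValue, WafBridge waf) {
            long extStart = System.nanoTime();
            Map<String, String> params = toWafParameters(address, javaValue); // binding cost
            long wafStart = System.nanoTime();
            boolean matched = waf.run(params);                                // libddwaf cost
            long wafEnd = System.nanoTime();
            wafNanos += wafEnd - wafStart;
            wafExtNanos += System.nanoTime() - extStart; // outer timer also covers the return path
            ruleEvals++;
            return matched;
        }

        /** At request end, attach the cumulative values to the request span's tags. */
        void tagSpan(Map<String, Object> spanTags) {
            if (ruleEvals == 0) {
                return; // no RASP call happened: leave the span untagged instead of reporting zeros
            }
            spanTags.put(DURATION_TAG, wafNanos);
            spanTags.put(DURATION_EXT_TAG, wafExtNanos);
            spanTags.put(RULE_EVAL_TAG, ruleEvals);
        }

        // Simulated marshalling of a Java value into the flat parameter map the WAF would receive.
        private static Map<String, String> toWafParameters(String address, Object value) {
            Map<String, String> params = new LinkedHashMap<>();
            params.put(address, String.valueOf(value));
            return params;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in WAF with a single toy rule; not a libddwaf rule set.
        WafBridge fakeWaf = params -> params.values().stream().anyMatch(v -> v.contains("../"));

        RaspMetrics metrics = new RaspMetrics();
        // Two simulated RASP call sites within one request (address names are illustrative).
        boolean m1 = metrics.evaluate("server.io.fs.file", "/var/app/uploads/report.pdf", fakeWaf);
        boolean m2 = metrics.evaluate("server.io.net.url", "http://internal.example/healthz", fakeWaf);

        Map<String, Object> spanTags = new LinkedHashMap<>();
        metrics.tagSpan(spanTags);

        System.out.println("matches: " + m1 + ", " + m2);
        spanTags.forEach((k, v) -> System.out.println(k + " = " + v));

        // Invariants a reviewer would check: duration_ext >= duration, rule.eval == call-site count.
        long d = (Long) spanTags.get(DURATION_TAG);
        long dExt = (Long) spanTags.get(DURATION_EXT_TAG);
        if (dExt < d || (Long) spanTags.get(RULE_EVAL_TAG) != 2L) {
            throw new IllegalStateException("metric invariants violated");
        }
    }
}
```

Keeping the two timers nested (outer around marshalling and the call, inner around the call alone) is what makes the `duration_ext - duration` difference a direct read of binding overhead; reporting the values only once at request end keeps the span tags cumulative per request, as the PR describes.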

Benchmarks

Startup

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-07-03T15:19:51 | 2024-07-03T15:26:41 |
| git_branch | master | vzakharov/rasp_span_metrics2 |
| git_commit_date | 1720015951 | 1720018868 |
| git_commit_sha | 1496a6cfd7 | 176164bb57 |
| release_version | 1.37.0-SNAPSHOT~1496a6cfd7 | 1.37.0-SNAPSHOT~176164bb57 |
| start_time | 2024-07-03T15:19:37 | 2024-07-03T15:26:28 |

See matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1720020746 | 1720020746 |
| ci_job_id | 561392185 | 561392185 |
| ci_pipeline_id | 38266151 | 38266151 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for petclinic

```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.37.0-SNAPSHOT~176164bb57, baseline=1.37.0-SNAPSHOT~1496a6cfd7
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.339 ms) : 1319, 1360
.   : milestone, 1339,
appsec (1.731 ms) : 1709, 1754
.   : milestone, 1731,
appsec_no_iast (1.738 ms) : 1713, 1762
.   : milestone, 1738,
iast (1.488 ms) : 1466, 1511
.   : milestone, 1488,
profiling (1.508 ms) : 1482, 1535
.   : milestone, 1508,
tracing (1.485 ms) : 1461, 1509
.   : milestone, 1485,
section candidate
no_agent (1.352 ms) : 1332, 1371
.   : milestone, 1352,
appsec (1.728 ms) : 1704, 1753
.   : milestone, 1728,
appsec_no_iast (1.728 ms) : 1704, 1752
.   : milestone, 1728,
iast (1.464 ms) : 1442, 1487
.   : milestone, 1464,
profiling (1.499 ms) : 1476, 1523
.   : milestone, 1499,
tracing (1.458 ms) : 1434, 1483
.   : milestone, 1458,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.339 ms [1.319 ms, 1.36 ms] | - |
| appsec | 1.731 ms [1.709 ms, 1.754 ms] | 392.071 µs (29.3%) |
| appsec_no_iast | 1.738 ms [1.713 ms, 1.762 ms] | 398.081 µs (29.7%) |
| iast | 1.488 ms [1.466 ms, 1.511 ms] | 149.011 µs (11.1%) |
| profiling | 1.508 ms [1.482 ms, 1.535 ms] | 168.962 µs (12.6%) |
| tracing | 1.485 ms [1.461 ms, 1.509 ms] | 145.267 µs (10.8%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.352 ms [1.332 ms, 1.371 ms] | - |
| appsec | 1.728 ms [1.704 ms, 1.753 ms] | 376.366 µs (27.8%) |
| appsec_no_iast | 1.728 ms [1.704 ms, 1.752 ms] | 376.662 µs (27.9%) |
| iast | 1.464 ms [1.442 ms, 1.487 ms] | 112.552 µs (8.3%) |
| profiling | 1.499 ms [1.476 ms, 1.523 ms] | 147.507 µs (10.9%) |
| tracing | 1.458 ms [1.434 ms, 1.483 ms] | 106.792 µs (7.9%) |
Request duration reports for insecure-bank

```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.37.0-SNAPSHOT~176164bb57, baseline=1.37.0-SNAPSHOT~1496a6cfd7
    dateFormat X
    axisFormat %s
section baseline
no_agent (370.469 µs) : 351, 390
.   : milestone, 370,
iast (489.819 µs) : 469, 511
.   : milestone, 490,
iast_FULL (553.771 µs) : 533, 575
.   : milestone, 554,
iast_GLOBAL (505.246 µs) : 483, 527
.   : milestone, 505,
iast_HARDCODED_SECRET_DISABLED (478.079 µs) : 457, 499
.   : milestone, 478,
iast_INACTIVE (456.285 µs) : 435, 478
.   : milestone, 456,
iast_TELEMETRY_OFF (476.801 µs) : 455, 498
.   : milestone, 477,
tracing (444.382 µs) : 424, 465
.   : milestone, 444,
section candidate
no_agent (366.486 µs) : 347, 386
.   : milestone, 366,
iast (475.816 µs) : 455, 497
.   : milestone, 476,
iast_FULL (551.899 µs) : 531, 573
.   : milestone, 552,
iast_GLOBAL (504.101 µs) : 483, 525
.   : milestone, 504,
iast_HARDCODED_SECRET_DISABLED (482.819 µs) : 461, 504
.   : milestone, 483,
iast_INACTIVE (459.12 µs) : 437, 481
.   : milestone, 459,
iast_TELEMETRY_OFF (468.948 µs) : 448, 490
.   : milestone, 469,
tracing (441.011 µs) : 420, 462
.   : milestone, 441,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 370.469 µs [350.527 µs, 390.411 µs] | - |
| iast | 489.819 µs [468.719 µs, 510.919 µs] | 119.35 µs (32.2%) |
| iast_FULL | 553.771 µs [532.698 µs, 574.844 µs] | 183.302 µs (49.5%) |
| iast_GLOBAL | 505.246 µs [482.999 µs, 527.493 µs] | 134.777 µs (36.4%) |
| iast_HARDCODED_SECRET_DISABLED | 478.079 µs [456.859 µs, 499.3 µs] | 107.61 µs (29.0%) |
| iast_INACTIVE | 456.285 µs [434.585 µs, 477.985 µs] | 85.816 µs (23.2%) |
| iast_TELEMETRY_OFF | 476.801 µs [455.233 µs, 498.369 µs] | 106.332 µs (28.7%) |
| tracing | 444.382 µs [423.535 µs, 465.229 µs] | 73.913 µs (20.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 366.486 µs [347.002 µs, 385.97 µs] | - |
| iast | 475.816 µs [454.751 µs, 496.88 µs] | 109.329 µs (29.8%) |
| iast_FULL | 551.899 µs [531.065 µs, 572.733 µs] | 185.413 µs (50.6%) |
| iast_GLOBAL | 504.101 µs [483.092 µs, 525.11 µs] | 137.615 µs (37.5%) |
| iast_HARDCODED_SECRET_DISABLED | 482.819 µs [461.395 µs, 504.243 µs] | 116.333 µs (31.7%) |
| iast_INACTIVE | 459.12 µs [436.949 µs, 481.29 µs] | 92.634 µs (25.3%) |
| iast_TELEMETRY_OFF | 468.948 µs [447.924 µs, 489.973 µs] | 102.462 µs (28.0%) |
| tracing | 441.011 µs [420.385 µs, 461.638 µs] | 74.525 µs (20.3%) |

Dacapo

pr-commenter[bot] · Jul 03 '24 13:07