A Side-channel Attack on HotSpot Heap Management. Xiaofeng Wu, Kun Suo, Yong Zhao, Jia Rao The University of Texas at Arlington

Similar documents
Dynamic Vertical Memory Scalability for OpenJDK Cloud Applications

JVM Memory Model and GC

Java Performance Tuning

Preserving I/O Prioritization in Virtualized OSes

Java Application Performance Tuning for AMD EPYC Processors

Optimising Multicore JVMs. Khaled Alnowaiser

NG2C: Pretenuring Garbage Collection with Dynamic Generations for HotSpot Big Data Applications

MEMORY MANAGEMENT HEAP, STACK AND GARBAGE COLLECTION

Performance Tuning ScrumWorks Pro Server

Fundamentals of GC Tuning. Charlie Hunt JVM & Performance Junkie

2011 Oracle Corporation and Affiliates. Do not re-distribute!

Typical Issues with Middleware

Runtime Application Self-Protection (RASP) Performance Metrics

HBase Practice At Xiaomi.

Oracle JRockit. Performance Tuning Guide Release R28 E

How to keep capacity predictions on target and cut CPU usage by 5x

Attila Szegedi, Software

Continuous Object Access Profiling and Optimizations to Overcome the Memory Wall and Bloat

JVM Troubleshooting MOOC: Troubleshooting Memory Issues in Java Applications

Efficient Runtime Tracking of Allocation Sites in Java

OS-caused Long JVM Pauses - Deep Dive and Solutions

IBM Cognos ReportNet and the Java Heap

Enabling Java-based VoIP backend platforms through JVM performance tuning

Java Performance Tuning From A Garbage Collection Perspective. Nagendra Nagarajayya MDE

JVM Performance Tuning with respect to Garbage Collection(GC) policies for WebSphere Application Server V6.1 - Part 1

The Fundamentals of JVM Tuning

Low latency & Mechanical Sympathy: Issues and solutions

Shenandoah An ultra-low pause time Garbage Collector for OpenJDK. Christine H. Flood Roman Kennke

JVM Performance Study Comparing Java HotSpot to Azul Zing Using Red Hat JBoss Data Grid

Part I Garbage Collection Modeling: Progress Report

Preemptive, Low Latency Datacenter Scheduling via Lightweight Virtualization

Java performance - not so scary after all

Limits of Parallel Marking Garbage Collection....how parallel can a GC become?

New Java performance developments: compilation and garbage collection

Java Platform, Standard Edition HotSpot Virtual Machine Garbage Collection Tuning Guide. Release 10

G1 Garbage Collector Details and Tuning. Simone Bordet

An Analysis and Empirical Study of Container Networks

Lesson 2 Dissecting Memory Problems

PERFORMANCE ANALYSIS AND OPTIMIZATION OF SKIP LISTS FOR MODERN MULTI-CORE ARCHITECTURES

Identifying the Sources of Cache Misses in Java Programs Without Relying on Hardware Counters. Hiroshi Inoue and Toshio Nakatani IBM Research - Tokyo

Version 6.x Deployment Note. Performance Tuning Guide

Exploiting the Behavior of Generational Garbage Collector

An Empirical Analysis of Java Performance Quality

Do Your GC Logs Speak To You

THE TROUBLE WITH MEMORY

Azul Systems, Inc.

JDK 9/10/11 and Garbage Collection

JAVA PERFORMANCE. PR SW2 S18 Dr. Prähofer DI Leopoldseder

Distributed caching for cloud computing

Garbage Collection. Hwansoo Han

The G1 GC in JDK 9. Erik Duveblad Senior Member of Technical Staf Oracle JVM GC Team October, 2017

Dynamic Selection of Application-Specific Garbage Collectors

Configuring the Heap and Garbage Collector for Real- Time Programming.

Java Garbage Collection Best Practices For Tuning GC

Ryan Sciampacone Senior Software Developer August 1 st Multitenant JVM. JVM Languages Summit IBM Corporation

Concurrent Garbage Collection

Towards Garbage Collection Modeling

Towards High Performance Processing in Modern Java-based Control Systems. Marek Misiowiec Wojciech Buczak, Mark Buttner CERN ICalepcs 2011

Garbage collection. The Old Way. Manual labor. JVM and other platforms. By: Timo Jantunen

Eleos: Exit-Less OS Services for SGX Enclaves

Diagnostics in Testing and Performance Engineering

Generational Garbage Collection Theory and Best Practices

Java Garbage Collector Performance Measurements

On The Limits of Modeling Generational Garbage Collector Performance

Java & Coherence Simon Cook - Sales Consultant, FMW for Financial Services

Page 2 of 6 SUT Model Form Factor CPU CPU Characteristics Number of Systems 1 Nodes Per System 1 Chips Per System 2 Hardware hw_1 Cores Per System 44

Algorithms for Dynamic Memory Management (236780) Lecture 4. Lecturer: Erez Petrank

Installing on WebLogic Server

Towards Parallel, Scalable VM Services

The C4 Collector. Or: the Application memory wall will remain until compaction is solved. Gil Tene Balaji Iyengar Michael Wolf

Vertical Profiling: Understanding the Behavior of Object-Oriented Applications

NUMA in High-Level Languages. Patrick Siegler Non-Uniform Memory Architectures Hasso-Plattner-Institut

High Performance Managed Languages. Martin Thompson

Task-Aware Garbage Collection in a Multi-Tasking Virtual Machine

JBoss Performance Tuning. Bill Meyer JBoss Sr. Solutions Architect

Running class Timing on Java HotSpot VM, 1

A JVM Does What? Eva Andreasson Product Manager, Azul Systems

JVM Performance Study Comparing Oracle HotSpot and Azul Zing Using Apache Cassandra

Habanero Extreme Scale Software Research Project

Cross-Layer Memory Management for Managed Language Applications

Heap Compression for Memory-Constrained Java

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Hierarchical PLABs, CLABs, TLABs in Hotspot

CS533 Concepts of Operating Systems. Jonathan Walpole

Java Memory Management. Märt Bakhoff Java Fundamentals

Designing experiments Performing experiments in Java Intel s Manycore Testing Lab

Java Without the Jitter

Garbage Collection (aka Automatic Memory Management) Douglas Q. Hawkins. Why?

CS 345. Garbage Collection. Vitaly Shmatikov. slide 1

Toward SLO Complying SSDs Through OPS Isolation

AS-GC: An Efficient Generational Garbage Collector for Java Application Servers

Service Execution Platform WebOTX To Support Cloud Computing


Cross-Layer Memory Management to Reduce DRAM Power Consumption

Compiler construction 2009

Chapter 4. The Processor

Towards information-flow aware automatic memory management

Acknowledgements These slides are based on Kathryn McKinley s slides on garbage collection as well as E Christopher Lewis s slides

10/26/2017 Universal Java GC analysis tool - Java Garbage collection log analysis made easy

Exploiting FIFO Scheduler to Improve Parallel Garbage Collection Performance

Transcription:

A Side-channel Attack on HotSpot Heap Management Xiaofeng Wu, Kun Suo, Yong Zhao, Jia Rao The University of Texas at Arlington HotCloud 18 July 9, 2018 1

Side-Channel Attack Attack based on information gained from the implementation of a computer system Shared cache Timing Power consumption Acoustic measurement Steal or infer secrets Infer user activities to launch well-timedattack Attack shared clock in multi-tenant systems to manipulate users time measurement 2

Garbage Collection in HotSpot JVM Parallel Scavenge eden s0 s1 young gen old gen : Minor GC : Major GC Other threads Stop The World VM thread GC threads VM thread Other threads.......... Each individual GC shouldn t take too long large heap Total time spent in GC shouldn t be too much small heap, too frequent GC 3

Adaptive Heap Sizing in PS GC Three objectives Meet pause time target Meet throughput goal Minimize memory footprint JVM automatically determines the heap size in the range of the initial (-Xms) and the maximum (-Xmx) heap sizes Pause time Throughput Footprint Shrink heap Expand heap Shrink heap Time is used as an indirect measure for memory efficiency 4

Minor and Major GC T1 Vulnerability T2 Mem alloc failure Minor GC Fail Check free space in Old Gen Not enough Major GC Fail 1st Alloc in Young Gen Fail Minor GC Major GC Minor GC T3 Major GC T4 step must be performed 2nd Alloc in Young Gen Fail 3rd Alloc in Old Gen Fail Major GC Major GC Minor GC cost = T2 / ( T1+T2 ) Major GC cost = T4 / ( T3+T4 ) Minor time Major time Minor GC time Major GC time step may be performed 5th Alloc in Old Gen Fail Fail 4th Alloc in Young Gen Out of Memory JVM infers heap efficiency based on measured lengths of minor and major GCs, and adjusts heap size accordingly JVM throws an out-of-memory (OOM) error if five GCs fail to resolve the memory allocation failure 5

Shared Clock GC starts JVM is running 1 2 3 JVM is not running JVM is running GC ends 1 + 2 + 3 = wall-clock time 1 + 3 = virtual time Measured GC time gettimeofday() gettimeofday() Time measurement can be inaccurate in the presenceof CPUmultiplexing 6

Three Types of Attacks Cause OOM errors Prevent JVM from expanding the heap in 5 GCs Cause excessive GC Cause bloated heap 7

OOM Attack Attack pausetime target When there is a spike in memory demand and allocation failure, attack major GC measurement Dilated major GC time cause the heap to shrink, missing the opportunity to avoid OOMerrors Pause time Throughput Shrink heap Expand heap Footprint Shrink heap 8

Excessive GC Attack T1 T2 T5 Minor GC Major GC Minor GC Minor GC Major GC T3 T4 T6 T1 T2 T5 Minor GC Major GC Minor GC Minor GC Major GC T3 T4 T6 Similar to OOM attack but more general Targetmajor GC, dilate its time Old generation have a tendency to drop quickly, and the decrement of heap size results in more GCs 9

<latexit sha1_base64="rjym03mwzs1hdtq10uc/ee8jsga=">aaacbnicbvdlsgmxfm3uv62vuzcibisgcgwmclorim5cvpg+ob1kjs10qjpjkgsemszkjb/ixouibv0gd/6natslbt1w4xdovstnbamjsjvot1vawv1b3yhvvra2d3b37p2dthkpxksfbroygybfgowkpalmpjtigukaku4wvp36nqcifrxc05oe+deacrpsjlsrbvaxf0mrjqik1faa9kojcoa5uzlzr54p7kptc2aay8qtsbuuaa7sr/5q4dqmxgogloq5tql9delnmsn5pz8qkia8ripsm5sjmcg/m8xi4alrhjau0gzxckb+vshqrnqkdsxmjhskfr2p+j/xs3v45weum5ce4/ldycqgfndacrxssbbme0mqltt8feiimsq0aa5isnaxiy+tdr3mojx3/qlaucnqkimjcalogasuqqpcgszoaqwewtn4bw/wk/vivvsf89wsvdwcgj+wpn8a/xqyjw==</latexit> <latexit sha1_base64="rjym03mwzs1hdtq10uc/ee8jsga=">aaacbnicbvdlsgmxfm3uv62vuzcibisgcgwmclorim5cvpg+ob1kjs10qjpjkgsemszkjb/ixouibv0gd/6natslbt1w4xdovstnbamjsjvot1vawv1b3yhvvra2d3b37p2dthkpxksfbroygybfgowkpalmpjtigukaku4wvp36nqcifrxc05oe+deacrpsjlsrbvaxf0mrjqik1faa9kojcoa5uzlzr54p7kptc2aay8qtsbuuaa7sr/5q4dqmxgogloq5tql9delnmsn5pz8qkia8ripsm5sjmcg/m8xi4alrhjau0gzxckb+vshqrnqkdsxmjhskfr2p+j/xs3v45weum5ce4/ldycqgfndacrxssbbme0mqltt8feiimsq0aa5isnaxiy+tdr3mojx3/qlaucnqkimjcalogasuqqpcgszoaqwewtn4bw/wk/vivvsf89wsvdwcgj+wpn8a/xqyjw==</latexit> <latexit sha1_base64="rjym03mwzs1hdtq10uc/ee8jsga=">aaacbnicbvdlsgmxfm3uv62vuzcibisgcgwmclorim5cvpg+ob1kjs10qjpjkgsemszkjb/ixouibv0gd/6natslbt1w4xdovstnbamjsjvot1vawv1b3yhvvra2d3b37p2dthkpxksfbroygybfgowkpalmpjtigukaku4wvp36nqcifrxc05oe+deacrpsjlsrbvaxf0mrjqik1faa9kojcoa5uzlzr54p7kptc2aay8qtsbuuaa7sr/5q4dqmxgogloq5tql9delnmsn5pz8qkia8ripsm5sjmcg/m8xi4alrhjau0gzxckb+vshqrnqkdsxmjhskfr2p+j/xs3v45weum5ce4/ldycqgfndacrxssbbme0mqltt8feiimsq0aa5isnaxiy+tdr3mojx3/qlaucnqkimjcalogasuqqpcgszoaqwewtn4bw/wk/vivvsf89wsvdwcgj+wpn8a/xqyjw==</latexit> <latexit sha1_base64="rjym03mwzs1hdtq10uc/ee8jsga=">aaacbnicbvdlsgmxfm3uv62vuzcibisgcgwmclorim5cvpg+ob1kjs10qjpjkgsemszkjb/ixouibv0gd/6natslbt1w4xdovstnbamjsjvot1vawv1b3yhvvra2d3b37p2dthkpxksfbroygybfgowkpalmpjtigukaku4wvp36nqcifrxc05oe+deacrpsjlsrbvaxf0mrjqik1faa9kojcoa5uzlzr54p7kptc2aay8qtsbuuaa7sr/5q4dqmxgogloq5tql9delnmsn5pz8qkia8ripsm5sjmcg/m8xi4alrhjau0gzxckb+vshqrnqkdsxmjhskfr2p+j/xs3v45weum5ce4/ldycqgfndacrxssbbme0mqltt8feiimsq0aa5isnaxiy+tdr3mojx3/qlaucnqkimjcalogasuqqpcgszoaqwewtn4bw/wk/vivvsf89wsvdwcgj+wpn8a/xqyjw==</latexit> <latexit sha1_base64="iz8fzpfeaeztvvcsmzjyvjlopic=">aaacdnicbvdlssnafj3uv62vqes3g6uoccupgm6eohuxfdihtlfmppnm6gqszizccfkcn/6kgxekuhxtzr9x0mahrqcuhm65l5lzvjhrqszr2yitrk6tb5q3k1vbo7t75v5br0ajwksnixajnockyzsttqkkkv4scao9rrre5cb3uw9esbpxr01j4ozozklpmvjagpo1jxbrmg7irn2njxm8ggnfijw6dqbnzgnkajy0q1bdmgeue7sgvvcgnts/bqmijyhhcjmkzd+2yuwmscikgckqg0ssgoejgpo+phyfrlrple4ga1ozqt8sericm/x3rypckaehpzddpak56oxif14/uf6lm1kuwxko5w/5cymqgnk3ceqfwypnnufyup1xiaok61c6wyouwv6mvew6jbpt1e2782rzuqijdi7amtgfnrgatxalwqanmhgez+avvblpxovxbnzmv0tgcxmi/sd4/aem/ztx</latexit> <latexit sha1_base64="iz8fzpfeaeztvvcsmzjyvjlopic=">aaacdnicbvdlssnafj3uv62vqes3g6uoccupgm6eohuxfdihtlfmppnm6gqszizccfkcn/6kgxekuhxtzr9x0mahrqcuhm65l5lzvjhrqszr2yitrk6tb5q3k1vbo7t75v5br0ajwksnixajnockyzsttqkkkv4scao9rrre5cb3uw9esbpxr01j4ozozklpmvjagpo1jxbrmg7irn2njxm8ggnfijw6dqbnzgnkajy0q1bdmgeue7sgvvcgnts/bqmijyhhcjmkzd+2yuwmscikgckqg0ssgoejgpo+phyfrlrple4ga1ozqt8sericm/x3rypckaehpzddpak56oxif14/uf6lm1kuwxko5w/5cymqgnk3ceqfwypnnufyup1xiaok61c6wyouwv6mvew6jbpt1e2782rzuqijdi7amtgfnrgatxalwqanmhgez+avvblpxovxbnzmv0tgcxmi/sd4/aem/ztx</latexit> <latexit sha1_base64="iz8fzpfeaeztvvcsmzjyvjlopic=">aaacdnicbvdlssnafj3uv62vqes3g6uoccupgm6eohuxfdihtlfmppnm6gqszizccfkcn/6kgxekuhxtzr9x0mahrqcuhm65l5lzvjhrqszr2yitrk6tb5q3k1vbo7t75v5br0ajwksnixajnockyzsttqkkkv4scao9rrre5cb3uw9esbpxr01j4ozozklpmvjagpo1jxbrmg7irn2njxm8ggnfijw6dqbnzgnkajy0q1bdmgeue7sgvvcgnts/bqmijyhhcjmkzd+2yuwmscikgckqg0ssgoejgpo+phyfrlrple4ga1ozqt8sericm/x3rypckaehpzddpak56oxif14/uf6lm1kuwxko5w/5cymqgnk3ceqfwypnnufyup1xiaok61c6wyouwv6mvew6jbpt1e2782rzuqijdi7amtgfnrgatxalwqanmhgez+avvblpxovxbnzmv0tgcxmi/sd4/aem/ztx</latexit> <latexit sha1_base64="iz8fzpfeaeztvvcsmzjyvjlopic=">aaacdnicbvdlssnafj3uv62vqes3g6uoccupgm6eohuxfdihtlfmppnm6gqszizccfkcn/6kgxekuhxtzr9x0mahrqcuhm65l5lzvjhrqszr2yitrk6tb5q3k1vbo7t75v5br0ajwksnixajnockyzsttqkkkv4scao9rrre5cb3uw9esbpxr01j4ozozklpmvjagpo1jxbrmg7irn2njxm8ggnfijw6dqbnzgnkajy0q1bdmgeue7sgvvcgnts/bqmijyhhcjmkzd+2yuwmscikgckqg0ssgoejgpo+phyfrlrple4ga1ozqt8sericm/x3rypckaehpzddpak56oxif14/uf6lm1kuwxko5w/5cymqgnk3ceqfwypnnufyup1xiaok61c6wyouwv6mvew6jbpt1e2782rzuqijdi7amtgfnrgatxalwqanmhgez+avvblpxovxbnzmv0tgcxmi/sd4/aem/ztx</latexit> Memory Bloat Attack T1 T2 Minor GC T5 Major GC Minor GC Minor GC Major GC Violatethroughput target T3 T4 T6 Pause time Shrink heap T1 T2 T5 Minor GC Major GC Minor GC Minor GC Major GC Throughput Footprint Expand heap Shrink heap X T3 T4 T6 Throughput = T 1 T 1+T 2 Throughput 0 = T 1 T 1+T 2 0 Attack minor GC to prevent the heap from shrinking evenmemory demand drops 10

Launch Attacks Proof-of-concept attacks Modify JVM source code to manipulate GC time in the adaptive sizing algorithm Realistic attacks Use ebpf to monitor libjvm.so to obtain GC thread ID and slowdown a specific type of GC Use cgroup to limit the CPU usage of GC threads and hence dilate GC time Results Crash a Java-based micro-benchmark with OOM errors Cause ~65% more GC time in DaCapo Inflict up to ~400% memory bloat in SPECjvm2008 11

OOM Attack Attack major GC measurement JAVA_OPTION= -XX:+UseAdaptiveSizePolicy -XX:+UseParallelGC -XX:+UseParallelOldGC -XX:ParallelGCThreads=10 -Xms = 32m -Xmx = 2g Both proof-of-concept and realistic attacks crash the micro-benchmark ArrayDeque 50 Bytes 20 MB A micro-benchmark with a sudden spike in memory demand Pause time Throughput Shrink heap Expand heap Footprint Shrink heap 12

Discussion Essence of the problem Heap size should be determined by the characteristics of a Java program But heap efficiency is measured by GC time, an indirect measure ExternalCPU contention can affect internal heap management Many programs designed for dedicated systems are vulnerable to similarattacks in multi-tenant systems CPU multiplexing à wall-clock time or virtual time? VMs, containers, conventional processes Linux jiffies and userspace gettimeofday track wall-clock time Linux CFS usessteal_clock to track virtual time for thread scheduling See our [Suo-SoCC17] paper for another issuecausedby time discontinuity 13

Is this a real problem? No No evidence that many applications suffer from inaccurate time measurement. Even so, the effect is random and universally distributed among applications. Ourattack is sophisticated and needs to target a specific type of GC, not easy. Should we devise a completely isolated virtual time interface for individual programs/vms/containers? Yes In theory, if not measuring absolute latency, time measurement that is only relevant to a particular program or to measure the relative progress of program threads, should usevirtual time This could be the source of erroneous program behavior, unpredictability and inefficiency 14

Thank you! Questions? xiaofeng.wu@mavs.uta.edu 15

Backup Slides 16

A Realistic Attack All experiments were conducted on a 64-core machine using OpenJDK 1.8 and Linux 4.15.0. The JVM was configured with 10 GC threads. Benchmark Dacapo: h2 SPECjvm2008: mpegaudio 17

Pause time-oriented Attack (excessive GC) A realistic attack usingebpf Benchmark: h2 from Dacapo The initial and maximum heap sizes: 16 MB and 900 MB The maximum pause time is set to 100 ms The attack shrinks the heap, causing 88% more GC time 18

Cont d - Pause time-oriented We choose h2 from Dacapo-9.12-MR1-bach as a case study execute a number of transactions set the maximum pause time as 100 ms The overhead induced by the pause time-oriented attack to the micro-benchmark. 19

Cont d - Throughput-oriented (a) Changes of heap size without attack ArrayDeque 50 Bytes -Xms32m -Xmx32g Heap size is 1.61 larger Size (MB) 1600 1400 1200 1000 800 600 400 200 0 Used heap before GC Used heap after GC Heap size 0 2 4 6 8 10 12 14 Time (s) (b) Changes of heap size under attack pause time throughput footprint reduce generation increase generation reduce generation Size (MB) 1600 1400 1200 1000 800 600 400 200 0 0 2 4 6 8 10 12 14 20 Time (s)

Throughput-oriented Attack (memory bloat) w/o attack (a) Changes of heap size without attack Size (MB) 900 800 700 600 500 400 300 200 100 0 Used heap before GC Used heap after GC Heap size 50 100 150 200 250 300 350 400 A realistic attack usingebpf mpegaudio from SPECjvm2008 The initial and maximum heap sizes: 32 MB and 2.5GB Time (s) under attack (b) Changes of heap size under attack Size (MB) 900 800 700 600 500 400 300 200 100 0 50 100 150 200 250 300 350 400 Time (s) The attack prevents the heap fromshrinking when memory demand drops, causing more than 400% waste of memory 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback