launch phosphor from a java program about phosphor HOT 8 CLOSED

Can you post more details (e.g. minimal code example) that show this? There should be no problem doing this with ProcessBuilder - it’s probably related to the arguments provided when launching (assuming that you have already deduced that this is not indeed the actual overhead that would be seen on this workload/configuration).

On Aug 4, 2016, at 8:10 PM, BihuanChen [email protected] wrote:

Hello,

I was trying to use phosphor from a java program to get the collected taint results.
Since phosphor needs to run with an instrumented jre, I ran phosphor via ProcessBuilder to setup a new JVM. However, this results in 20X performance overhead.

I am wondering if there is more efficient way to launch phosphor from a java program.

Thanks.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub https://github.com/Programming-Systems-Lab/phosphor/issues/23, or mute the thread https://github.com/notifications/unsubscribe-auth/ACCBCsr1S61FGrLuHj0AN2qcQuGl5tgXks5qctO_gaJpZM4JdYmh.

from phosphor.

Hi Jon,

I am using Phosphor with controlTrack enabled.

I ran the following program that needs the two jars in jar.zip with the instrumented jre. Here the performance overhead was around 4-5 ms.

package phosphor.test;

import replace.Replace;

public class TaintRunner {

    public static void main(String[] args) {
        long t = System.currentTimeMillis();
        new Replace().mainProcess('a', '2', '&', 'a', 'a');
        System.out.println(System.currentTimeMillis() - t);
    }

}

I also ran the previous example with ProcessBuilder with the normal jre. Here the performance overhead was more than 200 ms.

import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;

public class StartNewJVM {

    public static void main(String[] args) throws IOException, InterruptedException, ClassNotFoundException {       
        long t1 = System.currentTimeMillis();

        String path = "/home/bhchen/Desktop/phosphor/jre-inst-p-cf/bin/java";
        String bootClassPath = "-Xbootclasspath/a:/home/bhchen/Desktop/phosphor/Phosphor-0.0.2-SNAPSHOT.jar:/home/bhchen/Desktop/phosphor/lib-inst-p-cf/melt-dummy.jar:/home/bhchen/Desktop/phosphor/lib-inst-p-cf/benchmark4.jar";
        String classPath = "/home/bhchen/Desktop/phosphor/phosphor-test.jar"; // TaintRunner

        ProcessBuilder processBuilder = new ProcessBuilder(path, bootClassPath, "-cp", classPath, "phosphor.test.TaintRunner");
        processBuilder.redirectErrorStream(true);
        processBuilder.redirectOutput(new File(System.getProperty("java.io.tmpdir") + "/output"));
        Process process = processBuilder.start();

        BufferedInputStream in = new BufferedInputStream(process.getInputStream());
        byte[] bytes = new byte[4096];
        while (in.read(bytes) != -1) {}
        in.close();

        long t2 = System.currentTimeMillis();

        process.waitFor();

        long t3 = System.currentTimeMillis();
        System.out.println(t2 - t1);
        System.out.println(t3 - t2);
    }

}

from phosphor.

Maybe I am not understanding. You are saying that the overhead of starting a new process on your machine regardless of phosphor is ~196ms? That is not really something that I am able to change with phosphor. If you are trying to start hundreds/thousands of new processes in rapid succession, yes, you will see a problem. Maybe a better approach would be to start up a JVM that is instrumented and communicate with it from your other process to kick off code running in it.

Sent from my iPhone

On Aug 6, 2016, at 10:39 PM, BihuanChen [email protected] wrote:

Hi Jon,

I am using Phosphor with controlTrack enabled.

I ran the following program that needs the two jars in jar.zip [ github.com/Programming-Systems-Lab/phosphor/files/405365/jar.zip ] with the instrumented jre. Here the performance overhead was around 4-5 ms.

package phosphor.test;

import replace.Replace;

public class TaintRunner {

public static void main(String[] args) {
    long t = System.currentTimeMillis();
    new Replace().mainProcess('a', '2', '&', 'a', 'a');
    System.out.println(System.currentTimeMillis() - t);
}

}
I also ran the previous example with ProcessBuilder with the normal jre. Here the performance overhead was more than 200 ms.

import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;

public class StartNewJVM {

public static void main(String[] args) throws IOException, InterruptedException, ClassNotFoundException {       
    long t1 = System.currentTimeMillis();

    String path = "/home/bhchen/Desktop/phosphor/jre-inst-p-cf/bin/java";
    String bootClassPath = "-Xbootclasspath/a:/home/bhchen/Desktop/phosphor/Phosphor-0.0.2-SNAPSHOT.jar:/home/bhchen/Desktop/phosphor/lib-inst-p-cf/melt-dummy.jar:/home/bhchen/Desktop/phosphor/lib-inst-p-cf/benchmark4.jar";
    String classPath = "/home/bhchen/Desktop/phosphor/phosphor-test.jar"; // TaintRunner

    ProcessBuilder processBuilder = new ProcessBuilder(path, bootClassPath, "-cp", classPath, "phosphor.test.TaintRunner");
    processBuilder.redirectErrorStream(true);
    processBuilder.redirectOutput(new File(System.getProperty("java.io.tmpdir") + "/output"));
    Process process = processBuilder.start();

    BufferedInputStream in = new BufferedInputStream(process.getInputStream());
    byte[] bytes = new byte[4096];
    while (in.read(bytes) != -1) {}
    in.close();

    long t2 = System.currentTimeMillis();

    process.waitFor();

    long t3 = System.currentTimeMillis();
    System.out.println(t2 - t1);
    System.out.println(t3 - t2);
}

}
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

from phosphor.

Starting the process (t2 - t1) is pretty fast (less than 1 ms), while running the process, i.e., invoking phosphor with instrumented jre (t3 - t2), needs around 200 ms. This means, if we ran phosphor with ProcessBuilder, its overhead increased from 4 ms to 200 ms. This overhead may be related to the implementation of ProcessBuilder.

Anyway, to use phosphor to support some automated analysis (e.g., testing or security), an efficient mechanism to communicate with the normal JVM and the instrumented JVM is needed. ProcessBuilder seems not a good option here.

I also tried to run phosphor as a service (similar to your suggested solution), i.e., once I have a program to do taint analysis, I communicate with the instrumented JVM to run the program and get the taint result. The problem with this solution is that, the taint result of the same program with different input may interfere with each other. From my understanding, this is because the instrumented JVM is always running and taint info may accumulate along the way? Due to this accumulation, the overhead will also increase along the way?

For example, the taint result of the following program is Taint [lbl=null deps = [x y ]] Taint [lbl=null deps = [x y ]]. If we run test(-1, -1) and test(1, 1) separately, the taint result is Taint [lbl=null deps = [x y ]] and Taint [lbl=null deps = [y ]] respectively.

import edu.columbia.cs.psl.phosphor.runtime.MultiTainter;

public class Test {

    public static int test(int x, int y) {
        int result = 0;
        x = MultiTainter.taintedInt(x, "x");
        y = MultiTainter.taintedInt(y, "y");
        if (x > 0 || y > 0) {
            result += 1;
            if (y > 0) {
                result += 2;
            } else {
                result += 4;
            }
        } else {
            result += 8;
        }
        System.out.println(MultiTainter.getTaint(result));
        return result;
    }

    public static void main(String[] args) {
        test(-1, -1);
        test(1, 1);
    }

}

from phosphor.

I see. So, just as an FYI - the problem here has nothing to do with ProcessBuilder, and instead is rather just the overhead of starting up a new Phosphor-instrumented JRE (especially if it's control track enabled).

Your best bet might be to hack up some way to clear out all taints from the JVM and start fresh. A simple implementation would traverse all static fields of all loaded classes (using reflection) and clear out every single taint between experiments (note that to be complete, for every object field you encounter you would need to traverse all of its fields and clear those taint marks too). Assuming there are no bugs in the Phosphor reflection interception code, this should be pretty easy.

An alternative approach might be to try to maintain a master queue of all taints (e.g. whenever a new Taint() is created, add it to the queue), and then in between each experiment, clear the label and dependencies for each enqueued taint. Your performance between these two approaches would probably vary with the workload - the first has a higher cost between experiments but no additional work within each experiment, and the latter has probably a lower cost between experiments, but adds an overhead to taint creation.

from phosphor.

I'm closing this from inactivity.

from phosphor.

I use the second suggested approach, and it works well for multi-taint tracking.
For integer taint tags, it seems impossible to maintain such a queue of taints?

Also, multi-taint tracking cannot be used for data flow tracking, right?

public static boolean IMPLICIT_TRACKING = true; //must be set to TRUE for MULTI_TAINTING to work!

from phosphor.

No, you can not queue the taints like this in integer tagging. Also, I realize that in the second approach you might have a further performance hit because there are some optimizations done when the taint itself is null (which it wouldn't be - although the label and dependencies would be).

You do not need implicit tracking on for multi tainting - not sure what's going on with that comment.

from phosphor.