saving the world from bad beans
Download
Skip this Video
Download Presentation
Saving the World from Bad Beans

Loading in 2 Seconds...

play fullscreen
1 / 20

Saving the World from Bad Beans - PowerPoint PPT Presentation


  • 116 Views
  • Uploaded on

Saving the World from Bad Beans. Dave Clarke, Utrecht Michael Richmond, IBM ARC James Noble, VUW. Enterprise Java Beans. Component architecture for large-scale server-side computing Individual third-party components - Beans Large, complex environment - Server

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Saving the World from Bad Beans' - lanza


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
saving the world from bad beans

Saving the World from Bad Beans

Dave Clarke, Utrecht

Michael Richmond, IBM ARC

James Noble, VUW

enterprise java beans
Enterprise Java Beans
  • Component architecture for large-scale server-side computing
  • Individual third-party components - Beans
  • Large, complex environment - Server
  • Server integrity depends upon beans being well-behaved, obeying coding guidelines
  • What about Bad Beans?
ejb structure
EJB Structure
  • EJB Object (EJB)
    • Provides business functionality
  • EJB Interface (EJBObject)
    • Mediates access to EJB
  • Container
    • Offers server functions to Beans
  • Helper — aggregate subsidiary object
  • Transfer — moves data between EJBs
ejb interface and container
EJB Interface and Container
  • EJB Interface and Container
    • Collaborate to provide services to beans
    • Security
    • Transactions
    • Persistence
  • EJB Architectural Assumption
    • All access to EJB Object is via EJB Interface
    • EJB Object contained within EJB Interface
    • Confinement breach breaks architecture
bad bean breaches confinement1
Bad Bean Breaches Confinement

public class CartBean implements SessionBean {

protected SessionContext context;

// Called once by container during Bean creation

public void setSessionContext(SessionContext _ctx) {

this.context = ctx;

}

bad bean breaches confinement2
Bad Bean Breaches Confinement

// correct way to return reference to Bean

public CartEJBI goodReturn() {

return(context.getEJBObject());

}

// incorrect way to return reference to Bean

public CartEJBI badReturn() {

return(this);

}

bad bean breaches confinement3
Bad Bean Breaches Confinement
  • Naïve class verification is not enough!

class BadBean implements SessionBean {

public Object exposeMyself() {

return (Object) this;

}

Mole OopsIDidItAgain() {

return new Mole(this);

}

confinement checking
Confinement Checking

Confinement Checkers Prevent Exposure

  • Unit of confinement: Bean Instance
    • Inside: EJB Object, Helpers
    • Boundary: EJB Interface
    • Outside: everything else
    • Transfer objects may cross the boundary
      • Subject to restrictions
  • Server checks confinement during deployment
confined bean constraints
Confined Bean Constraints
  • CB1 Classes implementing EnterpriseBean, and all Helper classes, are confined. Classes extending boundary interfaces are on the boundary.
  • CB2 No confined type can appear in the signature of a boundary method, nor in static fields, nor as an exception.
  • CB3 A confined type cannot be cast to a non-confined type.
  • CB4 A non-confined type cannot be cast to a confined type.
confined bean constraints1
Confined Bean Constraints
  • CB5 Fields, methods, and statics of non-confined classes having confined type are not accessible in confined code. Exceptions cannot be caught at confined types.
  • CB6 A confined class may only extend anotherconfined class or java.lang.Object
  • Reflects guidelines in EJB specification
  • Reflection and native methods ignored
checking tool
Checking Tool
  • We built a tool based on SOOT
  • Checks Bean class files at deployment time

[dc] Processing class: mar.basicfail.SampleEJBI

[dc] Class is on boundary - proceeding with boundary

checks

[dc] Boundary class has confined in interface (CB2).

[dc] Offending Method (in return type):

returnAsSessionBean

[dc] Boundary class has confined in interface (CB2).

[dc] Offending Method (in return type):

returnAsSampleEJB

[dc] Return statement violates CB3/4

[dc] Value type = mar.basicfail.SampleEJB

[dc] Return type = java.lang.Object

[dc] Offending statement: return r0

[dc]

[dc] Deployment failed!!!

testing existing beans
Testing Existing Beans

But can you use this on real Beans?

  • We tested this on a range of sample Beans
  • Case study: 15 Beans
    • All beans passed except one (see the paper)

But is this fast enough for production servers?

    • 1.3-6.5s per bean
    • Bean deployment is 10 times as expensive!
    • Our prototype implement does not shareeffort with the server
evaluation
Evaluation
  • Simple for developers and EJB architecture
    • No change to development environment
    • No change to EJB architecture
    • No runtime costs
  • Asymmetric — only checks confined code
  • Parametric Polymorphism (e.g. Collections)
    • But need bytecode support (e.g. .Net)
  • More sophisticated analyses
    • Harder for developers to understand
    • Bean correctness should not depend upon strength of analysis
conclusion
Conclusion
  • EJBs are susceptible to confinement errors
    • Direct references bypass the EJBInterface
  • Confinement checking prevents these errors
    • Check server side, at deployment time
    • Fast and efficient checker
  • Empirical testing
    • Existing well-written EJBs will pass the test
    • Pragmatic customisation via Transfer objects
credits
Credits
  • Department of Computer Science, Purdue
  • DARPA F33615-01-C-1894
  • Royal Society of New Zealand Marsden Fund
  • Ward 16 Wellington Hospital
ad