Saving the world from bad beans

Saving the World from Bad Beans

Dave Clarke, Utrecht

Michael Richmond, IBM ARC

James Noble, VUW


Enterprise Java Beans

  • Component architecture for large-scale server-side computing

  • Individual third-party components - Beans

  • Large, complex environment - Server

  • Server integrity depends upon beans being well-behaved, obeying coding guidelines

  • What about Bad Beans?


EJB Lifecycle


EJB Structure and Containment


EJB Structure

  • EJB Object (EJB)

    • Provides business functionality

  • EJB Interface (EJBObject)

    • Mediates access to EJB

  • Container

    • Offers server functions to Beans

  • Helper — aggregate subsidiary object

  • Transfer — moves data between EJBs


EJB Interobject References


EJB Interface and Container

  • EJB Interface and Container

    • Collaborate to provide services to beans

    • Security

    • Transactions

    • Persistence

  • EJB Architectural Assumption

    • All access to EJB Object is via EJB Interface

    • EJB Object contained within EJB Interface

    • Confinement breach breaks architecture


Bad Bean Breaches Confinement


Bad Bean Breaches Confinement

public class CartBean implements SessionBean {

    protected SessionContext context;

    // Called once by container during Bean creation
    public void setSessionContext(SessionContext ctx) {
        this.context = ctx;
    }


Bad Bean Breaches Confinement

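    // correct way to return reference to Bean:
    // hand out the container-managed EJB Interface
    public CartEJBI goodReturn() {
        return (CartEJBI) context.getEJBObject();
    }

    // incorrect way to return reference to Bean:
    // hands out the EJB Object itself, bypassing the EJB Interface
    public CartEJBI badReturn() {
        return(this);
    }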


Bad Bean Breaches Confinement

  • Naïve class verification is not enough!

    class BadBean implements SessionBean {

        public Object exposeMyself() {
            return (Object) this;
        }

        Mole OopsIDidItAgain() {
            return new Mole(this);
        }


Confinement Checking

Confinement Checkers Prevent Exposure

  • Unit of confinement: Bean Instance

    • Inside: EJB Object, Helpers

    • Boundary: EJB Interface

    • Outside: everything else

    • Transfer objects may cross the boundary

      • Subject to restrictions

  • Server checks confinement during deployment


Confined Bean Constraints

  • CB1 Classes implementing EnterpriseBean, and all Helper classes, are confined. Classes extending boundary interfaces are on the boundary.

  • CB2 No confined type can appear in the signature of a boundary method, nor in static fields, nor as an exception.

  • CB3 A confined type cannot be cast to a non-confined type.

  • CB4 A non-confined type cannot be cast to a confined type.


Confined Bean Constraints

  • CB5 Fields, methods, and statics of non-confined classes having confined type are not accessible in confined code. Exceptions cannot be caught at confined types.

  • CB6 A confined class may only extend another confined class or java.lang.Object

  • Reflects guidelines in EJB specification

  • Reflection and native methods ignored
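
An added example, not code from the presentation or its SOOT-based tool: a reflection-based check of the method-signature part of CB2, using CB1 to decide which types are confined. `EnterpriseBean` and `Boundary` are local stand-ins for the `javax.ejb` interfaces, `CartBean`, `CartLine`, `GoodCart` and `BadCart` are constructed sample types, and treating arrays of confined types as confined is an assumption; static fields and the cast rules CB3/CB4 are not covered here.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class Cb2Check {
    // Hypothetical stand-ins for javax.ejb.EnterpriseBean and javax.ejb.EJBObject.
    interface EnterpriseBean {}
    interface Boundary {}

    // Constructed sample types: a bean, a helper, and two boundary interfaces.
    static class CartBean implements EnterpriseBean {}
    static class CartLine {}
    interface GoodCart extends Boundary {
        int itemCount();
        Object asObject();              // passes CB2; a bean returned here is a CB3 matter
    }
    interface BadCart extends Boundary {
        CartBean self();                // confined return type
        void merge(CartLine[] lines);   // confined helper in a parameter
    }

    // CB1: bean classes and listed helpers are confined.
    // Assumption of this example: arrays of confined types count as confined too.
    static boolean confined(Class<?> t, List<Class<?>> helpers) {
        while (t.isArray()) t = t.getComponentType();
        return EnterpriseBean.class.isAssignableFrom(t) || helpers.contains(t);
    }

    // CB2 (method signatures only): report confined types in a boundary interface.
    static List<String> check(Class<?> boundary, List<Class<?>> helpers) {
        List<String> out = new ArrayList<>();
        for (Method m : boundary.getMethods()) {
            if (confined(m.getReturnType(), helpers)) out.add(m.getName() + ": return type");
            for (Class<?> p : m.getParameterTypes())
                if (confined(p, helpers)) out.add(m.getName() + ": parameter");
            for (Class<?> e : m.getExceptionTypes())
                if (confined(e, helpers)) out.add(m.getName() + ": exception");
        }
        return out;
    }

    public static void main(String[] args) {
        List<Class<?>> helpers = List.of(CartLine.class);
        System.out.println("GoodCart: " + check(GoodCart.class, helpers));
        System.out.println("BadCart:  " + check(BadCart.class, helpers));
    }
}
```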


Checking Tool

  • We built a tool based on SOOT

  • Checks Bean class files at deployment time

    [dc] Processing class: mar.basicfail.SampleEJBI

    [dc] Class is on boundary - proceeding with boundary checks

    [dc] Boundary class has confined in interface (CB2).

    [dc] Offending Method (in return type): returnAsSessionBean

    [dc] Boundary class has confined in interface (CB2).

    [dc] Offending Method (in return type): returnAsSampleEJB

    [dc] Return statement violates CB3/4

    [dc] Value type = mar.basicfail.SampleEJB

    [dc] Return type = java.lang.Object

    [dc] Offending statement: return r0

    [dc]

    [dc] Deployment failed!!!


Testing Existing Beans

But can you use this on real Beans?

  • We tested this on a range of sample Beans

  • Case study: 15 Beans

    • All beans passed except one (see the paper)

But is this fast enough for production servers?

    • 1.3-6.5s per bean

    • Bean deployment is 10 times as expensive!

    • Our prototype implementation does not share effort with the server


Evaluation

  • Simple for developers and EJB architecture

    • No change to development environment

    • No change to EJB architecture

    • No runtime costs

  • Asymmetric — only checks confined code

  • Parametric Polymorphism (e.g. Collections)

    • But need bytecode support (e.g. .Net)

  • More sophisticated analyses

    • Harder for developers to understand

    • Bean correctness should not depend upon strength of analysis


Confinement and Ownership

Boyapati et al


Conclusion

  • EJBs are susceptible to confinement errors

    • Direct references bypass the EJBInterface

  • Confinement checking prevents these errors

    • Check server side, at deployment time

    • Fast and efficient checker

  • Empirical testing

    • Existing well-written EJBs will pass the test

    • Pragmatic customisation via Transfer objects


Credits

  • Department of Computer Science, Purdue

  • DARPA F33615-01-C-1894

  • Royal Society of New Zealand Marsden Fund

  • Ward 16 Wellington Hospital

