Post on 19-Jan-2016
Saving the World from Bad Beans
Dave Clarke, Utrecht
Michael Richmond, IBM ARC
James Noble, VUW
Enterprise Java Beans
• Component architecture for large-scale server-side computing
• Individual third-party components - Beans
• Large, complex environment - Server
• Server integrity depends upon beans being well-behaved, obeying coding guidelines
• What about Bad Beans?
EJB Lifecycle
EJB Structure and Containment
EJB Structure
• EJB Object (EJB)– Provides business functionality
• EJB Interface (EJBObject)– Mediates access to EJB
• Container– Offers server functions to Beans
• Helper — aggregate subsidiary object• Transfer — moves data between EJBs
EJB Interobject References
EJB Interface and Container
• EJB Interface and Container – Collaborate to provide services to beans– Security– Transactions– Persistence
• EJB Architectural Assumption– All access to EJB Object is via EJB Interface– EJB Object contained within EJB Interface– Confinement breach breaks architecture
Bad Bean Breaches Confinement
Bad Bean Breaches Confinement
public class CartBean implements SessionBean {
protected SessionContext context; // Called once by container during Bean
creation public void setSessionContext(SessionContext
_ctx) { this.context = ctx; }
Bad Bean Breaches Confinement
// correct way to return reference to Bean public CartEJBI goodReturn() { return(context.getEJBObject()); } // incorrect way to return reference to Bean public CartEJBI badReturn() { return(this); }
Bad Bean Breaches Confinement
• Naïve class verification is not enough!
class BadBean implements SessionBean { public Object exposeMyself() { return (Object) this; }
Mole OopsIDidItAgain() { return new Mole(this); }
Confinement Checking
Confinement Checkers Prevent Exposure• Unit of confinement: Bean Instance
– Inside: EJB Object, Helpers– Boundary: EJB Interface– Outside: everything else– Transfer objects may cross the boundary
• Subject to restrictions
• Server checks confinement during deployment
Confined Bean Constraints
• CB1 Classes implementing EnterpriseBean, and all Helper classes, are confined. Classes extending boundary interfaces are on the boundary.
• CB2 No confined type can appear in the signature of a boundary method, nor in static fields, nor as an exception.
• CB3 A confined type cannot be cast to a non-confined type.
• CB4 A non-confined type cannot be cast to a confined type.
Confined Bean Constraints
• CB5 Fields, methods, and statics of non-confined classes having confined type are not accessible in confined code. Exceptions cannot be caught at confined types.
• CB6 A confined class may only extend anotherconfined class or java.lang.Object
• Reflects guidelines in EJB specification• Reflection and native methods ignored
Checking Tool
• We built a tool based on SOOT
• Checks Bean class files at deployment time
[dc] Processing class: mar.basicfail.SampleEJBI[dc] Class is on boundary - proceeding with boundary checks[dc] Boundary class has confined in interface (CB2).[dc] Offending Method (in return type): returnAsSessionBean[dc] Boundary class has confined in interface (CB2).[dc] Offending Method (in return type): returnAsSampleEJB
[dc] Return statement violates CB3/4
[dc] Value type = mar.basicfail.SampleEJB
[dc] Return type = java.lang.Object
[dc] Offending statement: return r0
[dc][dc] Deployment failed!!!
Testing Existing Beans
But can you use this on real Beans?• We tested this on a range of sample Beans• Case study: 15 Beans
– All beans passed except one (see the paper)
But is this fast enough for production servers?– 1.3-6.5s per bean– Bean deployment is 10 times as expensive!– Our prototype implement does not share
effort with the server
Evaluation• Simple for developers and EJB architecture
– No change to development environment– No change to EJB architecture– No runtime costs
• Asymmetric — only checks confined code• Parametric Polymorphism (e.g. Collections)
– But need bytecode support (e.g. .Net)• More sophisticated analyses
– Harder for developers to understand– Bean correctness should not depend
upon strength of analysis
Confinement and Ownership
Per
Package
Per
Class
Per
Object
Per Object
Nested
Ad-hocConfined Types
SandwichTypes
ConfinedBeans
?
Types
OGJ Package
Universes,
OGJ Static
(Shallow)
AliasJava
(Deep)
Joe, OGJ
Boyapati et al
Conclusion
• EJBs are susceptible to confinement errors– Direct references bypass the EJBInterface
• Confinement checking prevents these errors– Check server side, at deployment time– Fast and efficient checker
• Empirical testing– Existing well-written EJBs will pass the test– Pragmatic customisation via Transfer objects
Credits
• Department of Computer Science, Purdue
• DARPA F33615-01-C-1894
• Royal Society of New Zealand Marsden Fund
• Ward 16 Wellington Hospital