Theoretically secure whitelisting

Discussion in 'sandboxing & virtualization' started by Gullible Jones, Mar 21, 2014.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Gullible Jones
    It's just using one object as a 'management' object. So instead of having 3 objects, a base, and 2 subclasses, you just have one management object, and it can hold two other objects in arrays - just one example. This is far more cache friendly, massive massive performance benefits. Threadpools are also singleton, as there's simply one object for management.

    My ThreadPool is open source though the one on Git is not complete. I'll be releasing it later on, when I do an extensive blogpost on valgrind, cache optimization, concurrency, etc. Similar to my sandboxing post recently.

    Threadpools let you avoid the overhead of creating and destroying threads (high), instead allowing you to simply have a constant group of threads that you allocate and send tasks to. They sit there waiting for tasks.
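    A minimal C++11 thread pool of the kind described above, added here as an illustration (it is not Hungry Man's library, which is not on this page): one manager object owns a fixed vector of worker threads and a task queue, and `parallel_sum` (a helper named for this example) shows work being handed to those waiting threads instead of spawning a thread per task.

```cpp
#include <condition_variable>
#include <functional>
#include <mutex>
#include <queue>
#include <thread>
#include <vector>
// One manager object owns a fixed group of worker threads (created once, reused
// for every task) and a queue of pending tasks; destroying it drains the queue.
class ThreadPool {
public:
    explicit ThreadPool(std::size_t n) {
        for (std::size_t i = 0; i < n; ++i) workers_.emplace_back([this] { run(); });
    }
    ~ThreadPool() {
        { std::lock_guard<std::mutex> lk(m_); stop_ = true; }
        cv_.notify_all();                        // wake idle workers so they can exit
        for (auto& t : workers_) t.join();       // each finishes queued work first
    }
    void submit(std::function<void()> task) {    // queue a task; one idle worker wakes
        { std::lock_guard<std::mutex> lk(m_); tasks_.push(std::move(task)); }
        cv_.notify_one();
    }
private:
    void run() {                                 // worker loop: sleep until work or stop
        for (;;) {
            std::unique_lock<std::mutex> lk(m_);
            cv_.wait(lk, [this] { return stop_ || !tasks_.empty(); });
            if (tasks_.empty()) return;          // only reached once stop_ is set
            std::function<void()> job = std::move(tasks_.front());
            tasks_.pop();
            lk.unlock();                         // never run a job while holding the lock
            job();
        }
    }
    std::vector<std::thread> workers_;           // the constant group of threads
    std::queue<std::function<void()>> tasks_;
    std::mutex m_; std::condition_variable cv_; bool stop_ = false;
};
// Sums v in contiguous chunks (one task each) on nthreads (>= 1) workers; tasks
// write disjoint slots of `partial`, and destroying the pool waits for them all.
long long parallel_sum(const std::vector<int>& v, std::size_t nthreads) {
    if (v.empty()) return 0;
    std::size_t chunk = (v.size() + nthreads - 1) / nthreads, k = 0;
    std::vector<long long> partial((v.size() + chunk - 1) / chunk, 0);
    {
        ThreadPool pool(nthreads);
        for (std::size_t b = 0; b < v.size(); b += chunk, ++k)
            pool.submit([&v, &partial, b, k, chunk] { for (std::size_t i = b; i < b + chunk && i < v.size(); ++i) partial[k] += v[i]; });
    }
    long long total = 0; for (long long p : partial) total += p; return total;
}
```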
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Not sure I follow the example. I gathered only one singleton object can exist at any given time, you're talking about using that as a container for other objects so that memory allocation is more contiguous?

    Looking forward to reading it. :)

    Right, better to use the extra memory now than bog down in context switches later. Cool.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, singleton objects are meant to be used one at a time, basically. So you'd have, for example, a threadpool object. You don't need two threadpools, you just have one, and it manages threads for you internally.

    In the case of OOP inheritance you lose a lot of performance, or at least you can. You aren't guaranteed contiguous memory, for example, which means your CPU cache is going to be wasted (since it grabs chunks of contiguous memory).

    If you have one singleton object that manages separate objects, managing them in a contiguous space, you gain cache locality back, which means you've just gotten a few hundred times faster.

    Definitely. My program used threads quite naively, which was fine as it was a learning experience, but the context switches and overhead were far greater than the benefits.

    I'm going to rerelease a completely rewritten version, ground up, with my threadpool library. It should be many orders of magnitude faster.
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Hungry Man how much performance benefit can one expect in bytecode languages like Java, or even slower ones like Python? It is possible in all of those (from my Googling) but I would imagine that maintaining cache locality is much more difficult in interpreted code.

    Also, what about for single-threaded programming?

    I will have to try this though.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but I see people saying that it's brilliant, see the quotes. Perhaps they can explain how this compares to Sandboxie.

     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Rasheed187 I thought it was brilliant because it avoids using any kernel hooks, drivers, etc. But it looks like I was wrong, and the method it uses is not actually secure in any real sense.

    Edit: Honestly though I'm not enough of a hardware geek to tell one way or the other. I should probably run some tests of the program against Metasploit, see how it compares to driver based sandboxes, but I don't feel like wasting time messing around with Windows this weekend. :p
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @Gullible Jones

    OK, I see. The reason why I asked is because I was trying to figure out what type of kernel mode hooks SBIE is using, just for fun.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Gullible Jones

    Performance benefits should be the same across languages - avoiding hitting RAM means avoiding a 500x cost in execution. CPUs these days are not bottlenecked by computation, but by the need to hit RAM.

    With interpreted code it should be mostly the same, but I'm not sure. I would say that if the goal is performance you're not doing interpreted anyways, way too many areas of overhead.

    Single threaded is easier to handle for cache afaik, as any write to the cache invalidates it across all threads, forcing more swaps.
     
  9. 142395

    142395 Guest

    Sorry, I somehow missed your reply but thanks for the explanation!
    Yeah, I was thinking about that... so AV or HIPS or even malware can still hook other kernel-mode things, e.g. to intercept network packets, if they install a kernel-mode driver, as it has the same privilege as other drivers (e.g. the network driver).
    It seems Sandboxie does something like this. What is the reason you've never implemented that in a meaningful way? Just out of curiosity.

    And well, wow, things went much beyond my knowledge!
    So now C++ is no more just C + OOP, that's interesting.
    And thanks GJ for the warning option info, though I haven't actually used -Wextra.
    Also surprised to hear that.
    So, the overhead of interpreting code in real time can be less than that of badly written compiled code which spawns unnecessary threads and thus causes unnecessary context switches (not asking about an exact comparison, rather generally speaking)?
     
  10. 142395

    142395 Guest

    I think malware can bypass this type of HIPS by directly calling native APIs, though I'm not 100% sure.
    The reason I was impressed is much more naive than GJ's: simply because I hadn't thought of that, while having a little experience of debugging.
    Just the same reason I was very impressed by yogurt (who thought of fermenting milk!)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @142395
    They would need root privileges to install a driver, but yeah they can do a lot.


    Sandboxie started doing something similar once it got taken over.

    I never did, idk, it's a time consuming chore. One day I'll get to it, if MS doesn't make it even more annoying to develop for Windows.

    I did a bit of work on it this summer but nothing big.

    Definitely. If I use a quadratic algorithm in C and a logarithmic algorithm in Python I'll end up with faster Python code on most data.

    Bad code is bad code, language can only do so much.
     
    Last edited: Nov 23, 2014
  12. 142395

    142395 Guest

    Thanks for the clarification again!
    I truly appreciate it.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Any time.
     