Saving the World from Bad Beans

1
Saving the World from Bad Beans

• Dave Clarke, Utrecht
• Michael Richmond, IBM ARC
• James Noble, VUW

2
Enterprise Java Beans

• Component architecture for large-scale
  server-side computing
• Individual third-party components - Beans
• Large, complex environment - Server
• Server integrity depends upon beans being
  well-behaved, obeying coding guidelines
• What about Bad Beans?

3
EJB Lifecycle
4
EJB Structure and Containment
5
EJB Structure

• EJB Object (EJB)
• Provides business functionality
• EJB Interface (EJBObject)
• Mediates access to EJB
• Container
• Offers server functions to Beans
• Helper aggregate subsidiary object
• Transfer moves data between EJBs

6
EJB Interobject References
7
EJB Interface and Container

• EJB Interface and Container
• Collaborate to provide services to beans
• Security
• Transactions
• Persistence
• EJB Architectural Assumption
• All access to EJB Object is via EJB Interface
• EJB Object contained within EJB Interface
• Confinement breach breaks architecture

8
Bad Bean Breaches Confinement
9
Bad Bean Breaches Confinement

• public class CartBean implements SessionBean
• protected SessionContext context
• // Called once by container during Bean creation
• public void setSessionContext(SessionContext
  _ctx)
• this.context ctx

10
Bad Bean Breaches Confinement

• // correct way to return reference to Bean
• public CartEJBI goodReturn()
• return(context.getEJBObject())
• // incorrect way to return reference to Bean
• public CartEJBI badReturn()
• return(this)

11
Bad Bean Breaches Confinement

• Naïve class verification is not enough!
• class BadBean implements SessionBean
• public Object exposeMyself()
• return (Object) this
• Mole OopsIDidItAgain()
• return new Mole(this)

12
Confinement Checking

• Confinement Checkers Prevent Exposure
• Unit of confinement Bean Instance
• Inside EJB Object, Helpers
• Boundary EJB Interface
• Outside everything else
• Transfer objects may cross the boundary
• Subject to restrictions
• Server checks confinement during deployment

13
Confined Bean Constraints

• CB1 Classes implementing EnterpriseBean, and all
  Helper classes, are confined. Classes extending
  boundary interfaces are on the boundary.
• CB2 No confined type can appear in the signature
  of a boundary method, nor in static fields, nor
  as an exception.
• CB3 A confined type cannot be cast to a
  non-confined type.
• CB4 A non-confined type cannot be cast to a
  confined type.

14
Confined Bean Constraints

• CB5 Fields, methods, and statics of non-confined
  classes having confined type are not accessible
  in confined code. Exceptions cannot be caught at
  confined types.
• CB6 A confined class may only extend
  anotherconfined class or java.lang.Object
• Reflects guidelines in EJB specification
• Reflection and native methods ignored

15
Checking Tool

• We built a tool based on SOOT
• Checks Bean class files at deployment time
• dc Processing class mar.basicfail.SampleEJBI
• dc Class is on boundary - proceeding with
  boundary
• checks
• dc Boundary class has confined in interface
  (CB2).
• dc Offending Method (in return type)
• returnAsSessionBean
• dc Boundary class has confined in interface
  (CB2).
• dc Offending Method (in return type)
• returnAsSampleEJB

• dc Return statement violates CB3/4
• dc Value type mar.basicfail.SampleEJB
• dc Return type java.lang.Object
• dc Offending statement return r0
• dc
• dc Deployment failed!!!

16
Testing Existing Beans

• But can you use this on real Beans?
• We tested this on a range of sample Beans
• Case study 15 Beans
• All beans passed except one (see the paper)
• But is this fast enough for production servers?
• 1.3-6.5s per bean
• Bean deployment is 10 times as expensive!
• Our prototype implement does not shareeffort
  with the server

17
Evaluation

• Simple for developers and EJB architecture
• No change to development environment
• No change to EJB architecture
• No runtime costs
• Asymmetric only checks confined code
• Parametric Polymorphism (e.g. Collections)
• But need bytecode support (e.g. .Net)
• More sophisticated analyses
• Harder for developers to understand
• Bean correctness should not depend upon strength
  of analysis

18
Confinement and Ownership
Boyapati et al
19
Conclusion

• EJBs are susceptible to confinement errors
• Direct references bypass the EJBInterface
• Confinement checking prevents these errors
• Check server side, at deployment time
• Fast and efficient checker
• Empirical testing
• Existing well-written EJBs will pass the test
• Pragmatic customisation via Transfer objects

20
Credits

• Department of Computer Science, Purdue
• DARPA F33615-01-C-1894
• Royal Society of New Zealand Marsden Fund
• Ward 16 Wellington Hospital