Saving the World from Bad Beans Dave Clarke, Utrecht Michael Richmond, IBM ARC James Noble, VUW

Post on 19-Jan-2016


Page 1: Saving the World from Bad Beans

Dave Clarke, Utrecht

Michael Richmond, IBM ARC

James Noble, VUW

Page 2: Enterprise Java Beans

• Component architecture for large-scale server-side computing

• Individual third-party components - Beans

• Large, complex environment - Server

• Server integrity depends upon beans being well-behaved, obeying coding guidelines

• What about Bad Beans?

Page 3: EJB Lifecycle

Page 4: EJB Structure and Containment

Page 5: EJB Structure

• EJB Object (EJB) – Provides business functionality

• EJB Interface (EJBObject) – Mediates access to EJB

• Container – Offers server functions to Beans

• Helper — aggregate subsidiary object

• Transfer — moves data between EJBs

Page 6: EJB Interobject References

Page 7: EJB Interface and Container

• EJB Interface and Container
  – Collaborate to provide services to beans
  – Security
  – Transactions
  – Persistence

• EJB Architectural Assumption
  – All access to EJB Object is via EJB Interface
  – EJB Object contained within EJB Interface
  – Confinement breach breaks architecture

Page 8: Bad Bean Breaches Confinement

Page 9: Bad Bean Breaches Confinement

import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class CartBean implements SessionBean {
    protected SessionContext context;

    // Called once by container during Bean creation
    public void setSessionContext(SessionContext ctx) { this.context = ctx; }

Page 10: Bad Bean Breaches Confinement

    // correct way to return reference to Bean: hand out the EJB Interface the
    // container created (CartEJBI is this bean's EJBObject-derived interface)
    public CartEJBI goodReturn() { return (CartEJBI) context.getEJBObject(); }

    // incorrect way to return reference to Bean: this is the confined EJB Object itself
    // (it would only compile if CartBean also implemented CartEJBI, which is exactly the mistake)
    public CartEJBI badReturn() { return this; }
}

Page 11: Bad Bean Breaches Confinement

• Naïve class verification is not enough!

class BadBean implements SessionBean {
    // Upcast to Object: a check that only looks for the bean type in signatures misses this
    public Object exposeMyself() { return (Object) this; }

    // The reference escapes indirectly, captured inside another object
    Mole OopsIDidItAgain() { return new Mole(this); }
}

Page 12: Confinement Checking

Confinement Checkers Prevent Exposure

• Unit of confinement: Bean Instance
  – Inside: EJB Object, Helpers
  – Boundary: EJB Interface
  – Outside: everything else
  – Transfer objects may cross the boundary

• Subject to restrictions

• Server checks confinement during deployment

Page 13: Confined Bean Constraints

• CB1 Classes implementing EnterpriseBean, and all Helper classes, are confined. Classes extending boundary interfaces are on the boundary.

• CB2 No confined type can appear in the signature of a boundary method, nor in static fields, nor as an exception.

• CB3 A confined type cannot be cast to a non-confined type.

• CB4 A non-confined type cannot be cast to a confined type.

Page 14: Confined Bean Constraints

• CB5 Fields, methods, and statics of non-confined classes having confined type are not accessible in confined code. Exceptions cannot be caught at confined types.

• CB6 A confined class may only extend another confined class or java.lang.Object

• Reflects guidelines in EJB specification

• Reflection and native methods ignored

Page 15: Checking Tool

• We built a tool based on SOOT

• Checks Bean class files at deployment time

[dc] Processing class: mar.basicfail.SampleEJBI

[dc] Class is on boundary - proceeding with boundary checks

[dc] Boundary class has confined in interface (CB2).

[dc] Offending Method (in return type): returnAsSessionBean

[dc] Boundary class has confined in interface (CB2).

[dc] Offending Method (in return type): returnAsSampleEJB

[dc] Return statement violates CB3/4

[dc] Value type = mar.basicfail.SampleEJB

[dc] Return type = java.lang.Object

[dc] Offending statement: return r0

[dc]

[dc] Deployment failed!!!
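As an added illustration of rules CB2, CB3/CB4, CB5 and CB6 and of the kind of report the tool above prints (this is not the authors' SOOT-based checker), the following Python script applies the rules to a hand-built class model standing in for bytecode; treating Mole as a non-confined class with a BadBean-typed constructor, and the EJBObject type name, are assumptions made for the model.

```python
# Toy static checker for the Confined Beans rules CB2, CB3/CB4, CB5 and CB6. Added example,
# not the authors' SOOT-based tool: the class model below stands in for bytecode.
from dataclasses import dataclass, field
@dataclass
class Method:
    name: str
    ret: str                 # declared return type
    params: tuple = ()       # parameter types
    returns: tuple = ()      # static types of the values actually returned
    calls: tuple = ()        # (class, member) pairs invoked from this method

@dataclass
class Clazz:
    name: str
    kind: str                # "confined" | "boundary" | "outside"
    superclass: str = "java.lang.Object"
    methods: list = field(default_factory=list)

def check(classes):
    """Return the CB violations in a class model, worded like the tool's report."""
    kind = {c.name: c.kind for c in classes}
    members = {(c.name, m.name): m for c in classes for m in c.methods}
    def confined(t): return kind.get(t) == "confined"   # unknown types (EJBObject, void) are not confined
    errs = []
    for c in classes:
        for m in c.methods:
            if c.kind == "boundary":                              # CB2: no confined type in a boundary signature
                errs += [f"CB2 {c.name}.{m.name}: confined {t} in interface"
                         for t in (m.ret, *m.params) if confined(t)]
            for v in m.returns:                                   # CB3/CB4: a return must not cast across the boundary
                if confined(v) != confined(m.ret):
                    errs.append(f"CB3/4 {c.name}.{m.name}: returns {v} as {m.ret}")
            for callee, member in m.calls:                        # CB5: confined code must not use a member of a
                sig = members[(callee, member)]                   # non-confined class whose signature has confined type
                if c.kind == "confined" and not confined(callee) and any(map(confined, (sig.ret, *sig.params))):
                    errs.append(f"CB5 {c.name}.{m.name}: uses {callee}.{member}")
        if c.kind == "confined" and c.superclass != "java.lang.Object" and not confined(c.superclass):
            errs.append(f"CB6 {c.name} extends non-confined {c.superclass}")   # CB6: confined extends confined
    return errs
# Constructed model of the slides' CartBean/CartEJBI and BadBean/Mole examples (Mole assumed non-confined).
MODEL = [
    Clazz("CartEJBI", "boundary", methods=[Method("goodReturn", "CartEJBI"), Method("badReturn", "CartEJBI")]),
    Clazz("CartBean", "confined", methods=[
        Method("goodReturn", "CartEJBI", returns=("EJBObject",)),   # context.getEJBObject()
        Method("badReturn", "CartEJBI", returns=("CartBean",))]),   # return this
    Clazz("Mole", "outside", methods=[Method("<init>", "void", params=("BadBean",))]),
    Clazz("BadBean", "confined", methods=[
        Method("exposeMyself", "java.lang.Object", returns=("BadBean",)),
        Method("OopsIDidItAgain", "Mole", returns=("Mole",), calls=(("Mole", "<init>"),))]),
]
```

Running check(MODEL) flags badReturn and exposeMyself under CB3/4 and the Mole constructor call under CB5, while goodReturn passes.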

Page 16: Testing Existing Beans

But can you use this on real Beans?

• We tested this on a range of sample Beans

• Case study: 15 Beans
  – All beans passed except one (see the paper)

But is this fast enough for production servers?
  – 1.3-6.5s per bean
  – Bean deployment is 10 times as expensive!
  – Our prototype implementation does not share effort with the server

Page 17: Evaluation

• Simple for developers and EJB architecture
  – No change to development environment
  – No change to EJB architecture
  – No runtime costs

• Asymmetric — only checks confined code

• Parametric Polymorphism (e.g. Collections)
  – But need bytecode support (e.g. .Net)

• More sophisticated analyses
  – Harder for developers to understand
  – Bean correctness should not depend upon strength of analysis

Page 18: Confinement and Ownership

Diagram on the slide: confinement schemes by granularity (columns) and by ad-hoc rules versus type systems (rows)

              Per Package       Per Class                          Per Object         Per Object, Nested
Ad-hoc        Confined Types    Sandwich Types                     Confined Beans     ?
Types         OGJ Package       Universes, OGJ Static (Shallow)    AliasJava (Deep)   Joe, OGJ, Boyapati et al

Page 19: Conclusion

• EJBs are susceptible to confinement errors
  – Direct references bypass the EJB Interface

• Confinement checking prevents these errors
  – Check server side, at deployment time
  – Fast and efficient checker

• Empirical testing
  – Existing well-written EJBs will pass the test
  – Pragmatic customisation via Transfer objects

Page 20: Credits

• Department of Computer Science, Purdue

• DARPA F33615-01-C-1894

• Royal Society of New Zealand Marsden Fund

• Ward 16 Wellington Hospital