HP-UX Whitelisting (WLI) Performance Whitepaper PDF
Table of contents
Introduction
Overview
File Access Policies
Capabilities
Security Modes
WLI Architecture
Performance Testing Methodology
Benchmark
Measures
System Configuration
WLI Performance Results
IOZone Results
Throughput Analysis
10 MB File Size
40 MB File Size
CPU Utilization Analysis
200 MB File Size
400 MB File Size
RWTool Results
Conclusion
Re-write performance analysis
Read performance analysis
Reader CPU Utilization analysis
Writer CPU Utilization analysis
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Technical whitepaper | HP-UX Whitelisting (WLI) Performance Whitepaper
Introduction
HP-UX Whitelisting (WLI) offers file and system resource protection based on RSA encryption technology on HP Integrity
servers running HP-UX 11i v3. WLI is complementary to the traditional UNIX discretionary access controls (DAC) based on
user, group, and file permissions. In contrast to user file ownership and user role assignment, WLI file and resource access is
based on RSA key ownership. With WLI enforcement in effect, file and resource access is associated with RSA keys, and user
ID is not a factor. WLI restrictions on file and resource access apply equally to root and non-root users.
This whitepaper measures the performance impact of HP-UX Whitelisting on the system. It
publishes the WLI performance results in terms of the impact on application I/O throughput and CPU utilization.
Overview
HP-UX Whitelisting (WLI) is a PKI key-based policy enforcement product. Whitelisting policies are based on RSA key
ownership and encryption technology. WLI policies are imposed through RSA signatures and enforced through signature
verification. Therefore, regular files and directories may be protected from access by any user, including the superuser.
Whitelisting security features are divided into the following categories:
Capabilities
When WLI is installed, certain system resources known to be security risks are blocked from access by all applications. A
user owning an administrator key can authorize a WLI-signed application to access these resources. Other users, as well as
the owner of the administrator key, can then execute the signed application and access the protected resource. In WLI
terminology, a capability is granted to an application to permit access to a protected resource.
Security Modes
HP-UX Whitelisting offers two operational modes, namely maintenance and restricted. By default, WLI is set to maintenance
mode, where the security policies can be created. However, for enforcement of any file access policies and capabilities, WLI
mode should be set to restricted. A security downgrade from restricted to maintenance is not allowed without a reboot,
which provides a strong security control.
WLI Architecture
The above figure depicts the architecture of HP-UX Whitelisting. WLI consists of both user space and kernel space
components. Kernel space provides services to configure WLI, set/get/modify policies, and sign the executables. The crypto
module delivered in kernel space handles all the cryptographic requirements of WLI. HP-UX WLI delivers a stackable file
system module (WFS), which gets stacked between VFS and the physical file system layer (VxFS or HFS) when the module is
loaded into the kernel. System calls that operate on vnodes, such as create, open, read, and write, when executed on
the system, pass through the additional WLI file system (WFS) along with the rest of the file system stack. The WFS module
intercepts such system calls and collects the information required. The policy enforcement manager, which is also delivered as
part of WFS, determines whether a particular access to a data file should be allowed or not. In user space, there are
commands delivered to execute WLI-specific actions with the help of the underlying kernel components.
Benchmark
To drive these tests, IOZone, the de facto file system benchmarking tool, was used. IOZone is widely used as a quick and
effective way to drive I/O throughput to infinitely configurable levels and to accurately measure the throughput on a
consistent scale. IOZone also captures and reports the CPU utilization for a given test carrying out read/write operations on a
file.
Apart from IOZone, a tool named RWTool was designed and developed internally. It supports READ and WRITE modes, to read
continuously from a 2 GB file and to write up to 1 GB of data to a file, respectively. The time taken for these operations is
measured.
IOZone and RWTool, described above, are highly I/O intensive and are certainly not representative of a typical customer
application. These tools generate extreme I/O loads that provide a contrast between the system performance with and
without WLI enabled on the system. Thus, these applications probably measure the WLI impact in the “worst-case
scenario”.
Note:
These tests should not be construed as indicators of how an actual application would perform with WLI, but they provide a
sense of the performance impact of WLI on highly I/O (read and write) intensive programs.
Measures
The I/O throughput is measured using the following two approaches to estimate the performance impact of the WLI
module, by running the tests with and without WLI.
• IOZone: Throughput is measured in kilobytes per second, versus the system resources (CPU) required.
• RWTool: Time taken for a fixed number of writes and reads is measured.
The WLI impact on memory utilization is negligible; hence, memory utilization is not reported in the test case graphs.
System Configuration
Below are the specifications of the system used for these tests.
CPU info:
11 sockets
44 cores (4 per socket)
44 logical processors (4 per socket)
LCPU attribute is disabled
Memory:
Platform info:
OS info:
IOZone Results
All of the IOZone tests were run with 4 K, 8 K and 16 K record sizes on files of size 10 MB, 40 MB, 200 MB and 400 MB. The
record size represents the size of the data read for each read operation or written into the file for each write operation.
Each of these combinations is run four times and the results are averaged. Using IOZone, read and re-write performance
data is collected, as they represent the typical file system operations of reading from an existing file and writing into an
existing file, respectively.
IOZone does not provide the CPU utilization when the file sizes are small. So for the smaller file sizes (10 MB and 40 MB), the
throughput is captured for record sizes of 4K, 8K, 16K, and 32K, whereas the CPU utilization is measured for file sizes of
200 MB and 400 MB. Graphs are plotted separately for each file size and test type. Four types of results/graphs are
displayed below.
In this test type, for a given file size, the throughputs of a reader program using different record sizes (4K, 8K, 16K, and 32K)
are measured. In the graph, the x-axis represents the record size of every read operation and the y-axis represents the read
throughput for a given record size for the fixed file size.
In this test type, write operations are carried out on an existing file. For a given file size, the throughputs of a writer program
using different record sizes (4K, 8K, 16K, and 32K) are measured. In the graph, the x-axis represents the record size of every
write operation and the y-axis represents the write throughput for a given record size for the fixed file size.
In this test type, for a given file size, the CPU utilization of a reader program for different record sizes (4K, 8K, 16K, and 32K)
is measured. In the graph, the x-axis represents the record size of every read operation and the y-axis represents the CPU
utilization for a given record size for the fixed file size.
Time taken is measured by RWTool for a fixed number of reads and writes from/into a file. The x-axis represents the
read/write operations and the y-axis represents the time taken for a fixed number of reads and writes.
All the throughputs are measured in KB per second (KBps), CPU utilization is measured in percentage (%), and time taken is
measured in microseconds. IOZone is run as a single-threaded application for this exercise.
Throughput Analysis
As mentioned above, the read and re-write throughputs are captured for record sizes of 4K, 8K, 16K, and 32K for
file sizes of 10 MB and 40 MB.
10 MB File Size
The following graphs depict the performance impact on the throughput on a 10 MB file for record sizes of 4K, 8K, 16K, and
32K.
[Graph data: throughput (KB/sec) by record length, 10 MB file]
Record Length (KB)    4            8            16           32
Without WLI           691789.5     1031429      1396304      1689064.5
WLI Restricted        679790.5     1024881.5    1390786.5    1696144.25
[Graph data: throughput (KB/sec) by record length, 10 MB file]
Record Length (KB)    4            8            16           32
Without WLI           676237.75    991179.25    1314386.25   1546399.75
WLI Restricted        672322       984106       1318736.5    1550349.75
40 MB File Size
The following graphs depict the performance impact on the throughput on a 40 MB file for record sizes of 4K, 8K, 16K, and
32K.
[Graph data: throughput (KB/sec) by record length, 40 MB file]
Record Length (KB)    4            8            16           32
Without WLI           693334       1044381.75   1407807      1698524.75
WLI Restricted        677433.75    1003599.25   1348054      1655864.75
[Graph data: throughput (KB/sec) by record length, 40 MB file]
Record Length (KB)    4            8            16           32
Without WLI           671256       1001081.5    1332300.75   1555921
WLI Restricted        665083.25    966090.25    1298339.25   1514974.75
The following graphs depict the performance impact on CPU utilization on a 200 MB file for record sizes of 4K, 8K, 16K, and
32K.
[Graph data: CPU utilization (%) by record length, 200 MB file]
Record Length (KB)    4            8            16           32
Without WLI           100          95.2125      99.4375      97.9675
WLI Restricted        99.86        98.79        99.5575      97.9475
The following graphs depict the performance impact on the CPU for a 400 MB file for record sizes of 4K, 8K, 16K, and 32K.
[Graph data: CPU utilization (%) by record length, 400 MB file]
Record Length (KB)    4            8            16           32
Without WLI           99.395       100          99.65        99.1225
WLI Restricted        99.8875      99.68        99.475       97.1725
RWTool Results
Using RWTool, the performance impact of WLI on the read() and write() system calls is measured. The pseudo code of this
program is given in the Appendix section.
[Graph data: time taken (microseconds) by read/write operation]
Read/Write Operation    Write          Read
Baseline                12343919.75    2269339
WLI                     12401036.25    2304257.25
Conclusion
The following tables list the average performance impact in percentages (%) for read and re-write operations for each
combination of file size and record length.
         Values
Write    0.462709586
Read     1.538696951
The negative values displayed above are close to 0 and can be ignored as anomalies.
With the IOZone application, the impact of WLI on the re-write and read throughputs is in the range of 0% to 3.5% and 0% to
4.2% respectively. The average impact of WLI on CPU utilization is between 0% and 3.75% for the read system call and between 0% and
1.95% for the write system call.
With RWTool, the performance degradation in the case of the write system call is measured as 0.46%, and in the case of the read
system call it is 1.5%.
From the above results, we can conclude that the overall performance impact due to WLI ranges anywhere
from 0% to 4.2% in the case of throughput and CPU utilization.
As mentioned earlier, these results are based on I/O intensive benchmark tools, which just read from or write into a file
without any data processing. However, in a real-life scenario, applications use significant CPU cycles for processing data
after or before they read from or write into a file, in which case the performance impact on the overall application would be
even less than what is mentioned above.
If we extrapolate these results to an application that consists of a 20% I/O workload, then the performance impact on such an
application due to WLI can be anywhere between 0% and 0.84%, which is less than 1%.
Summary
HP-UX Whitelisting (WLI) is software that provides additional access controls on critical files and system resources
by intercepting the file I/O related system calls and validating the authenticity of the applications accessing those
files/resources. In this process, WLI adds some performance impact on I/O, but the above test results suggest that the
performance impact is indeed minimal. Even the impact on CPU utilization seems minimal from the above test results
and probably will not have any impact on systems with existing CPU headroom.
Certainly, the best way to judge the effect that WLI will have on a system and application is to run a pilot test, set up
measures, and collect metrics, as was done in these tests. IOZone or RWTool cannot accurately represent a true production
application; all they can do is provide a reasonable measurement method to report metrics objectively.
Given these variables, HP-UX customers can likely capitalize upon the opportunity to use WLI to protect critical files and
system resources through WLI’s strong security features. HP-UX WLI is a no-cost feature that is available for 11i v3
starting from the AR0909 update release, and thus every opportunity to evaluate it for production usage should be taken to
strengthen security and minimize IT costs.
Appendix
The pseudo code of the reader and writer programs is given below:
Reader Program
Initialize Readcnt to 0
Initialize offset to 0
Initialize blocksize to 4K
Writer Program
Initialize Writecnt to 0
Open a file of size 2GB for write
Set begin time to current time
Begin loop; write while Writecnt is less than 2000000
    Write 512 bytes of data
    Increment Writecnt
End loop
Set end time to current time
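The writer loop above as working C, together with the percentage-impact calculation used in the Conclusion; this is an added example, not HP's RWTool source. The names timed_writes and impact_percent and the default file name are assumptions, and the reader side is left out because the reader pseudo code on this page stops after its initialization steps.

```c
/* Added example: write-timing loop modelled on the appendix pseudo code. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

#define RECORD_SIZE 512 /* bytes per write(), as in the pseudo code */

/* Wall-clock time in microseconds, the unit the paper reports. */
static long long now_usec(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (long long)tv.tv_sec * 1000000LL + tv.tv_usec;
}

/* Issue `count` sequential writes of RECORD_SIZE bytes to `path`.
 * Opens without O_TRUNC, so an existing file is re-written in place.
 * Returns elapsed microseconds, or -1 on open, short-write or close failure. */
long long timed_writes(const char *path, long count)
{
    char buf[RECORD_SIZE];
    long writecnt = 0;
    long long begin, end;
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    memset(buf, 'A', sizeof buf);
    begin = now_usec();
    while (writecnt < count) {
        if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) {
            close(fd);
            return -1; /* a failed or short write would skew the timing */
        }
        writecnt++;
    }
    end = now_usec();
    return close(fd) == 0 ? end - begin : -1;
}

/* Percentage slowdown of a run with WLI relative to the baseline run. */
double impact_percent(double baseline, double with_wli)
{
    return (with_wli - baseline) / baseline * 100.0;
}

int main(int argc, char **argv)
{
    /* Hypothetical default file name; pass a path on a WLI-protected file system. */
    const char *path = argc > 1 ? argv[1] : "rwtool_example.dat";
    long long usec = timed_writes(path, 2000000L);
    if (usec < 0) { perror("timed_writes"); return 1; }
    printf("2000000 writes of %d bytes: %lld usec\n", RECORD_SIZE, usec);
    return 0;
}
```

Run it once with WLI in restricted mode and once without, then pass the two timings to impact_percent; with the RWTool times reported above it gives the 0.46% (write) and 1.5% (read) figures.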
References
HP-UX Whitelisting:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=WhiteListInf
IOzone:
http://www.iozone.org/