RFE: Use a cBPF binary tree for large seccomp filters

[drakenclimber]

Several in-house customers have identified that their large seccomp filters are slowing down their applications. Their filters largely consist of simple allow/deny logic for many syscalls (306 in one case) and for the most part don't utilize argument filtering.

After invaluable feedback from Paul Moore and Kees Cook, I have chosen to pursue a cBPF binary tree to improve performance for these customers. A cBPF binary tree requires no kernel changes and should be transparent for all libseccomp users.

I currently have a working prototype and the numbers are very promising. I modified gen_bpf.c and gen_pfc.c to utilize a cBPF binary tree if there are 16 or more syscalls being filtered. I then timed calling getppid() in a loop using one of my customer's seccomp filters. I ran this loop one million times and recorded the min, max, and mean times (in TSC ticks) to call getppid(). (I didn't disable interrupts, so the max time was often large.) I chose to report the minimum time because I feel it best represents the actual time to traverse the syscall.

Test Case                      minimum TSC ticks to make syscall
----------------------------------------------------------------
seccomp disabled                                             138
getppid() at the front of 306-syscall seccomp filter         256
getppid() in middle of 306-syscall seccomp filter            516
getppid() at the end of the 306-syscall filter              1942
getppid() in a binary tree                                   312

As shown in the table above, a binary tree can siginficantly improve syscall performance in the average and worst case scenario for these customers.

[pcmoore]

Just a heads-up, since this would be a pretty significant change, and I would really like to get a v2.4 release out this spring/summer, I'm marking this as v2.5 material. Please don't take this as a sign that I don't think the results are interesting, they are, I just want to keep focused in the near term on the things that are marked for v2.4.

[drakenclimber]

Sounds reasonable to me. Thanks for the heads up.

[jdstrand]

FYI, we were looking at this over in snapd (if interested, start at https://forum.snapcraft.io/t/concerns-about-performance/12194/8) and found cases where bintree was actually slower than 2.4.1 with a particular large syscall list (for and admittedly pathological case). I wonder if it would make sense to add an additional API call to opt out of/into bintree?

[drakenclimber]

FYI, we were looking at this over in snapd

Awesome!

and found cases where bintree was actually slower than 2.4.1 with a particular large syscall list (for and admittedly pathological case).

I agree for pathological cases, it's pretty easy to make the bintree slower. But I have yet to hit a real-world case where the binary tree is slower.

I wonder if it would make sense to add an additional API call to opt out of/into bintree?

Good question. I have considered such an option a few times and haven't been able to convince myself that it's needed (yet?). As you pointed out, contrived scenarios can cause the binary tree to be slower. But is there a real world scenario?

I also considered an on/off switch for the binary tree in case it introduced a regression, but in that case, we should just fix the bug and roll a new version of libseccomp.

Thoughts?

[drakenclimber]

if interested, start at https://forum.snapcraft.io/t/concerns-about-performance/12194/8

I looked through the thread you cited above. Really nice work! It seems to match the results I have been seeing. Artificial tests that skew toward syscalls 0, 1, 2, etc. do worse with a binary tree, but once a "real" test case is used, overall performance tends to go up.

Your idea of adding an on/off switch for the bintree is starting to grow on me. Is there a real-world scenario that has a really large filter yet for the vast majority of the time only calls a couple syscalls? Hmmm....

[jdstrand]

I agree for pathological cases, it's pretty easy to make the bintree slower. But I have yet to hit a real-world case where the binary tree is slower.

Note that while the case was pathological, it was in a real world application, 'volatility' (https://github.com/volatilityfoundation/volatility). Note I am neither a user nor a developer of volatility. I was just involved in the investigation of why it was slower than expected.

[jdstrand]

Your idea of adding an on/off switch for the bintree is starting to grow on me. Is there a real-world scenario that has a really large filter yet for the vast majority of the time only calls a couple syscalls? Hmmm....

Yes, snapd is a system for containerizing applications and part of its job is to setup a seccomp filter via a templated policy system. The default policy has a large number of syscalls (we do arg-filtering and I'm including different arguments to the same syscall in the total). A developer 'snapped' the volatility application and it used a lot of syscalls, but in our debugging we found lseek and read dominated the number with 1.2 million calls between them, putting those at ~95% of all its syscall usage. Definitely pathological and I suspect we'll have really nice gains for the more typical evenly distributed set, so to be clear, thank you for your work! :)

Considering the volatility use case (I suspect that similar applications might behave the same or ones that use lseek/read heavily on large files would not be unheard of), I was thinking maybe it would be nice to add some sort of a knob if previous behavior (perhaps with seccomp_syscall_priority()) could do better than bintree, so brought it up here.

[pcmoore]

Sorry for the late reply, was off on vacation and trying not to spend too much time on my laptop ;)

FWIW, the current approach towards organizing the seccomp BPF filters, assuming no explicit priorities are provided, is to put the shortest/simplest filters at the top and the longest/complex filters at the end. The idea is that we want a higher "return density" near the top of the BPF code to better leverage caching, reduce jump lengths, etc.

However, as pointed out, no one optimization scheme is going to be "ideal" for all workloads and filter configurations. My initial thinking is that we may want to initially support multiple optimization approaches (e.g. "classic" and "syscall tree") and the application could select one at runtime (probably via a libseccomp attribute, defaulting to the current "classic" behavior).

Thoughts?