
Rule Set Based Access Control (RSBAC) for Linux - Benchmarks


Benchmark results

2.4.19-UP-RSBAC-v1.2.1-Celeron-333-256MB

These Linux kernel compile benchmarks were run on a Celeron-333 UP system with kernel 2.4.19 and RSBAC version 1.2.1. Three runs each of 'make clean && time make bzImage' on the same plain 2.4.19 kernel source tree, in single user mode and after one untimed run, produced the following average times in seconds:

Kernel type   Total time   Kernel/Sys + User   Kernel/Sys time   User/Process time
Clean kernel   747.97   745.85   34.68   711.17
Maint kernel (no modules)   753.09 (+0.68%)   750.94 (+0.67%)   38.61 (+11.33%)   712.33 (+0.16%)
RC + AUTH, no other options   758.62 (+1.42%)   756.55 (+1.43%)   44.89 (+29.44%)   711.66 (+0.07%)
RC + AUTH, network support, full log settings, no other options   765.18 (+2.30%)   761.47 (+2.08%)   49.60 (+43.02%)   711.87 (+0.10%)
RC + AUTH + ACL, network support, full log settings, no other options   773.22 (+3.38%)   769.85 (+3.20%)   59.12 (+70.47%)   710.73 (-0.06%)
Default config: REG, FF, AUTH, RC, ACL, CAP, JAIL, network support, full log settings, but nothing logged   779.46 (+4.21%)   777.25 (+4.19%)   63.28 (+82.47%)   713.97 (+0.39%)
All options and models   820.00 (+9.63%)   816.97 (+9.52%)   103.83 (+199.39%)   713.14 (+0.28%)

Numbers have not changed much from the previous benchmark. RC and AUTH are now measured with and without full network and logging options. Since the MS model was doing fine in the last benchmark, it had no extra runs this time.

With all models and options, 1.2.1 was a bit faster now than 1.2.0-pre6 was without MS and JAIL. Less than 10% overhead with all options sounds good enough to me.
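
The procedure behind these tables (one untimed run, then three timed runs, averaged, with each column's overhead given relative to the clean kernel) can be reproduced with a small harness. This is an added example, not part of the original page or the RSBAC project; the function names are assumptions, and it reads child CPU times through getrusage instead of the shell's time builtin.

```python
import resource
import subprocess
import time

QUIET = {"stdout": subprocess.DEVNULL, "stderr": subprocess.DEVNULL}


def time_once(cmd, cwd=None):
    """Run cmd once; return (wall, user, sys) seconds for it and its children."""
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    subprocess.run(cmd, cwd=cwd, check=True, **QUIET)
    wall = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    return (wall,
            after.ru_utime - before.ru_utime,
            after.ru_stime - before.ru_stime)


def benchmark(cmd, runs=3, prepare=None, cwd=None):
    """One untimed warm-up run, then `runs` timed runs; return the averages."""
    samples = []
    for i in range(runs + 1):
        if prepare:  # e.g. ["make", "clean"]; not included in the timing
            subprocess.run(prepare, cwd=cwd, check=True, **QUIET)
        sample = time_once(cmd, cwd)
        if i > 0:  # run 0 only warms caches and is discarded
            samples.append(sample)
    wall, user, sys_ = (sum(col) / runs for col in zip(*samples))
    return {"total": wall, "sys+user": sys_ + user, "sys": sys_, "user": user}


def overhead_pct(baseline, measured):
    """Relative change against the clean-kernel baseline, in percent."""
    return round((measured - baseline) / baseline * 100, 2)


def compare(clean, candidate):
    """Per-column overhead of a candidate kernel's averages over the clean one's."""
    return {col: overhead_pct(clean[col], candidate[col]) for col in clean}


if __name__ == "__main__":
    # Values from the 2.4.19 table above: clean kernel vs. default config.
    clean = {"total": 747.97, "sys": 34.68, "user": 711.17}
    default = {"total": 779.46, "sys": 63.28, "user": 713.97}
    print(compare(clean, default))
```

On each booted kernel, call benchmark(["make", "bzImage"], prepare=["make", "clean"], cwd=<kernel source tree>) and pass the two result dictionaries to compare(); the split between "sys" and "user" is what shows that the access control overhead lands almost entirely in kernel time.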

2.4.18-UP-RSBAC-v1.2.0-pre6-Celeron-333-256MB

These Linux kernel compile benchmarks were run on a Celeron-333 UP system with kernel 2.4.18 and RSBAC version 1.2.0-pre6. Three runs each of 'make clean && time make bzImage' on the same plain 2.4.18 kernel source tree, in single user mode and after one untimed run, produced the following average times in seconds:

Kernel type   Total time   Kernel/Sys + User   Kernel/Sys time   User/Process time
Clean kernel   734.53   734.53   34.81   699.72
Maint kernel (no modules)   738.28 (+0.51%)   738.28 (+0.51%)   37.49 (+7.70%)   700.79 (+0.15%)
RC + AUTH, network support, no other options   747.52 (+1.77%)   747.52 (+1.77%)   43.59 (+25.22%)   703.93 (+0.60%)
AUTH + ACL, network support, no other options   749.28 (+2.01%)   749.28 (+2.01%)   47.34 (+36.00%)   701.94 (+0.32%)
Default config: REG, FF, AUTH, RC, ACL, CAP, network support, full log settings, but nothing logged   767.76 (+4.52%)   767.76 (+4.52%)   65.57 (+88.37%)   702.19 (+0.35%)
All options and models, except MS   813.44 (+10.74%)   813.44 (+10.74%)   104.53 (+200.28%)   708.91 (+1.31%)
Full MS, no other options   747.49 (+1.76%)   747.49 (+1.76%)   44.22 (+27.03%)   703.27 (+0.51%)

The significant kernel time increase with more models, compared to the previous v1.1.2 benchmark, is probably related to the distribution of attributes over separate lists for each module, which results in more list lookups. Also, the RC changes from fixed size role and type arrays to lists slow this model down a bit.

In larger setups, the list separation should result in much shorter lists and thus speed things up again. You can see this and the internal list optimizations in the much better MS results, where large lists of scanning results are generated.

2.4.6-UP-RSBAC-v1.1.2-pre8-Celeron-333-256MB

These Linux kernel compile benchmarks were run on a Celeron-333 UP system with kernel 2.4.6 and RSBAC version 1.1.2-pre8. Three runs each of 'time make bzImage' on a 2.4.6 kernel source tree, in single user mode and after one untimed run, produced the following average times in seconds:

Kernel type   Total time   Kernel/Sys + User   Kernel/Sys time   User/Process time
Clean kernel   711.75   711.74   34.83   676.91
Maint kernel (no modules, no debug code)   719.09 (+1.03%)   719.09 (+1.03%)   41.02 (+17.77%)   678.07 (+0.17%)
Maint kernel (no modules)   719.20 (+1.05%)   719.19 (+1.05%)   39.04 (+12.09%)   680.15 (+0.48%)
RC + AUTH, no other options   719.36 (+1.07%)   719.35 (+1.07%)   45.41 (+30.38%)   673.94 (-0.44%)
AUTH + ACL, no other options   721.18 (+1.32%)   721.19 (+1.33%)   44.56 (+27.94%)   676.63 (-0.04%)
Default config: REG, FF, AUTH, RC, ACL modules, all log settings, but nothing logged   729.33 (+2.47%)   729.33 (+2.47%)   52.76 (+51.48%)   676.57 (-0.05%)
All options and models, except MS   763.35 (+7.25%)   763.07 (+7.21%)   81.63 (+134.37%)   681.44 (+0.67%)
All options and models   854.69 (+20.08%)   854.21 (+20.02%)   169.65 (+387.08%)   684.56 (+1.13%)

The significant kernel time increase with all models is mostly due to the MS model with read check enabled, which marks all files ever read as scanned and thus produces a huge number of attribute objects in large lists. The list handling will be optimized for 1.2.0.

2.4.3-SMP-RSBAC-v1.1.1-PIII-866-1GB-Raid-5

These Linux kernel compile benchmarks were run on a PIII-866 SMP Mylex Raid-5 system with kernel 2.4.3 and RSBAC version 1.1.1. Three runs each of 'time make bzImage -j 4' produced the following average times:

Kernel type   Total time   Kernel/Sys + User   Kernel/Sys time   User/Process time
Clean kernel   348.1s   347.5s   33.4s   314.1s
RSBAC without modules (maint kernel)   368.3s (+5.8%)   368s (+5.9%)   35.6s (+6.6%)   332.4s (+5.8%)
RSBAC with default config: REG, FF, AUTH, RC, ACL modules, full log settings, but nothing logged   372.6s (+7.0%)   372.2s (+7.1%)   36.4s (+9.0%)   335.8s (+6.9%)

2.2.18-UP-RSBAC-v1.1.0-P-100-64MB

These Linux kernel compile benchmarks were run on a SuSE Linux 7.0 Pentium 100 system with kernel 2.2.18 and RSBAC version 1.1.0. Three benchmark runs each, in single user mode right after boot, produced the following average times:

Kernel type   Total time   Kernel + User   Kernel time   User/Process time
Clean kernel   1858s   1857s   69s   1788s
RSBAC without modules   1884s (+1.3%)   1877s (+1.1%)   82s (+18.8%)   1795s (+0.4%)
RSBAC with FF, AUTH, RC, ACL modules   1967s (+5.9%)   1959s (+5.5%)   167s (+142%)   1792s (+0.2%)


29-Nov-02, -ao