Decide if preloading AES encryption is important

[robgjansen]

For our Tor experiments, we used to preloading openssl encryption functions in Shadow version 1.x. This used to lead to a big performance boost (see Figure 2 in the original Shadow paper).

Since that, modern CPUs enable optimizations that can perform AES operations with very low latency. We are wondering if it still makes sense to maintain the code needed to preload the AES functions going forward.

To help us decide, we should run an experiment in Shadow 2.x both with and without preloading the AES functions, and test how performance is affected.

[robgjansen]

Initial results in a 5% Tor network indicate no noticeable performance change when performing the crypto or preloading the crypto. Note that this only tests skipping the AES symmetric encryption, not public key operations (which were never supported by the tor preload lib).

run_time.pdf

Note that we never counted how often the functions are called when preloading, to better understand how many cryptographic operations we are able to skip. Not sure that we need that, but it would help us be a bit more confident about the results.

[robgjansen]

We decided that we want to at the very least double check that the preloaded cipher functions are getting intercepted on the specific machine that was used to run this experiment.

We may also consider counting the frequency with which those functions are called to help us guess how much change in performance we should be expecting from skipping those calls.

[robgjansen]

I ran a 10% Tor network with 154a11d with and without the following code (taken from shadow-tor-preload) preloaded into the managed processes:

/*
 * The Shadow Simulator
 * Copyright (c) 2010-2011, Rob Jansen
 * See LICENSE for licensing information
 */

#include <stdio.h>
#include <string.h>

static unsigned long aes_e_cnt = 0;
static unsigned long aes_d_cnt = 0;
static unsigned long aes_ce_cnt = 0;
static unsigned long aes_cd_cnt = 0;
static unsigned long aes_evp_cnt = 0;

static void _aes_print_counters() {
    fprintf(stderr,
            "Counters: {AES_encrypt:%lu, AES_decrypt:%lu, AES_ctr128_encrypt:%lu, "
            "AES_ctr128_decrypt:%lu, EVP_Cipher:%lu}\n",
            aes_e_cnt, aes_d_cnt, aes_ce_cnt, aes_cd_cnt, aes_evp_cnt);
}

__attribute__((constructor)) void _aes_load() {
    fprintf(stderr, "Loading the preloaded aes interception lib\n");
    return;
}

__attribute__((destructor)) void _aes_unload() {
    fprintf(stderr, "Unloading the preloaded aes interception lib\n");
    _aes_print_counters();
    return;
}

void AES_encrypt(const unsigned char* in, unsigned char* out, const void* key) {
    aes_e_cnt++;
    return;
}
void AES_decrypt(const unsigned char* in, unsigned char* out, const void* key) {
    aes_d_cnt++;
    return;
}
void AES_ctr128_encrypt(const unsigned char* in, unsigned char* out, const void* key) {
    aes_ce_cnt++;
    return;
}
void AES_ctr128_decrypt(const unsigned char* in, unsigned char* out, const void* key) {
    aes_cd_cnt++;
    return;
}
int EVP_Cipher(void* ctx, unsigned char* out, const unsigned char* in, unsigned int inl) {
    aes_evp_cnt++;
    if((aes_evp_cnt % 10000) == 0) {
        _aes_print_counters();
    }
    memmove(out, in, (size_t)inl);
    return 1;
}

Here we can see that the performance difference for preloading these functions is minimal on my machine.

On my machine, I don't think the performance difference here is worth the extra work required to preload these functions (preloading them requires manually building both openssl and libevent, and linking those manually built libs to Tor).

---

With the preloading enabled, I'm counting the following total number of operations across all nodes:

{"AES_encrypt": 0, "AES_decrypt": 0, "AES_ctr128_encrypt": 0, "AES_ctr128_decrypt": 0, "EVP_Cipher": 5778460000}

I'm not sure if we should be expecting positive counts for the AES operations anymore in recent versions of Tor.

[robgjansen]

We found some additional functions to add:

• CRYPTO_ctr128_encrypt
• CRYPTO_ctr128_encrypt_ctr32

We found that when adding these functions, the counts for CRYPTO_ctr128_encrypt_ctr32 increases and the counts for EVP_Cipher goes to 0. So we think CRYPTO_ctr128_encrypt_ctr32 is the outer function that internally calls EVP_Cipher, and we may be able to save even more work by skipping CRYPTO_ctr128_encrypt_ctr32.

We also think this overhead only accounts for ~0.5% of the runtime and so it probably won't matter anyway.

[robgjansen]

Adding the new functions to the preload lib still resulted in positive interception counts only for EVP_Cipher:

{
  'AES_encrypt': 0,
  'AES_decrypt': 0,
  'AES_ctr128_encrypt': 0,
  'CRYPTO_ctr128_encrypt': 0,
  'CRYPTO_ctr128_encrypt_ctr32': 0,
  'EVP_Cipher': 5785261000
}

[robgjansen]

The performance change is no longer significant enough to warrant the complexity of building custom libevent and openssl libraries, at least not by default. If we find that the overhead is more significant in import use cases, feel free to comment or re-open.

[robgjansen]

We realized that skipping crypto ops may still be useful in some environments, particularly on older CPUs that do not support AES-NI crypto optimizations. We plan to test the effect of AES preloading in such an environment to re-evaluate the efficacy of this feature.