Sunday, March 25, 2007

Cohen on Howard: Chapter 17

Chapter 17 covers preventing denial of service attacks against common resources.

Cohen:
It also gives us a really bad example of using software performance profiling instead of complexity analysis to find possible denial of service exploits. This is the worst example yet of ignoring academic results in favor of inferior industry methods. In particular, a junior programmer is told to ignore all that complexity theory he was taught in the University and simply test each of the routines under different inputs, find the slow routines, and speed them up. Of course in a denial of service scenario, if there is a high complexity function that is fast in almost all cases, a good attacker will find the worst case input sequences and exploit them while the testing scheme will almost certainly miss these cases unless they do complexity analysis.


In the context of the passage Cohen quotes, it is clear that they are discussing how to fix CPU performance problems in a specific codebase, not how to detect and fix CPU denial-of-service attacks. Asymptotic complexity analysis is costly and leaves out a lot of context that is needed when deciding how to improve performance (e.g., how often a given code path is actually executed). The pragmatic programmer in me has no problem with using a profiler against a system running under a broad set of expected loads to figure out where the low-hanging fruit is.
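To make the disagreement concrete, here is an added illustration (not code from Cohen, Howard, or this post): a constructed quicksort that pivots on its first element looks fine when "profiled" against random inputs, but complexity analysis says an already-sorted input drives it to n(n-1)/2 comparisons, and a randomized pivot closes that gap. Comparisons are counted instead of timed so the numbers are reproducible.

```python
import random

N = 400  # constructed input size; kept small to stay within Python's recursion limit


def quicksort(items, counter, rng=None):
    """Quicksort that tallies comparisons in counter[0] so cost is measurable
    without timing noise. rng=None pivots on the first element (the naive
    variant); passing a random.Random picks the pivot at random instead."""
    if len(items) <= 1:
        return list(items)
    idx = 0 if rng is None else rng.randrange(len(items))
    pivot = items[idx]
    rest = items[:idx] + items[idx + 1:]
    counter[0] += len(rest)  # one comparison against the pivot per remaining element
    left = [x for x in rest if x < pivot]
    right = [x for x in rest if x >= pivot]
    return quicksort(left, counter, rng) + [pivot] + quicksort(right, counter, rng)


def comparisons(items, randomized=False, seed=0):
    """Return how many comparisons the sort spends on `items` (and check the result)."""
    counter = [0]
    rng = random.Random(seed) if randomized else None
    assert quicksort(items, counter, rng) == sorted(items)
    return counter[0]


def profile_expected_load(runs=20, seed=1):
    """Mimic a profiler run under 'expected' load: random inputs only.
    Returns the worst cost observed across all runs."""
    rng = random.Random(seed)
    return max(comparisons([rng.randrange(10**6) for _ in range(N)]) for _ in range(runs))


def worst_case_cost():
    """What complexity analysis predicts for the first-element pivot:
    a sorted input degrades to n(n-1)/2 comparisons."""
    return comparisons(list(range(N)))


def hardened_worst_case_cost():
    """The same sorted input with a randomized pivot stays near n log n."""
    return comparisons(list(range(N)), randomized=True)


if __name__ == "__main__":
    print("profiler max on random inputs :", profile_expected_load())
    print("sorted input, first-element pivot:", worst_case_cost())
    print("sorted input, randomized pivot   :", hardened_worst_case_cost())
```

The profiler number is what a test-under-load approach reports; the sorted-input number is the case it never generates.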
