SSLStream broken due to heap fragmentation

Chris Mullins

We've been using the SSLStream class found in System.Net.Secu rity to build a
giant Sockets server that provides TLS encryption at the channel leve.
Before .Net 2.0, we used an open-source encryption channel from Mentalis,
and have even looked at the Mono implementation for doing this.

The problem comes from the SSLStream not doing any buffer management. None.
Zero. In the "no buffer management" case, each SSLStream allocates bufferes
whenevers it needs them, copies data into those buffers, and then calls
Socket.BeingRea d / Socket.BeginWri te. This causes pinning. Massive,
long-lived, horrible pins. This leads to horrendus non-recoverable
fragmentation.

The killer here is that both of these socket methods immediatly pin the
buffers, and pass the data off to unmanaged code. The BeginRead method may
not return for 10 seconds, 10 minutes, or 10 hours, leaving a hole in the
Managed Heap the entire time. BeginWrite causes the same problem, although
for a smaller length of time.

To get around this in the past, we've created a block of buffers ahead of
time, and cycled through them. This keeps all the pinned memory together in
a single spot. This technique is described in detail here:
http://blogs.msdn.com/yunjin/archive.../27/63642.aspx
http://www.coversant.net/dotnetnuke/...d=88&EntryID=9

In our last implementation (.Net 1.1), we put alot of work into managing
these buffer pools and really trying hard to eliminate heap fragmentation.
This worked great.
With the .Net 2.0 SSLStream, the BeginRead method ends up allocating
bufferes here:
BeginRead->ProcessRead->EnsureInternal BufferSize
That method allocates a buffer by:
this._InternalB uffer = new byte[addSize + curOffset];

Notice there's no fregging pool here? No attempt to eliminate fragmentation.
No attempt to be efficient.

This buffer gets passed to the NetworkStream, and in turn to the Socket,
which promptly pins it.

The BeginWrite case is the same thing:
BeginWrite->ProcessWrite->StartWriting->EncryptBuffe rs->EncryptData->Encrypt
This method allocates it's buffer:
buffer1 = new byte[(size + this.m_HeaderSi ze) + this.m_TrailerS ize];

Again, no fregging attempt to use a buffer pool. No attempt to eliminate
heap fragmentation.

Because the SSLStream is retarded, it only works on NetworkStreams - and
Network Streams only work on Sockets. This means there's nowhere in the
whole chain I can insert code prior to the Pin that would use a pooled
buffer. Ugh.

Now, .Net 2.0 is improved at managing pinning in the heap:
http://blogs.msdn.com/maoni/archive/...lr-2-0-gc.aspx

.... but I have it on VERY good authority that their technique isn't nearly
as effective as the BufferPool method. In fact, it's not even close.

This has runied my whole day. Ugh.

--
Chris Mullins, MCSD.NET, MCPD:Enterprise

Nov 9 '06 #1

Subscribe Reply

3614

Chris Mullins

We did figure out a way around this, in case anyone's interested.

By deriving a class from NetworkStream and overring the relevant methods, we
can swap out the buffers used by SSLStream with our own buffers. Because our
buffers come from a bufferpool that's allocated in a way to minimize heap
fragmentation, the heap stays unfragmented, and scalability is largely
unaffected.

We certainly end up doing number of buffer copies, but that's a much cheaper
price to pay than heap fragmentation.

--
Chris Mullins, MCSD.NET, MCPD:Enterprise
http://www.coversant.net/blogs/cmullins

"Chris Mullins" <cm******@yahoo .comwrote:

We've been using the SSLStream class found in System.Net.Secu rity to build
a giant Sockets server that provides TLS encryption at the channel leve.
Before .Net 2.0, we used an open-source encryption channel from Mentalis,
and have even looked at the Mono implementation for doing this.

The problem comes from the SSLStream not doing any buffer management.
None. Zero. In the "no buffer management" case, each SSLStream allocates
bufferes whenevers it needs them, copies data into those buffers, and then
calls Socket.BeingRea d / Socket.BeginWri te. This causes pinning. Massive,
long-lived, horrible pins. This leads to horrendus non-recoverable
fragmentation.

The killer here is that both of these socket methods immediatly pin the
buffers, and pass the data off to unmanaged code. The BeginRead method may
not return for 10 seconds, 10 minutes, or 10 hours, leaving a hole in the
Managed Heap the entire time. BeginWrite causes the same problem, although
for a smaller length of time.

To get around this in the past, we've created a block of buffers ahead of
time, and cycled through them. This keeps all the pinned memory together
in a single spot. This technique is described in detail here:
http://blogs.msdn.com/yunjin/archive.../27/63642.aspx
http://www.coversant.net/dotnetnuke/...d=88&EntryID=9

In our last implementation (.Net 1.1), we put alot of work into managing
these buffer pools and really trying hard to eliminate heap fragmentation.
This worked great.
With the .Net 2.0 SSLStream, the BeginRead method ends up allocating
bufferes here:
BeginRead->ProcessRead->EnsureInternal BufferSize
That method allocates a buffer by:
this._InternalB uffer = new byte[addSize + curOffset];

Notice there's no fregging pool here? No attempt to eliminate
fragmentation. No attempt to be efficient.

This buffer gets passed to the NetworkStream, and in turn to the Socket,
which promptly pins it.

The BeginWrite case is the same thing:
BeginWrite->ProcessWrite->StartWriting->EncryptBuffe rs->EncryptData->Encrypt
This method allocates it's buffer:
buffer1 = new byte[(size + this.m_HeaderSi ze) + this.m_TrailerS ize];

Again, no fregging attempt to use a buffer pool. No attempt to eliminate
heap fragmentation.

Because the SSLStream is retarded, it only works on NetworkStreams - and
Network Streams only work on Sockets. This means there's nowhere in the
whole chain I can insert code prior to the Pin that would use a pooled
buffer. Ugh.

Now, .Net 2.0 is improved at managing pinning in the heap:
http://blogs.msdn.com/maoni/archive/...lr-2-0-gc.aspx

... but I have it on VERY good authority that their technique isn't nearly
as effective as the BufferPool method. In fact, it's not even close.

This has runied my whole day. Ugh.

--
Chris Mullins, MCSD.NET, MCPD:Enterprise

Nov 10 '06 #2

Similar topics

6681

Preventing memory fragmentation

by: Tron Thomas | last post by:

Given the following information about memory management in C++: ----- The c-runtime dynamic memory manager (and most other commercial memory managers) has issues with fragmentation similar to a hard drive file system. Over time, the more often use call new/delete or alloc/free, there will be gaps and fragments in the heap. This can lead to inefficient use of available memory, as well as cache-hit inefficiencies.

C / C++

808

Heap vs Stack allocations

by: MSG | last post by:

Hello void f1(int n) { vector<int> x(n); /* C++ */ } void f2(int n) { int x; /* C99 only */ } void f3(int n) { int* x = new int; /* C++ */ delete x; }

C / C++

5859

Defragment Heap Tables

by: kmounkhaty | last post by:

Hi guru, I've been new company for only a month and started analysing Index Fragmentation. After I ran DBCC DBREINDEX and capture data into permanent table, I 've seen lots of tables with no indexes. These tables showed: Very low scan density, High extent fragmentation

Microsoft SQL Server

2203

sslstream and certificates

by: Jakob Nielsen | last post by:

This is a question about partly .net sslStreams and partly about the certificates it uses. I can't seem to find a more specific group.. and since i am coding in c# :-) I try creating a sslStream from a regular networkstream as folows Socket clientSocket = serverSocket.EndAccept(result); clientSocket.Blocking = true; Stream clientStream = new NetworkStream(clientSocket); SslStream sslStream = new SslStream(clientStream);

C# / C Sharp

2171

auto_ptr always implies heap?

by: swengtoo | last post by:

My understanding is that an auto_ptr can never own an object that was created on the stack. This is because when auto_ptr goes out of scope, it calls 'delete' for the object it points to. Is my understanding correct? Or did I miss anything here? Thanks!

C / C++

2107

Large Object Heap Compaction in Framework 1.1/2.0?

by: Ben Lam | last post by:

I read on some message board that i can't find anymore saying that the Large Object Heap is compacted in Framework 1.1 or 2.0. Is this true? I can't seem to find any ms documentation that said this was fixed. Is large object heap fragmentation still going to be a problem in Framework 2.0? thanks

C# / C Sharp

4753

sslStream.Read() returns invalid data when socket times out from block/nonblock IO?

by: phplasma | last post by:

Hey, I am currently attempting to implement a multi-threaded C# socket, using SSL (.pem file/certification/private key combo) server using Visual Studio C# Express. I have successfully made the client application establish a connection, and send data, which appears in plain, de-crypted text on the server - this works.

C# / C Sharp

6212

Can array allocation cause memory fragmentation

by: Andreas Schmitt | last post by:

Hi, I recently worked on an open source project and tried to make on of the arrays they are using dynamically allocated to get rid of the max size. I used the realloc instead of the usual C++ new and delete because they asked me to stick to their "coding style" Well whatever..

C / C++

7644

tcp client and sslstream in .net

by: nevviin | last post by:

Hi, I have developed a VB.NET windows application to read mails from the server. I am using tcpclient object to read mail from mail server. I am uisng the IMAP and POP protocols for reading the mails. For this i used to send command using write command of ssl stream and read the response using the reader Dim sslstream As Net.Security.SslStream

.NET Framework

9632

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

10302

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

10136

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

10071

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

9925

Discussion: How does Zigbee compare with other wireless protocols in smart home applications?

by: tracyyun | last post by:

Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...

General

8958

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

5372

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

5501

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

2867

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General