Andrew

Finding UID 0 work on z/OS using SMF Data

February 17, 2022 by Andrew

Finding work running under UID 0 and understanding what it is is important for security on z/OS.

Some UID 0 processes run for hours and are easy to find with tools like SDSF. Other work might only run for a fraction of a second, and is virtually impossible to catch “in the act”.

SMF data can help. SMF type 30 records have Unix Process sections for z/OS unix work. The Unix Process section includes the UID so you can use it to find UID 0 work.

Here is an example of the EasySMF Unix Work report:

EasySMF Unix Work Report, filtered to show UID 0.

The UID field allows you to filter the report to include only work with UID 0.

The report builds a tree using the parent process information so you can see the relationship between different tasks. Information from SMF about the running program is included, which can help to understand what the work is doing.

The Elapsed column shows how long these tasks were running. Most of these tasks were part of system startup and many ran for less than half a second, so it would be very difficult to catch them in real time.

You can download a 30 day trial to see what the data from your system looks like here:

EasySMF 30 Day Trial

Apache Log4j CVE-2021-44228 Information

December 14, 2021 by Andrew

Black Hill Software does not use or distribute Apache Log4j in any of our products.

EasySMF:JE does use SLF4J which can be configured by the customer to use Log4j, if the customer provides the Log4j components. Even in this case EasySMF:JE does not log any information from untrusted sources so we do not believe it is vulnerable to this exploit.

However, if customers have configured logging to use Apache Log4j they should upgrade Log4j to a fixed version.

Java vs C++ : Drag Racing on z/OS

August 10, 2021 by Andrew

Which language is faster on z/OS, Java or C++? People will tell you C++ is fast and Java is slow, but does that stand up to a drag race?

Dave Plummer is a retired operating systems engineer from Microsoft. He has created an interesting series of videos “drag racing” different languages and different hardware with a small program searching for prime numbers. The initial video raced C++, Python, and C#. Then he raced an Apple M1 vs an AMD ThreadRipper 3970X vs a Raspberry Pi.

I thought it would be interesting to run the drag race on z/OS, putting C++ up against Java. z/OS people like to tell you that Java is slow – but is that really true?

The program uses the sieve of Eratosthenes to search for prime numbers. The program works through odd numbers starting at 3 and marks each multiple as “not prime”. Then it moves to the next number that has not already been marked as a multiple of another number and repeats the process. At the end, numbers that have not been marked are prime.

This is repeated for numbers up to 1,000,000 as many times as possible in 5 seconds, and the number of passes is the result.

The “drag race” description acknowledges that this isn’t a comprehensive benchmark, just a test of speed at a particular task like drag racing a car.

Setup

The C++ and Java programs had been developed and refined on other platforms. The Java code ran without modification, but the C++ code required a few changes:

I couldn’t find <chrono> on z/OS so I used gettimeofday for the timing
Some changes to initialization etc. were required due to unsupported syntax

The C++ code was compiled from the unix command line:

xlc -o PrimeCPP31 -O3 -Wl,xplink -Wc,xplink,-qlanglvl=extended0x PrimeCPP.cpp

I configured the zIIP offline for the tests so that the C++ and Java code were running on the same processor.

All source code is available here, if you want to try it out on your own system:

https://github.com/andrew890/Primes-zOS

Note: z/OS CPU speeds vary widely based on the capacity purchased. The z15 LSPR ratios list z15 systems with single CPU MSU ratings from 12 MSU to 253 MSU – a 20x difference! The numbers here should be a reasonable comparison between the languages tested, but be careful comparing them with a different system.

Round 1

Source code:

Results (higher number is better):

C++	Java
1295	4807

I was surprised – I expected Java to do well, but I didn’t expect C++ to do so badly.

There wasn’t anything I could see in the C++ code to make it slower than the Java code. However, marking and checking numbers is the majority of the work, and this processing is hidden inside a vector<bool> in the C++ code. Using vector<bool> was apparently a big gain on other platforms, but maybe not on z/OS?

I changed the C++ code to use bits in an unsigned char array, explicitly testing and setting bits. This was the method Dave used in his initial code. The Java code used a boolean array. To give the closest possible comparison between C++ and Java I also changed the Java code to use a byte array with the same bit testing/setting.

Round 2

Source Code:

Results (higher number is better):

C++	Java
4828	2715

This was a much better result for C++. It looks like the vector<bool> implementation on z/OS is not as good as other platforms. However in Java the original solution was much better. The improved C++ version didn’t significantly beat the original Java solution.

On other platforms C++ was faster than Java by 40-70%. The versions using the byte array showed a similar margin. I don’t doubt that you could write a C++ version to beat the fastest Java version on z/OS, but I don’t think it would be easy.

Bonus: COBOL

Someone contributed a COBOL version. I tried that out of interest, compiled with OPT(2):

Source Code:

https://github.com/andrew890/Primes-zOS/blob/main/PrimeCOBOL/solution_2/PRIMES

Result:

COBOL

2373

Better than the worst C++, but not as good as Java. To be fair, this program is a long way from the type of work COBOL was designed for. I don’t know COBOL well enough to judge if it could be improved.

Scaling it up

The other interesting test is to scale up from 1,000,000 to larger numbers. I repeated the tests using the different solutions for primes up to 10,000,000, 100,000,000 and 1,000,000,000.

The most interesting result here is the Java boolean[] version. This version is as fast as the fastest C++ version for 1,000,000, but the speed declines much faster as the maximum increases. I guess Java is doing some optimizations that don’t work as well for 1 billion element arrays!

The trend was strong enough that it seemed interesting to try a smaller number as well, so I added a 100,000 run. Very interesting – for 100,000, the Java version using the boolean array was more than 20% faster than C++!

	100,000	1,000,000	10,000,000	100,000,000	1,000,000,000
C++ using vector<bool>	14,377	1,295	122	10	1 in 7.19 seconds
Java using boolean[]	64,423	4,807	271	13	1 in 9.06 seconds
C++ using unsigned char*	52,251	4,828	417	28	2 in 5.14 seconds
Java using byte[]	30,425	2,715	237	14	2 in 6.99 seconds
COBOL	19,270	2,373	86	5	1 in 21.0 seconds

Java Overhead

Java has some overhead starting the Java Virtual Machine. This can be seen in the SMF data.

The SMF data shows the C++ programs had about 4.95 seconds CPU time and 5.02 seconds elapsed time for the 5 second duration measured by the program.

The Java programs had about 5.24 seconds CPU time and 6.16 seconds elapsed. This presumably reflects the overhead of starting the JVM. There was only one CPU online, so any runtime overhead after the program records the start time will be reflected in the score. Java GC etc. threads could not run in parallel on another CPU and accumulate CPU time without slowing the main program. This startup overhead should be less significant for longer running programs.

Conclusion

Java on z/OS is not slow. It can match C++ for speed, to the point where the selection of algorithms and data structures is more important than the language itself. Java deserves to be considered a high performance language on z/OS, as much as C++ or COBOL. There is one caveat: there is significant overhead starting the JVM, so it might not be a good choice for small programs that run very frequently.

Java’s reputation for being slow probably comes from the ease of combining existing components into very large applications, where the programmer may not even be aware of the size of what they have built.

Many z/OS systems have general purpose CPs running less than full speed to reduce software bills. If you have zIIPs running full speed, Java might actually be the fastest language on your system by a fair margin, with the bonus that the Java work probably doesn’t contribute to software costs.

Dave’s Videos

Here are direct links to the first 2 of Dave Plummer’s Software Drag Racing videos:

Loading data 10 times faster using z/OSMF

March 23, 2021 by Andrew

EasySMF can now load SMF data using the z/OSMF Dataset and File REST API.

The z/OSMF REST API uses HTTPS instead of FTP so it is a good option for sites that don’t want to use FTP. HTTPS works better with firewalls because it uses a single port instead of separate control and data connections used by FTP.

z/OSMF will compress the data for transfer. If the connection is bandwidth-limited, that can make loading SMF data up to 10 times faster.

Limitations

z/OSMF cancels the REST API task if it hasn’t completed after approximately 15 minutes. This limits the amount of data that can be transferred. However, with 10 times faster data transfer, that could be the equivalent of over 2 hours transfer time using FTP.

Hopefully IBM will relax this limitation in the future.

The Easy Way to View zERT SMF Data

March 23, 2021 by Andrew

Are all my z/OS TCP/IP connections encrypted?
How do I know what level of TLS is being used?
Which TCP/IP clients or servers are using insecure ciphers?

zERT – the z/OS Encryption Readiness Technology is designed to answer these questions.

zERT is a function of TCP/IP on z/OS. It collects information about cryptographic security attributes of TCP/IP connections and writes it to SMF. IBM provides some free zERT reports in z/OSMF, but the data needs to be loaded into DB2 before you can view the reports.

EasySMF allows you to view zERT SMF reports without DB2.

zERT can produce 2 types of records – Connection Detail and Aggregation. Like z/OSMF, EasySMF reports on zERT Aggregation records: SMF type 119 subtype 12.

zERT Aggregation records contain similar information to the zERT Connection Detail records, but information for multiple connections with the same security characteristics are combined. This reduces the number of records generated.

The aggregation records still break the information down to the IP address and port level, but they combine information from multiple connections with the same security settings from the same client.

Finding the Important Information

Even using aggregation records, zERT reports have a lot of information. Records are produced for each client connecting to TCP/IP. Most of these records are not interesting. The entries you probably want to see are connections with specific security attributes, e.g. insecure ciphers or old TLS versions.

EasySMF makes it easy to find the important entries. EasySMF groups connections by security attributes and server port.

Here we can see there are multiple clients connecting to FTP and z/OSMF using TLS V1.0.

We can filter the report to show only the TLS 1.0 entries, and expand the groups to show the individual client addresses. To save the report data, you can export it to Excel or in CSV format.

Filtering and expanding groups to view individual clients

zERT is a very useful facility to help you secure your z/OS system. Download a 30 day trial of EasySMF and see how EasySMF can help you interpret your zERT data.