2

Let's say I'm running a program that contains sensitive information. An attacker decides it'd be the best move to attempt to access the JVM while it's running said program. He decides he wants to analyze the contents of the JVM's memory and change it to suit his nefarious desires. Is this even possible?

hagello
OrangeCalx01
  • Every application is vulnerable to memory injections, if the attacker is really determined and has a lot of time. There is always some new inventive way nobody has thought of before. – The Law Nov 14 '15 at 06:48
  • Is it possible to detect a change to the bytecode (or at least certain sections) from within the program? – OrangeCalx01 Nov 14 '15 at 06:54
  • Most applications (so probably even JVM) have failsafes, that prevent memory tampering and when those failsafes trigger, the runtime is usually terminated with memory violation error or similar. But as I said, hackers are very inventive and always find a way to circumvent those failsafes. That is why working in IT security is a nightmare. – The Law Nov 14 '15 at 06:59
  • 4
    If a hacker has access to a machine that a program is running on, the hacker can, given enough time and perseverance, analyze what the program is doing. It doesn't have anything to do with whether it's running on the JVM or not. Even if the program has measures against this, the hacker could in principle always circumvent those measures. – Jesper Nov 14 '15 at 07:17
  • @TheLaw *"Most applications (so probably even JVM) have failsafes, that prevent memory tampering"*, no, they don't, not against an attacker who already can execute arbitrary code with the user's privileges. – the8472 Nov 14 '15 at 10:50
  • See the [related question](http://stackoverflow.com/questions/32605962/locate-and-read-objects-of-a-specific-type-from-memory-of-a-running-java-program) – apangin Nov 17 '15 at 23:29

2 Answers

1

An attacker with the same privileges as the process in question will always be able, with sufficient effort, to extract or inject any data he wants.

This applies to all software running in a shared security context, not just a JVM.

If we're not talking about strong security but more about hurdles and obfuscation that might slow an attacker down, then the answer is still no: a JVM generally provides lots of introspection and instrumentation interfaces that make it easy to modify it in a safe manner at runtime if you already have access to it.

the8472
0

One possible concrete way: the attacker loads up a native agent via the JVM TI.

Agents run in the same process with and communicate directly with the virtual machine executing the application being examined. This communication is through a native interface (JVM TI). The native in-process interface allows maximal control with minimal intrusion on the part of a tool. Typically, agents are relatively compact. They can be controlled by a separate process which implements the bulk of a tool's function without interfering with the target application's normal execution.

coastalhacking
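
A startup self-check a defender could run for the agent route described in the answer above, as an added example that is not part of the original answers: it lists agents loaded through startup options and reports whether HotSpot's attach mechanism was disabled with `-XX:+DisableAttachMechanism`. The class name and the sample argument list are constructed, and a HotSpot JVM on Java 9 or later is assumed. As the answers say, a check running inside the process is only a hurdle that an attacker with the same privileges can alter.

```java
import com.sun.management.HotSpotDiagnosticMXBean;
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class name; added example, not code from the answers above.
public class AgentExposureCheck {

    // Startup options that load a JVM TI or java.lang.instrument agent.
    private static final String[] AGENT_PREFIXES = {"-agentlib:", "-agentpath:", "-javaagent:"};

    /** Returns the JVM arguments that load an agent at startup. */
    static List<String> agentOptions(List<String> jvmArgs) {
        List<String> hits = new ArrayList<>();
        for (String arg : jvmArgs) {
            for (String prefix : AGENT_PREFIXES) {
                if (arg.startsWith(prefix)) {
                    hits.add(arg);
                    break;
                }
            }
        }
        return hits;
    }

    /** True if HotSpot was started with -XX:+DisableAttachMechanism. */
    static boolean attachDisabled() {
        try {
            HotSpotDiagnosticMXBean bean =
                    ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
            return bean != null
                    && Boolean.parseBoolean(bean.getVMOption("DisableAttachMechanism").getValue());
        } catch (IllegalArgumentException | NoClassDefFoundError e) {
            return false; // not HotSpot, or flag unknown: assume attach is possible
        }
    }

    public static void main(String[] args) {
        // Arguments this JVM was actually started with.
        List<String> startup = ManagementFactory.getRuntimeMXBean().getInputArguments();
        List<String> agents = agentOptions(startup);
        System.out.println("Agents loaded at startup: " + (agents.isEmpty() ? "none" : agents));
        System.out.println("Dynamic attach disabled:  " + attachDisabled());

        // Constructed sample argument list, to show what a hit looks like.
        List<String> sample = List.of("-Xmx512m", "-agentpath:/tmp/libsample.so=opt", "-Dapp.env=prod");
        System.out.println("Sample hit: " + agentOptions(sample));
    }
}
```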