I need to block Java agents from modifying or reading the JVM. The reason for this is I have a secure launcher system that remotely downloads sensitive portions of the application. Unfortunately, someone used a class dumper of some sort to download the secure classes. I've done some searching and found `-XX:+DisableAttachMechanism` should disable them connecting. The issue is I can't restart the JVM, or modify the starting arguments. I do have access to the JNI, if that helps (still need Windows, Mac, and Linux compatibility though).

I-C

1 Answer

It's easy to disable the HotSpot dynamic attach mechanism at runtime: you just need to remove the attach socket `/tmp/.java_pidPID` (where `PID` is the target process ID). If there is no such file, activate the attach mechanism first by running `jcmd PID VM.version`.

This is unlikely to help against dumping classes, though.

If someone has access to the systems where the JVM runs, he can probably access the memory of the process without the JVM even knowing about it. For example, the Serviceability Agent is able to read JVM memory with no cooperation from the JVM at all. See this and this question for details.

There is a trick to make using Serviceability Agent difficult, but it's still not bullet-proof, as long as a user has permissions to access the process on the OS level.

If you really want to secure your JVM process, you have to do this using OS security features, including user accounts, ACLs, capabilities, cgroups, etc.

apangin
  • In regards to removing the file, where would I find this on Windows and Mac? Also, how would I get the current PID? – I-C Apr 09 '20 at 01:50
  • Since the OP says they can't restart the JVM, I'm wondering if they can even prevent that there's an Agent already running… – Holger Apr 09 '20 at 11:39
  • @I-C The same on macOS, except that it has a private temporary directory `$TMPDIR` instead of `/tmp`. Windows is more tricky. There you'll need to overwrite `JVM_EnqueueOperation` function. – apangin Apr 12 '20 at 21:03
  • @Holger A good point. One possible solution would be to replace pointers to all JVM TI functions (that's fairly easy to do). Most agents are helpless without JVM TI. But certainly this is not an ultimate solution, as there are other ways to access loaded classes when hostile code is already running within the target process. – apangin Apr 12 '20 at 21:09
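The socket removal from the answer above, with the macOS `$TMPDIR` detail from apangin's comment, as an added example that is not code from the original post or from apangin. It assumes a JDK 9+ runtime (for `ProcessHandle`) with `jcmd` from the same JDK on `PATH`, and covers Linux and macOS only, since on Windows there is no socket file to delete:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.concurrent.TimeUnit;

/** Closes the dynamic-attach door of the JVM it runs in, as a hardening step. */
public final class AttachHardening {

    /** HotSpot's attach socket: /tmp/.java_pid<PID> on Linux, $TMPDIR/.java_pid<PID> on macOS. */
    static Path attachSocketPath(long pid) {
        String os = System.getProperty("os.name", "").toLowerCase();
        String dir = "/tmp";
        if (os.contains("mac")) {
            String tmp = System.getenv("TMPDIR");
            if (tmp != null && !tmp.isEmpty()) {
                dir = tmp;
            }
        }
        return Paths.get(dir, ".java_pid" + pid);
    }

    /**
     * Makes sure the attach listener is running (so its socket exists), then unlinks the socket.
     * Returns true only if an existing socket was removed; false means the listener never
     * started, so dynamic attach is still possible once a client triggers it later.
     */
    static boolean disableDynamicAttach() throws IOException, InterruptedException {
        long pid = ProcessHandle.current().pid();
        Path socket = attachSocketPath(pid);
        if (!Files.exists(socket)) {
            // As the answer suggests: an attach from a separate jcmd process starts the listener.
            // Assumption: jcmd is on PATH. Output is discarded so the child cannot block on a full pipe.
            Process jcmd = new ProcessBuilder("jcmd", Long.toString(pid), "VM.version")
                    .redirectErrorStream(true)
                    .redirectOutput(ProcessBuilder.Redirect.DISCARD)
                    .start();
            if (!jcmd.waitFor(10, TimeUnit.SECONDS)) {
                jcmd.destroyForcibly();
            }
        }
        // Clients connect by path, so removing the file cuts them off; the listener thread keeps running.
        return Files.deleteIfExists(socket);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("attach socket removed: " + disableDynamicAttach());
    }
}
```

As the answer notes, this only closes the attach socket and does nothing against readers of process memory such as the Serviceability Agent. Recent HotSpot releases can also restart the listener and re-create the socket when a client triggers it again, so verify the effect on the JDK actually in use rather than assuming it holds.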