阻止 Java 代理程序而无需重新启动 JVM。

huangapple go评论70阅读模式
英文:

Block java agents without restarting jvm

问题

我需要阻止 Java 代理程序修改或读取 JVM。原因是我有一个安全的启动器系统,用于远程下载应用程序的敏感部分。不幸的是,有人使用了某种类转储工具来下载安全类。我已经进行了一些搜索,发现-XX:+DisableAttachMechanism可以禁止它们连接。问题是我不能重新启动 JVM,或修改启动参数。如果有必要,我可以通过 JNI 进行访问(但仍需要在 Windows、Mac 和 Linux 上兼容)。

英文:

I need to block java agents from modifying or reading the JVM. The reason for this is I have a secure launcher system that remotely downloads sensitive portions of the application. Unfortunately, someone used a class dumper of some sort to download the secure classes. I've done some searching and found -XX:+DisableAttachMechanism should disable them connecting. The issue is I can't restart the jvm, or modify the starting arguments. I do have access to the JNI, if that helps (still need windows, mac, and linux compatibility though).

答案1

得分: 3

很容易在运行时禁用HotSpot动态附加机制 - 您只需删除附加套接字/tmp/.java_pidPID(其中PID是目标进程ID)。如果没有这样的文件,可以通过运行jcmd PID VM.version来首先激活附加机制。

然而,这不太可能有助于防止类被转储。

如果有人可以访问JVM运行的系统,他可能可以在JVM甚至不知情的情况下访问进程的内存。例如,可服务性代理能够在完全不需要JVM协作的情况下读取JVM内存。有关详细信息,请参见这个链接这个链接

这里有一个技巧,可以使使用可服务性代理变得困难,但这仍然不是绝对安全的,只要用户有权限在操作系统级别上访问该进程。

如果您真的想保护好您的JVM进程,您必须使用操作系统的安全功能,包括用户帐户、ACL、权限、cgroups等等。

英文:

It's easy to disable HotSpot dynamic attach mechanism in runtime - you just need to remove the attach socket /tmp/.java_pidPID (where PID is the target process ID). If there is no such file, activate the attach mechanism first by running jcmd PID VM.version.

This is unlikely to help from dumping classes though.

If someone has access to the systems where JVM runs, he can probably access the memory of the process without JVM even knowing about it. For example, Serviceability Agent is able to read JVM memory with no cooperation from JVM at all. See this and this questions for details.

There is a trick to make using Serviceability Agent difficult, but it's still not bullet-proof, as long as a user has permissions to access the process on the OS level.

If you really want to secure your JVM process, you have to do this using OS security features, including user accounts, ACLs, capabilities, cgroups, etc.

huangapple
  • 本文由 发表于 2020年4月9日 03:21:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/61108405.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定