<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ENV01-J. Be aware of the JVM Tool Interface - CERT Secure Coding Standards</title>
</head>
<body onload="placeFocus()" id="com-atlassian-confluence">
<div id="PageContent">
<table cellspacing="0" cellpadding="0" width="100%">
<tr>
<td valign="top" width="100%">
<!-- Inner content table -->
<table width="100%" cellpadding="2" cellspacing="0">
<tr>
<td id="mainViewPane">
<div>
<h1>
<a href="/confluence/display/java/ENV01-J.+Be+aware+of+the+JVM+Tool+Interface">ENV01-J. Be aware of the JVM Tool Interface</a>
</h1>
</div>
<div id="content">
<div id="editpage">
<form id="editpageform" name="editpageform" method="post" action="doeditpage.action?pageId=20087903" class="editor">
<div id="wiki-editor">
<!-- template link -->
<!-- content editor -->
<div class="inputSection">
<div id="editorDiv">
<div id="markup" >
<textarea id="markupTextarea" name="content"
cols="80"
rows="30"
tabindex="5" style=""
class="monospaceInput"
>The [JVM Tool Interface (JVMTI)|AA. Java References#JVMTI 06] contains extensive facilities to query the internals of a JVM, including facilities to monitor and modify a running Java program. These low-level facilities require the use of the Java Native Interface (JNI) and C language programming.
The JVMTI provides opportunities to access fields that would normally be inaccessible. It also provides facilities that can change the behavior of a running Java program (for example, threads can be suspended or stopped). Its profiling facilities allow the time that a thread takes to execute to be measured, which can leave applications vulnerable to timing attacks.
h2. Noncompliant Code Example
The JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command-line options {{-agentlib}} or {{-agentpath}}.
{code:bgColor=#FFcccc}
${JDK_PATH}/bin/java -agentlib:libname ApplicationName
{code}
Some JVMs allow agents to be started when the JVM is already running. Also, platforms that support environment variables allow agents to be specified in such variables, although this feature can be disabled where security is a concern. The JVMTI is always enabled by default, and JVMTI agents may run under the default security manager without requiring any permissions to be granted. While JVMTI may be useful for debuggers and profilers, such levels of access may be inappropriate for all users of the system on which the JVM runs.
h2. Compliant Solution
To be compliant, do not start the JVM with any agents enabled.
{code:bgColor=#ccccff}
${JDK_PATH}/bin/java -Djava.security.manager ApplicationName
{code}
Also, it is necessary to disable the environment variable {{JAVA\_TOOL\_OPTIONS}} so that JVMTI agents cannot be specified by this mechanism.
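A launch wrapper that enforces the compliant solution, added here as an example rather than code from the CERT page: it refuses to start the JVM when an agent is requested on the command line or through {{JAVA_TOOL_OPTIONS}}, and unsets that variable for the child process. It assumes the {{JDK_PATH}} placeholder from the page's own command lines and also checks the java.lang.instrument flag {{-javaagent}}, which loads agents on top of JVMTI but is not mentioned above.

```shell
#!/bin/sh
# Added example, not part of the CERT page: a launch wrapper that enforces the
# compliant solution. It refuses to start the JVM if an agent is requested on
# the command line (-agentlib, -agentpath, or the java.lang.instrument flag
# -javaagent, which is also implemented on top of JVMTI) or through
# JAVA_TOOL_OPTIONS, and it unsets that variable for the child process.
# JDK_PATH is the placeholder used in the page's own command lines.

# has_agent_flag ARG... : exit status 0 if any argument would load an agent
has_agent_flag() {
    for arg in "$@"; do
        case "$arg" in
            -agentlib:*|-agentpath:*|-javaagent:*) return 0 ;;
        esac
    done
    return 1
}

# env_requests_agent : exit status 0 if JAVA_TOOL_OPTIONS would load an agent.
# The value is split on whitespace, as the JVM does; quoting inside the value
# is not modelled. Globbing is disabled in the subshell so a "*" in the value
# cannot expand to file names.
env_requests_agent() {
    # shellcheck disable=SC2086
    ( set -f; set -- ${JAVA_TOOL_OPTIONS:-}; has_agent_flag "$@" )
}

# launch_app APP [ARG...] : start the JVM only after both checks pass.
# Returns 2, without starting anything, when an agent was requested.
launch_app() {
    if env_requests_agent; then
        echo "refusing to start: JAVA_TOOL_OPTIONS requests a JVMTI agent" >&2
        return 2
    fi
    if has_agent_flag "$@"; then
        echo "refusing to start: command line requests a JVMTI agent" >&2
        return 2
    fi
    # Close the environment route for the child only, then run with the
    # security manager as the page's compliant solution does.
    ( unset JAVA_TOOL_OPTIONS
      exec "${JDK_PATH:?JDK_PATH must point at the JDK}/bin/java" \
          -Djava.security.manager "$@" )
}
```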
h2. Risk Assessment
Failing to appreciate that a Java application can be monitored and modified via the JVM Tool Interface may lead to an application being deployed that is open to attack from malicious users.
|| Recommendation || Severity || Likelihood || Remediation Cost || Priority || Level ||
| ENV01-J | low | unlikely | medium | {color:green}{*}P2{*}{color} | {color:green}{*}L3{*}{color} |
h3. Automated Detection
TODO
h3. Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+ENV01-J].
h2. References
\[[JVMTI 06|AA. Java References#JVMTI 06]\]
\[[Long 05|AA. Java References#Long 05]\] Section 2.6, The JVM Tool Interface
</textarea>
</div>
</div>
</div>
</div>
</form>
</div>
</div>
</td>
</tr>
</table>
<!-- End inner content table -->
</td>
</tr>
</table>
</div>
<!--BEGIN FOOTER -->
<table border="0" width="100%" cellspacing="0" cellpadding="8" bgcolor="#666666"><tr>
<td width="50%"><img src="https://www.cert.org/cert/images/sei_cmu_logo2.gif" alt="Software Engineering Institute | Carnegie Mellon University" border="0" usemap="#footermap"/>
<map name="footermap" id="footermap">
<area shape="rect" coords="2,2,233,19" href="http://www.sei.cmu.edu/" alt="Software Engineering Institute"/>
<area shape="rect" coords="241,3,341,19" href="http://www.cmu.edu/" alt="Carnegie Mellon University" />
</map>
</td>
<td width="50%" align="right">
<span style="font-size:11px; color:#ffffff; font-family:Verdana">
<a style="color:#ffffff" href="https://www.cert.org/">Home</a> |
<a style="color:#ffffff" href="https://www.cert.org/meet_cert/meetcertcc.html">About</a> |
<a style="color:#ffffff" href="https://www.cert.org/contact_cert/">Contact</a> |
<a style="color:#ffffff" href="https://www.cert.org/faq/cert_faq.html">FAQ</a> |
<a style="color:#ffffff" href="https://www.cert.org/stats/">Statistics</a> |
<a style="color:#ffffff" href="https://www.cert.org/jobs/">Jobs</a> |
<a style="color:#ffffff" href="https://www.cert.org/legal_stuff/">Legal</a> |
<a style="color:#ffffff" href="https://www.securecoding.cert.org/confluence/display/seccode/Terms+and+Conditions">Legal</a>
<br/>
Copyright © 1995-2009 Carnegie Mellon University
</td>
</tr>
</table>
<!--END FOOTER -->
</body>
</html>
|
...