...
Various permissions must be granted for debugging to take place under the default security manager. The following policy file was used to run the JPDA Trace demonstration under the default security manager:
```
grant {
  permission java.io.FilePermission "traceoutput.txt", "read,write";
  permission java.io.FilePermission "C:/Program Files/Java/jdk1.5.0_04/lib/tools.jar", "read";
  permission java.io.FilePermission "C:/Program", "read,execute";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.lang.RuntimePermission "loadLibrary.dt_shmem";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.net.SocketPermission "<localhost>", "resolve";
  permission com.sun.jdi.JDIPermission "virtualMachineManager";
};
```
...
In this noncompliant code example, the JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command-line options `-agentlib` or `-agentpath`. In the following command, `libname` is the name of the library to load, while `options` are passed to the agent on startup.
```
${JDK_PATH}/bin/java -agentlib:libname=options ApplicationName
```
...
This noncompliant code example uses command-line arguments to invoke the JVM so that it can be debugged from a running debugger application by listening for connections using shared memory at transport address `mysharedmemory`.
```
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_shmem,address=mysharedmemory ApplicationName
```
...
This noncompliant code example invokes the JVM with command-line arguments that permit remote monitoring via port 8000. This may result in a security vulnerability when the password is weak or the SSL protocol is misapplied.
```
${JDK_PATH}/bin/java -Dcom.sun.management.jmxremote.port=8000 ApplicationName
```
...
This compliant solution starts the JVM without any agents enabled. Avoid using the `-agentlib`, `-Xrunjdwp`, and `-Xdebug` command-line arguments on production machines. This compliant solution also installs the default security manager.
```
${JDK_PATH}/bin/java -Djava.security.manager ApplicationName
```
...
Remote debugging requires the use of sockets as the transport (`transport=dt_socket`). Remote debugging also requires specification of the type of application (`server=y`, where `y` denotes that the JVM is the server and is waiting for a debugger application to connect to it) and the port number to listen on (`address=9000`).
```
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket,server=y,address=9000 ApplicationName
```
...
This compliant solution allows the JPDA host to attach to a trusted debugger application.
```
${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket,server=n,address=9000 ApplicationName
```
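As an added example (not part of the CERT rule text), the noncompliant and compliant launch lines above turned into a small audit check: it parses a JVM command line and reports ENV05-J findings for the agent, JDWP, JMX and security-manager settings this rule discusses. The `jmxremote.authenticate` and `jmxremote.ssl` properties are standard JDK settings not shown on the page, and the sample command lines are constructed.

```python
import shlex

JMX_PORT = "com.sun.management.jmxremote.port"
# Standard JDK properties (not on the page) that default to true and tighten JMX remote access.
JMX_HARDENING = ("com.sun.management.jmxremote.authenticate", "com.sun.management.jmxremote.ssl")

def parse_jdwp(spec):
    """'transport=dt_socket,server=y,address=9000' -> dict of JDWP agent options."""
    opts = {}
    for item in spec.split(","):
        key, _, value = item.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def audit_jvm_cmdline(cmdline):
    """Return the ENV05-J findings as (flag, reason) pairs for one JVM launch command line."""
    findings = []
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
        elif arg == "-Xdebug" or arg.startswith("-Xrunjdwp"):
            findings.append((arg, "legacy debug flag; not for production machines"))
        elif arg.startswith(("-agentlib:", "-agentpath:")):
            name, _, spec = arg.partition(":")[2].partition("=")
            if name == "jdwp":
                o = parse_jdwp(spec)
                if o.get("transport") == "dt_socket" and o.get("server") == "y":
                    findings.append((arg, "JDWP listens for any remote debugger on " + o.get("address", "?")))
                elif o.get("transport") == "dt_shmem":
                    findings.append((arg, "JDWP shared-memory debug agent enabled"))
                # server=n: the JVM attaches to a trusted debugger, which the rule treats as compliant
            else:
                findings.append((arg, "agent %s loaded at startup" % name))
    if JMX_PORT in props:
        weak = [p for p in JMX_HARDENING if props.get(p, "true").lower() == "false"]
        detail = " with %s disabled" % ", ".join(weak) if weak else ""
        findings.append(("-D%s=%s" % (JMX_PORT, props[JMX_PORT]), "remote JMX monitoring exposed" + detail))
    if "java.security.manager" not in props:
        findings.append(("(no -Djava.security.manager)", "default security manager not installed"))
    return findings

# Constructed sample launch lines mirroring the page's examples (not captured from real processes).
SAMPLES = {
    "shmem": "java -agentlib:jdwp=transport=dt_shmem,address=mysharedmemory App",
    "jmx": "java -Dcom.sun.management.jmxremote.port=8000 -Dcom.sun.management.jmxremote.ssl=false App",
    "listen": "java -agentlib:jdwp=transport=dt_socket,server=y,address=9000 App",
    "attach": "java -Djava.security.manager -agentlib:jdwp=transport=dt_socket,server=n,address=9000 App",
    "clean": "java -Djava.security.manager App",
}
```

Running `audit_jvm_cmdline` over each entry of `SAMPLES` returns an empty list only for the two compliant launch lines.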
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV05-J | high | probable | low | P18 | L1 |
Automated Detection
This rule is not amenable to automated static analysis.
Related Vulnerabilities
CVE-2010-4495 describes a vulnerability in the TIBCO ActiveMatrix product line where a flaw in JMX connection processing allowed remote users to execute arbitrary code, cause a denial of service, or obtain potentially sensitive information.
Android Implementation Details
JVMTI is not supported on the Dalvik VM.