SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 93

changes.mady.by.user Brendan Saulsbury

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Java provides several APIs that allow outside external programs to monitor a running Java program. These APIs also permit the Java program to be monitored remotely by programs on distinct hosts. Such features are handy convenient for debugging the program , or fine-tuning its performance. However, if a Java program is deployed in production with remote monitoring enabled, an attacker can connect to the Java Virtual Machine (JVM) and inspect its behavior and data, including potentially sensitive information. An attacker can also exert some control over the program's behavior. Consequently, remote monitoring must be disabled when running a Java program in production.

JVM Tool Interface (JVMTI)

Wiki MarkupJava 5 introduced the JVM Tool Interface (JVMTI) \ [[Sun 04d|AA. Bibliography#Sun 04d]\], replacing both the JVM Profiler Interface (JVMPI) and the JVM Debug Interface (JVMDI), which are now deprecated.

The JVMTI contains extensive facilities to find out learn about the internals of a running JVM, including facilities to monitor and modify a running Java program. These facilities are rather low - level and require the use of the Java Native Interface (JNI) and C Language language programming. However, they provide the opportunity to access fields that would not normally be accessibleinaccessible. Also, there are facilities that can change the behavior of a running Java program (for example, threads can be suspended or stopped). The JVMTI profiling tools can also measure the time that a thread takes to execute, leaving applications vulnerable to timing attacks.

The JVMTI works by using agents that communicate with the running JVM. These agents must be loaded at JVM startup and are usually specified via one of the command-line options {{–agentlib:}} or {{–agentpath:}} -agentlib or -agentpath. However, agents can be specified in environment variables, although this feature can be disabled where security is a concern. The JVMTI is always enabled, and JVMTI agents may run under the default security manager without requiring any permissions to be granted.

Java Platform Debugger Architecture (JPDA)

...

The Java Platform Debugger Architecture (JPDA) builds on the JVMTI and provides high-level facilities for debugging Java systems while they are running \[ [JPDA 2004|AA. Bibliography#JPDA 2004]\]. ].

The JPDA The JDPA facilities are similar to the reflection API, which is described in rule SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields. In particular, the JPDA provides methods to get and set field and array values. Access control is not enforced, so , for example, even the values of private fields can be set by a remote process via the JPDA.

Introducing the default security manager means that various Various permissions must be granted in order for debugging to take place under the default security manager. The following policy file was used to run the JPDS JPDA Trace demonstration under the default security manager:

Code Block

grant {
  permission java.io.FilePermission "traceoutput.txt", "read,write";
  permission java.io.FilePermission "C:/Program Files/Java/jdk1.5.0_04/lib/tools.jar", "read";
  permission java.io.FilePermission "C:/Program", "read,execute";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.lang.RuntimePermission "loadLibrary.dt_shmem";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.net.SocketPermission "<localhost>", "resolve";
  permission com.sun.jdi.JDIPermission "virtualMachineManager";
};

Because JPDA supports remote debugging, a remote host can access the debugger. An attacker can exploit this feature to study sensitive information or modify the behavior of a running Java application unless appropriate protection is enabled. A security manager can ensure that only known, trusted hosts are given permissions to use the debugger interface.

Java SE Monitoring and Management

...

Features

Java contains extensive facilities for monitoring and managing a JVM [JMX 2006]. In particular, the Java Management Extension (JMX) API enables the monitoring and control of class loading, thread state and stack traces, deadlock detection, memory usage, garbage collection, operating system information, and other operations [Sun 04a]. It also has facilities for logging monitoring and Wiki MarkupJava contains extensive facilities for monitoring and managing a JVM \[[JMX 2006|AA. Bibliography#JMX 2006]\]. In particular, the Java Management Extension (JMX) API enables the monitoring and control of class loading, thread state and stack traces, deadlock detection, memory usage, garbage collection, operating system information, and other operations \[[Sun 04a|AA. Bibliography#Sun 04a]\]. There are also facilities for logging monitoring and management.

The Java SE Monitoring monitoring and Management management features fall into four broad categories:

  • The Java Management Extensions ( JMX ) technology: This technology serves as the underlying interface for local and remote monitoring and management.
  • Instrumentation for the Java Virtual Machine ( JVM): These facilities enable out-of-the-box monitoring and management of the JVM and are based on the JMX specification.
  • Monitoring and Management Application Programming Interfaces (management API): These facilities use the the java.lang.management package  package to provide the monitoring and management interface. Applications can use this package to monitor themselves or to let JMX technology compliant technology–compliant tools to monitor and manage them.
  • Monitoring and Management management tools: Tools such as Jconsole JConsole implement the JMX interface to provide monitoring and management facilities.

These facilities can be used either locally (from on the machine that runs the JVM) or remotely. Local monitoring and management is enabled by default when a JVM is started; remote monitoring and management is not. For a JVM to be monitored and managed remotely, it must be started with various system properties set (either on the command line or in a configuration file).unmigrated-wiki-markup

When remote monitoring and management is enabled, access is password-controlled by default. However, password control can be disabled. Disabling password authentication is insecure because any user who can discover the port number that the JMX service is listening on can monitor and control the Java applications running on the JVM \ [[JMXG 2006|AA. Bibliography#JMXG 06]\].

Wiki MarkupThe JVM Remote remote monitoring and management facility uses a secure communication channel (Secure Sockets Layer [SSL]) by default. However, if an attacker can start a bogus RMI registry on the monitored machine before the legitimate RMI registry is started, JMX passwords can be intercepted. Also, SSL can be disabled when using remote monitoring and management which could, again, compromise security. See The Java SE Monitoring and Management Guide \[[JMXG 2006|AA. Bibliography#JMXG 06]\] for further details and for avoidance remote method invocation (RMI) registry server on the monitored machine before the legitimate RMI registry server is started, JMX passwords can be intercepted. Also, SSL can be disabled when using remote monitoring and management, which could, again, compromise security. See The Java SE Monitoring and Management Guide [JMXG 2006] for further details and for mitigation strategies.

There are also provisions to require proper authentication of the remote server. However, users may start a JVM with remote monitoring and management enabled , but with no security, and ; this would leave the JVM open to attack from by outsiders. Although a user could not easily turn on accidentally enabling remote monitoring and management by accidentis unlikely, they users might not realize that starting a JVM so enabled, without any security also switched on, could leave their JVM exposed to outside abuseattack.

If exploited, the monitoring and management facilities can seriously compromise the security of Java applications. For example, an attacker can obtain information about the number of classes loaded and threads running, thread state along with traces of live threads, system properties, VM virtual machine arguments, and memory consumption.

...

In this noncompliant code example, the JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command-line options, options -agentlib or  or -agentpath. In the following command, libname is the name of the library to load while options are passed to the agent on startup.

Code Block
bgColor#FFcccc

// "libname" is the name of the library to load, or an absolute library path
// "options" are passed to the agent on start-up
$${JDK_PATH}/bin/java -agentlib:libname=options ApplicationName

Wiki Markup
Some JVMs allow agents to be started when the JVM is already running. This is insecure in a production environment. Refer to the JVMTI documentation \[[JVMTI 2006|AA. Bibliography#JVMTI 06]\] for platform-specific information on enabling/disabling this feature.

Some JVMs allow agents to be started when the JVM is already running. This practice is insecure in a production environment. Refer to the JVMTI documentation [JVMTI 2006] for platform-specific information on enabling/disabling this feature.

Platforms that support environment variables allow agents to be specified in such variables. "Platforms may disable this feature in cases where security is a concern; for example, the Reference Implementation disables this feature on UNIX systems when the effective user or group ID differs from the real ID" [JVMTI 2006] Wiki MarkupPlatforms that support environment variables allow agents to be specified in such variables. "Platforms may disable this feature in cases where security is a concern; for example, the Reference Implementation disables this feature on UNIX systems when the effective user or group ID differs from the real ID" \[[JVMTI 2006|AA. Bibliography#JVMTI 06]\].

Agents may run under the default security manager without requiring any permissions to be granted. While Although the JVMTI is useful for debuggers and profilers, such levels of access are inappropriate for deployed production code.

...

This noncompliant code example uses command-line arguments to invoke the JVM so that it can be debugged from a running debugger application by listening for connections using shared memory at transport address address mysharedmemory.:

Code Block
bgColor#FFcccc

${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_shmem,
    address=mysharedmemory ApplicationName

Likewise, the command-line arguments -Xrunjdwp, (which is equivalent to to -agentlib, and ) and -Xdebug, (which is used by the jdb tool, command line arguments the jdb tool) also enable application debugging.

...

This noncompliant code example invokes the JVM with command-line arguments that permit remote monitoring via port 8000. This invocation may result in a security  vulnerability when the password is weak or the SSL protocol is misapplied.

Code Block
bgColor#FFcccc

${JDK_PATH}/bin/java
    -Dcom.sun.management.jmxremote.port=8000 ApplicationName

...

This compliant solution starts the JVM without any agents enabled. Avoid using the the the -agentlib, -Xrunjdwp and , and -Xdebug command  command-line arguments on production machines. This compliant solution also installs a the default security manager for good measure.

Code Block
bgColor#ccccff

${JDK_PATH}/bin/java -Djava.security.manager ApplicationName

Clear the environment variable variable JAVA_TOOL_OPTIONS in  in the manner appropriate for your platform, for example, by setting it to an empty string value. This Doing prevents JVMTI agents from receiving arguments via this routemechanism. The command-line argument argument -Xnoagent can  can also be used to disable the debugging features supported by the old Java debugger (oldjdb).

This compliant solution disables monitoring by remote machines. By default, local monitoring is enabled in Java 6 and later. In earlier versions, the system property property com.sun.management.jmxremote had to  must be set to enable local monitoring. Although the unsupported unsupported -XX:+DisableAttachMechanism command  command-line option may be used to disable local Java tools from monitoring the JVM, it is always possible to use native debuggers and other tools to perform monitoring. Fortunately, monitoring tools require at least as many privileges as the owner of the JVM process possesses, reducing the threat of a local exploitation through privilege escalation attack.

Local monitoring uses temporary files and sets the file permissions to those of the owner of the JVM process. Ensure that adequate file protection is in place on the system running the JVM so that the temporary files are accessed appropriately . See rule (see FIO03-J. Remove temporary files before termination for  for additional information).

Wiki MarkupThe Java SE Monitoring and Management Guide \[[JMXG 2006|AA. Bibliography#JMXG 06]\] provides further The Java SE Monitoring and Management Guide [JMXG 2006] provides further advice:

Local monitoring with with jconsole is  is useful for development and prototyping. Using Using jconsole locally  locally is not recommended for production environments because because jconsole itself  itself consumes significant system resources. Rather, use use jconsole on  on a remote system to isolate it from the platform being monitored.

Moving Moving jconsole to  to a remote system removes its system resource load from the production environment.

Noncompliant Code Example (

...

Remote Debugging)

Remote debugging requires the use of sockets as the transport (transport=dt_socket). Remote debugging also requires specification of the type of application (server=y, where where y denotes  denotes that the JVM is the server and is waiting for a debugger application to connect to it) and the port number to listen on (address=9000).

Code Block
bgColor#FFcccc

${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket, 
    server=y,address=9000 ApplicationName

Remote debugging is dangerous because an attacker can spoof the client IP address and connect to the JPDA host. Depending on the attacker's position in the network, they he or she could glean extract debugging information by sniffing the network traffic that the JPDA host sends to the forged IP address.

Compliant Solution (

...

Remote Debugging)

Restrict remote debugging to trusted hosts by modifying the security policy file to grant appropriate permissions only to those trusted hosts. For example, specify the permission permission java.net.SocketPermission for  for only the JPDA host and remove the permission from other hosts.

The JPDA host can serve either as a server or as a client. When the attacker cannot sniff the network to determine the identity of machines that use the JPDA host (for example, through the use of a secure channel), prefer specifying specify the JPDA host as the client and the debugger application as the server by changing the value of the the server argument to  argument to n.

This compliant solution allows the JPDA host to attach to a trusted debugger application. :

Code Block
bgColor#ccccff

${JDK_PATH}/bin/java -agentlib:jdwp=transport=dt_socket, 
    server=n,address=9000 ApplicationName

When it is necessary to run a JVM with debugging enabled, avoid granting permissions that are not needed by the application. In particular, avoid granting socket permissions to arbitrary hosts, ; that is, omit the permission permission java.net.SocketPermission "*", "connect,accept".

Exceptions

ENV05-J-EX0: A  A Java program may be remotely monitored using any of these technologies if it can be guaranteed that no program outside the local trust boundary can access the program. For example, if the program lives on a local network that is both completely trusted and disconnected from any larger untrusted networks, including the Internet, then remote monitoring is permitted.

...

Deploying a Java application with the JVM Tool InterfaceJVMTI, JPDJPDA, or remote monitoring enabled can allow an attacker to monitor or modify its behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV05-J

high High

probable Probable

low Low

P18

L1

Automated Detection

Not amenable This rule is not amenable to automated static analysis.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2cc7c01e-b3ee-4e51-a855-5b5f1d166944"><ac:plain-text-body><![CDATA[

[[JMX 2006

AA. Bibliography#JMX 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="beca10c6-b531-493c-9134-45bf981e72c7"><ac:plain-text-body><![CDATA[

[[JMXG 2006

AA. Bibliography#JMXG 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="970fe8f5-ecaf-4e2a-952d-816d7a2f98db"><ac:plain-text-body><![CDATA[

[[JPDA 2004

AA. Bibliography#JPDA 04]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ecaae9c7-3ea3-469e-86e4-e820a65e4e21"><ac:plain-text-body><![CDATA[

[[JVMTI 2006

AA. Bibliography#JVMTI 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9e786b72-d07a-4309-9675-ed1460c63555"><ac:plain-text-body><![CDATA[

[[Long 2005

AA. Bibliography#Long 05]]

Section 2.6, The JVM Tool Interface, Section 2.7, Debugging, Section 2.8, Monitoring and Management

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b158da4c-4880-4170-8420-99da9082bad3"><ac:plain-text-body><![CDATA[

[[Reflect 2006

AA. Bibliography#Reflect 06]]

[Reflection

http://java.sun.com/javase/6/docs/technotes/guides/reflection/index.html], Sun Microsystems, Inc. (2006)

]]></ac:plain-text-body></ac:structured-macro>

Related Vulnerabilities

CVE-2010-4495 describes a vulnerability in the TIBCO ActiveMatrix product line in which a flaw in JMX connection processing allowed remote users to execute arbitrary code, cause denial of service, or obtain potentially sensitive information.

Android Implementation Details

JVMTI is not supported on the Dalvik VM.

Bibliography

[JMX 2006]

 

[JMXG 2006]

 

[JPDA 2004]

 

[JVMTI 2006]

 

[Long 2005]

Section 2.6, "The JVM Tool Interface"
Section 2.7, "Debugging"
Section 2.8, "Monitoring and Management"

[Reflect 2006]

Reflection

 

...

Image Added Image Added Image AddedImage Removed      15. Runtime Environment (ENV)      49. Miscellaneous (MSC)