You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 72 Next »

The JVM Tool Interface [[JVMTI 2006]] provides facilities for querying the internals of a JVM and includes methods for monitoring and modifying the behavior of a running Java program. These low level facilities require the use of the Java Native Interface (JNI) and C language programming. The JVM Tool Interface is typically used by development and monitoring tools.

From a security point of view, the JVMTI provides access to fields that are normally inaccessible. The interface also provides facilities for changing the behavior of a running Java program; for example, threads can be suspended or stopped. The JVMTI profiling tools can measure the time that a thread takes to execute, leaving applications vulnerable to timing attacks.

Noncompliant Code Example

In this noncompliant code example, the JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command line options, -agentlib or -agentpath.

// "libname" is the name of the library to load, or an absolute library path
// "options" are passed to the agent on start-up
${JDK_PATH}/bin/java -agentlib:libname=options ApplicationName

Some JVMs allow agents to be started when the JVM is already running. This is insecure in a production environment. Refer to the JVMTI documentation [[JVMTI 2006]] for platform-specific information on enabling/disabling this feature.

Platforms that support environment variables allow agents to be specified in such variables. "Platforms may disable this feature in cases where security is a concern; for example, the Reference Implementation disables this feature on UNIX systems when the effective user or group ID differs from the real ID" [[JVMTI 2006]].

Agents may run under the default security manager without requiring any permissions to be granted. While the JVMTI is useful for debuggers and profilers, such levels of access are inappropriate for deployed production code.

Compliant Solution

Do not start the JVM with any agents enabled on a production machine. This compliant solution removes the -agentlib command line argument and installs a security manager, as required by rule ENV02-J. Create a secure sandbox using a Security Manager.

${JDK_PATH}/bin/java -Djava.security.manager ApplicationName

Clear the environment variable JAVA_TOOL_OPTIONS in the manner appropriate for your platform, for example, by setting it to an empty string value or by {{unset}}ing it. This prevents JVMTI agents from receiving arguments via this route.

Risk Assessment

Deploying a Java application with the JVM Tool Interface enabled can allow an attacker to monitor or modify its behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV07-J

low

unlikely

medium

P2

L3

Automated Detection

Not amenable to automated static analysis.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f92dcabb-df9f-4130-afda-268b1d3092af"><ac:plain-text-body><![CDATA[

[[JVMTI 2006

AA. Bibliography#JVMTI 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fd21a6d2-47be-46e7-bfcf-134551b3e3b7"><ac:plain-text-body><![CDATA[

[[Long 2005

AA. Bibliography#Long 05]]

Section 2.6, The JVM Tool Interface

]]></ac:plain-text-body></ac:structured-macro>


ENV06-J. Provide a trusted environment and sanitize all inputs      15. Runtime Environment (ENV)      ENV08-J. Do not deploy an application that can be accessed using the Java Platform Debugger Architecture

  • No labels