Menu
Is it possible to disable instrumentation libraries in a Java application, or to check if any are currently running?
My goal is to prevent users from running instrumentation implementations over my application, for security reasons.
I've come up with a theoretical solution on my own after some experimentation, in which I discovered that the java.class.path system property ends with the path of the -javaagent VM argument jar file, after a path separator character. From this property, I could check if one of the class path attributes is an external jar not specified by my program itself, and then terminate my application if an alien jar is detected.
However, the above approach seems somewhat hacky to me, but I haven't been able to find a way to directly block the -javaagent argument, nor a simple way to detect the instrumentation agent library(ies). Are either of these cleaner alternatives possible?
783
Java agent can also be loaded at runtime:
vm = com.sun.tools.attach.VirtualMachine.attach(pid);
agent = new File("agent.jar");
vm.loadAgent(agent.toString());
vm.detach();
I don't think your code will work in this case.
One can check if attach allowed like so:
SecurityManager sm = System.getSecurityManager();
if (sm != null)
sm.checkPermission(new AttachPermission("attachVirtualMachine"));
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
