Consider a Java application in a private banking system. A new network administrator is hired, and while going around, he notices that the app is making network calls to an unknown external endpoint. After some investigation, it’s found that this app has been sending for years confidential data to a competitor (or a state, or hackers, whatever). This is awkward. Especially since it could have been avoided. Code reviews are good to improve the hardening of an application, but what if the malicious code was planted purposely? Some code buried in a commit could extract code from binary content, compile it on the fly, and then execute the code in the same JVM run… By default, the JVM is not secured! Securing the JVM for a non-trivial application is complex and time-consuming but the risks of not securing it could be disastrous. In this talk, I’ll show some of the things you could do in an unsecured JVM. I’ll also explain the basics of securing it, and finally demo a working process on how to do it.

1. @nicolas_frankel
SECURING THE JVM
Neither for fun nor for profit,
but do you have a choice?

2. @nicolas_frankel
●
●

3. @nicolas_frankel
●
●

4. @nicolas_frankel
public class Foo {
private String hidden = "This should remain inaccessible!";
}
public class Oops {
public static void main(String[] args) throws Exception {
Foo foo = new Foo();
Class<? extends Foo> clazz = foo.getClass();
Field field = clazz.getDeclaredField( "hidden");
field.setAccessible( true);
Object hidden = field.get(foo);
System. out.println(hidden);
}
}

5. @nicolas_frankel
●
○ java.lang.reflect

6. @nicolas_frankel
●
○
●
○
○
●
●

7. @nicolas_frankel
public class Bar {
private int hidden = 5;
}
public class OopsAgain {
public static void main(String[] args) throws Exception {
Bar bar = new Bar();
Class<? extends Bar> clazz = bar.getClass();
Field field = clazz.getDeclaredField("hidden");
Field type = Field.class.getDeclaredField("type");
AccessibleObject.setAccessible(
new AccessibleObject[] { field, type } , true);
type.set(field, String.class);
field.set(bar, "This should print 5!");
Object hidden = field.get(bar);
System.out.println(hidden);
}
}

8. @nicolas_frankel
●
●
●
●

9. @nicolas_frankel
●
●
●
●
●

10. @nicolas_frankel

11. @nicolas_frankel
Time for DEMO

12. @nicolas_frankel
1.
○
2.
3.
4.
○
5.

13. @nicolas_frankel

14. @nicolas_frankel
●
○
○

15. @nicolas_frankel
●
○
●
○

16. @nicolas_frankel
●
○ java -Djava.security.manager …
●
○ System.setSecurityManager()

17. @nicolas_frankel
●
○
○ ➔
●
○
○ ➔

18. @nicolas_frankel
●
○ -Djava.security.policy==my.policy
●
○ -Djava.security.policy=my.policy

19. @nicolas_frankel

20. @nicolas_frankel
●
●

21. @nicolas_frankel
public class AccessibleObject
implements AnnotatedElement {
public void setAccessible(boolean flag)
throws SecurityException {
SecurityManager sm =
System.getSecurityManager();
if (sm != null)
sm.checkPermission(ACCESS_PERMISSION);
setAccessible0(this, flag);
}
}

22. @nicolas_frankel
☺
•
•
•
•
•
•
•
•
•
•

23. @nicolas_frankel
•
•
•
•
•
•
•
•
•
•
•

24. @nicolas_frankel
grant codebase "file:myjar" {
permission Foo "foo";
permission Bar "bar", "baz";
};

25. @nicolas_frankel
Time for DEMO

26. @nicolas_frankel
@nicolas_frankel #jvm #security

27. @nicolas_frankel
●
●
●