The reason we need to secure and restrict Java arguments is that malware is increasing in its sophistication and in its ability to leverage weaknesses. One of the main weaknesses being exploited is executable frameworks (e.g. Java, Python) that allow JIT (Just In Time) code execution and can run on multiple operating systems. As a result, more malware is being built to execute on these frameworks. Some examples:
- Java Malware Becomes a Cross-Platform Threat
- Write Once, Infect Anywhere or The Rise of the Cross-Platform Malware
So how do you secure yourself against these threats? Currently the best method is to remove Java, but if removal is not an option, regular patching is recommended. Patching provides protection against known remote vulnerabilities but doesn't protect against unknown vulnerabilities or Java code being executed locally.
Today we are going to focus on securing against Java code being executed locally by restricting the arguments / parameters used to execute java. The same approach could be used for java or any other executable that you only need for a specific list of commands, where you want to prevent unapproved code (such as malware) from executing on these frameworks.
This makes sense when you only need java for a number of known cases whose parameters you can add to the whitelist, such as: java example.jar
Restrict Java Arguments for Linux:
This method works by having an executable that reads a whitelist of acceptable commands and only runs a command if it is on the whitelist. Below is a working implementation of restricting java by arguments.
STEP 1:
Download and install the program. The v1.0 binaries can be downloaded here; otherwise you can download and compile the source code.
STEP 2:
Copy all the files to /usr/bin/whitelist/ and either run install.sh or manually:
- In /usr/bin/whitelist/, create a symbolic link named after each executable to be restricted, pointing to /usr/bin/whitelist/whitelist
- Move whitelist.txt to /etc/whitelist.txt
STEP 3:
Next we will need to restrict direct access to the normal executable using AppArmor (Linux). Create the apparmor.d profiles:
#/etc/apparmor.d/usr.bin.java
/usr/lib/jvm/java-[1-9]-openjdk-amd64/jre/bin/java {
}

#/etc/apparmor.d/usr.bin.whitelist.whitelist
#include <tunables/global>
/usr/bin/whitelist/whitelist {
  #include <abstractions/base>
  /** r,
  /usr/lib/jvm/java-[1-9]-openjdk-amd64/jre/bin/java ix,
}
STEP 4:
Update the whitelist.txt (changes will require re-running the install.sh step):
...
e.g.
/usr/bin/java java -version
STEP 5:
Check the java command:
$ java -version
java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
STEP 6:
Update the PATH to use the whitelist command for one session:
$ PATH=/usr/bin/whitelist:$PATH
OR update the PATH globally:
$ sudo cp /etc/environment /etc/environment_backup
$ echo "PATH=\"/usr/bin/whitelist:$PATH\"" | sudo tee /etc/environment > /dev/null
STEP 7:
Then check the java command again:
$ java -version
Whitelist command found.
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-0ubuntu4~16.04.1-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
SUCCESS!
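The whitelist check used in the steps above, written out as an added example in C; it is not the source code of the tool downloaded in Step 1. It assumes each /etc/whitelist.txt line has the form shown in Step 4 (real executable path, then the exact command line) and that the file fits in 64 KiB; entry_matches and whitelist_match are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if the command part of an entry ("java -version", length n) lists
 * exactly the invoked argv. Comparing token by token means an argument that
 * contains spaces can never pass as several whitelisted tokens. */
static int entry_matches(const char *cmd, size_t n, int argc, char **argv) {
    int i = 0;
    for (size_t pos = 0; pos < n; ) {
        size_t tok = 0;
        while (pos + tok < n && cmd[pos + tok] != ' ') tok++;
        if (tok > 0) {
            const char *arg = (i < argc) ? argv[i] : NULL;
            /* argv[0] arrives via the symlink, so compare its basename only */
            if (arg && i == 0 && strrchr(arg, '/')) arg = strrchr(arg, '/') + 1;
            if (!arg || strlen(arg) != tok || memcmp(arg, cmd + pos, tok) != 0) return 0;
            i++;
        }
        pos += tok + 1;
    }
    return i == argc;   /* extra trailing arguments are a mismatch */
}

/* Scans the whitelist text line by line (assumed format: "<real path> <command>").
 * On an exact match copies the real path into target and returns 1, else 0. */
int whitelist_match(const char *list, int argc, char **argv, char *target, size_t cap) {
    for (const char *line = list; argc > 0 && *line; ) {
        size_t n = strcspn(line, "\n");
        const char *sp = memchr(line, ' ', n);
        size_t plen = sp ? (size_t)(sp - line) : 0;
        if (plen > 0 && plen < cap && entry_matches(sp + 1, n - plen - 1, argc, argv)) {
            memcpy(target, line, plen);
            target[plen] = '\0';
            return 1;
        }
        line += n + (line[n] == '\n');
    }
    return 0;
}

int main(int argc, char **argv) {
    static char list[65536], target[4096];
    FILE *f = fopen("/etc/whitelist.txt", "r");   /* location from Step 2 */
    size_t got = f ? fread(list, 1, sizeof list - 1, f) : 0;
    if (f) fclose(f);
    list[got] = '\0';
    if (!whitelist_match(list, argc, argv, target, sizeof target)) return 126; /* not listed: refuse */
    execv(target, argv);   /* replaces this process; returns only on failure */
    perror(target);
    return 127;
}
```

A missing or unreadable whitelist leaves the list empty, so every command is refused rather than allowed.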
This approach can also be applied to restricting other frameworks by their parameters. It is not the only way to restrict a process, but it is good for situations where it is easier to know and control the parameters than to apply other restrictions. Some other ways to restrict resources for a process include using Sandboxie / AppArmor / SELinux or creating a specific script to restrict access. Each comes with its own advantages and disadvantages depending on your specific situation. This type of parameter restriction also works on Windows, but due to differences in the kernel and process restrictions (AppLocker vs AppArmor) it is a different solution.
Vertex Technologies Pty Ltd can provide customised security solutions and security consulting to meet your specific situation. Contact Vertex Cyber Security today.