How can one check if a javaagent is injected into the JVM or disable attaching of javagents? I'm trying to prevent my application from being modified at runtime due to security reasons.
I know how to prevent a javaagent from being loaded on startup, but I was unable to figure out a way to prevent the VirtualMachine API from dynamically attaching.
Anyone have ideas?
On HotSpot, you can set -XX:+DisableAttachMechanism and on J9, you can disable attachment via -Dcom.ibm.tools.attach.enable=no but there is no way to disable it for any VM. What you could do would be to instrument any class with a premain(String, Instrumentation method yourself to not be passed an actual instance of the instrumentation interface or null. I would however not recommend it, this would break the attach API's general contract.
However, none of this increases security. An attachment requires that another process with privileges to access your JVM process is running on the same machine. If this is the case and this other process is an attacker, the instrumentation API is the last problem you should worry about. Also, if you maintain a library, your library's user has already full access to your code and the possibility to modify it before running your code.
Therefore, even though can can disable attachment, there is no gain in doing so to "increase security".
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With