JVM debug connector internals and security

I recently came across the question: Debug a java application without starting the JVM with debug arguments

Reading more about the various connectors and transports offered by JVM at https://docs.oracle.com/javase/7/docs/technotes/guides/jpda/conninv.html, I am now trying to find answers to the below questions:

Docs say that for SADebugServerAttachingConnector and SAPIDAttachingConnector:

The process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp)

So:

1) Why do debug options like Xrunjdwp exist in the first place then?

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

Erric asked Apr 15 '19 18:04



1 Answer

I will focus on the SADebugServerAttachingConnector case.

Here are some more quotes from the Java 11 version of the document you linked to:

SA Debug Server Attaching Connector

This connector can be used by a debugger application to debug a process or core file on a machine other than the machine upon which the debugger is running.

This connector uses RMI to communicate with a 'debug server' running on the remote machine. Before the attach() method on this connector is called, the debug server must be started on the remote machine and told what process or corefile is to be debugged.

A process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp).


1) Why do debug options like Xrunjdwp exist in the first place then?

The SA Debug Server method allows you to debug a Java process where you either didn't want to launch with an agent (e.g. for security reasons), or you didn't have the foresight to do that.

Conversely, the agent approach is for cases where you don't want the hassle of setting up an SA Debug Server to debug your Java app.

It is "horses for courses" ... as they say.

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

Your debugger is using the RMI default port to talk to the SA Debug Server. The SA Debug Server is attaching to the target JVM using a mechanism that is known to the server and the target. It is likely to be an OS-specific mechanism under the hood. For example, on Linux it could use ptrace(2) APIs. Network sockets and ports need not be involved.

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

The documentation states that you need to specifically set up the linkage between the SA Debug Server and the target VM. This is done when you start the SA Debug Server.

OS-level access controls won't allow a non-root SA Debug Server to use (for example) ptrace syscalls to access a Java process belonging to another user / user id. And the OS won't let you start a root SA Debug Server unless you already have root privilege. So there is no escalation of privilege, either in the root or non-root cases.

(Modulo any undisclosed or unpatched OS-level root escalation bugs ... of course.)

Stephen C answered Sep 29 '22 06:09
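
The OS-level check the answer relies on, as an added example that is not part of the original answer or of the JDK: a simplified Python model of the Linux ptrace attach rule, extended beyond the answer's uid case to the Yama ptrace_scope setting. The sample /proc status text and the function names are constructed for illustration; user namespaces and other LSMs such as SELinux are not modelled.

```python
import re

# Constructed sample of /proc/<pid>/status for a JVM owned by uid 1001 (not real output).
SAMPLE_STATUS = (
    "Name:\tjava\nPid:\t4242\nPPid:\t1\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "Gid:\t1001\t1001\t1001\t1001\n"
)

def parse_ids(status_text, field):
    """Return the (real, effective, saved) ids from a 'Uid:' or 'Gid:' line."""
    m = re.search(rf"^{field}:\s+(\d+)\s+(\d+)\s+(\d+)", status_text, re.M)
    if not m:
        raise ValueError(f"no {field} line in status text")
    return tuple(int(x) for x in m.groups())

def may_attach(caller_uid, caller_gid, status_text, *, yama_scope=0,
               cap_sys_ptrace=False, is_descendant=False, dumpable=True):
    """Simplified model of the kernel's ptrace attach decision: (allowed, reason).

    yama_scope mirrors /proc/sys/kernel/yama/ptrace_scope (0 to 3).
    is_descendant also stands for a tracer declared with PR_SET_PTRACER.
    """
    if yama_scope == 3:
        return False, "yama scope 3: attach disabled for everyone"
    if cap_sys_ptrace:
        return True, "caller holds CAP_SYS_PTRACE"
    # Without the capability, the caller's real ids must equal all three target ids.
    if any(u != caller_uid for u in parse_ids(status_text, "Uid")):
        return False, "uid mismatch: target belongs to another user"
    if any(g != caller_gid for g in parse_ids(status_text, "Gid")):
        return False, "gid mismatch"
    if not dumpable:
        return False, "target is not dumpable"
    if yama_scope == 2:
        return False, "yama scope 2: CAP_SYS_PTRACE required"
    if yama_scope == 1 and not is_descendant:
        return False, "yama scope 1: target is not a descendant of the caller"
    return True, "same user, classic ptrace rules"

if __name__ == "__main__":
    # An unprivileged debug server (uid 1000) against another user's JVM, then the owner.
    print(may_attach(1000, 1000, SAMPLE_STATUS))
    print(may_attach(1001, 1001, SAMPLE_STATUS, yama_scope=1))
```

On a live host the inputs come from /proc/<pid>/status and /proc/sys/kernel/yama/ptrace_scope.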