Preventing java agents from attaching at runtime

Question

Reposting this here as advised by security.stackexchange

How can I prevent Java Agents from attaching to my running java application at runtime?

I am able to prevent users from launching my application with a javaagent at startup by scanning the command line arguments:

List<String> args = ManagementFactory.getRuntimeMXBean().getInputArguments();
for(String arg : args)
{
    if(arg.contains("-javaagent"))
    {
        System.out.println("Detected Java Agent: " + arg);
        logIncident(0x01);
        Runtime.getRuntime().exit(0);
    }
}

However this does not prevent people from attaching at runtime visualvm style.

I heard that you can use the -XX:+DisableAttachMechanism flag to disable this, however when I tried to use jinfo -flag +DisableAttachMechanism <PID> I got an exception telling me that it is not possible to modify this argument at runtime.

Another possibility I considered was modifying the system security manager to disallow all AttachPermission's (I believe that this needs to be allowed for java agents to attach), but I'm not sure where to start.

Would really appreciate any guidance on how to implement the ideas Ive already come up with, as well as suggestions for any new ideas.

Edit: I created a custom security manager to deny all AttachPermissions however it appears to not be triggered in the jar being attached to but rather the agent itself. Now I am looking to enable DisableAttachMechanism at runtime, but I cant seem to find any references to this in OpenJDK source?

Answer 1

Exit if this returns true:

  private static boolean acceptsJavaAgentsAttachingToThisJvm() {
    HotSpotDiagnosticMXBean vm = ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
    VMOption opt = vm.getVMOption("DisableAttachMechanism");
    return "false".equals(opt.getValue()) || opt.isWriteable();
  }

which should defend against casual usecases.