Restrict Java or a process by the arguments


We need to secure and restrict Java arguments because malware is increasing in sophistication and in its ability to leverage weaknesses. One of the main weaknesses being exploited is executable frameworks (e.g. Java, Python) that allow JIT (Just In Time) code execution and can run on multiple operating systems. As a result, more malware is being built to execute on these frameworks. Some examples:

So how do you secure yourself against these threats? Currently the best method is to remove Java, but if removal is not an option, regular patching is recommended. Patching protects against known remote vulnerabilities but not against unknown vulnerabilities or Java code being executed locally.

Today we are going to focus on securing Java code being executed locally by restricting the arguments / parameters used to execute Java. This can be used to secure executable frameworks such as Java, or any other executable that you only need for a specific list of commands, while preventing unapproved code (such as malware) from executing on these frameworks.

This makes sense when you only need Java for a number of known cases whose parameters you can add to the whitelist, such as: java example.jar

Restrict Java Arguments for Linux:

This method works by having an executable that reads a whitelist of acceptable commands and only runs a command if it is on the whitelist. Below is a working implementation of restricting Java by its arguments.

STEP 1:

Download and install the program. The v1.0 binaries can be downloaded here, otherwise you can download and compile the source code.

STEP 2:

Copy all the files to /usr/bin/whitelist/ and either run install.sh or manually:

  1. In /usr/bin/whitelist/, create symbolic links named after each executable to be restricted, pointing to /usr/bin/whitelist/whitelist
  2. Move whitelist.txt to /etc/whitelist.txt

STEP 3:

Next we will need to restrict direct access to the normal executable using AppArmor (Linux). Create the apparmor.d profiles:

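# /etc/apparmor.d/usr.bin.java
# Empty profile: java started directly is granted no access at all.
/usr/lib/jvm/java-[1-9]-openjdk-amd64/jre/bin/java {
}

# /etc/apparmor.d/usr.bin.whitelist.whitelist
#include <tunables/global>

/usr/bin/whitelist/whitelist {
  #include <abstractions/base>

  # Read access everywhere.
  /** r,
  # ix: java started by the wrapper inherits this profile instead of its own.
  /usr/lib/jvm/java-[1-9]-openjdk-amd64/jre/bin/java ix,
}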

STEP 4:

Update whitelist.txt (changes will require re-running the install.sh step):

<absolute executable> <process> <arg1> <arg2> ...

e.g.

/usr/bin/java java -version

STEP 5:

Check the java command (run directly, it should now fail):

$ java -version
java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

STEP 6:

Update the PATH to use the whitelist command for one session:

$ PATH=/usr/bin/whitelist:$PATH

OR update the PATH globally:

$ sudo cp /etc/environment /etc/environment_backup
$ echo "PATH=\"/usr/bin/whitelist:$PATH\"" | sudo tee /etc/environment > /dev/null

STEP 7:

Then check the java command again:

$ java -version
Whitelist command found.
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-0ubuntu4~16.04.1-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

SUCCESS!
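
The matching rule behind the wrapper, as an added example that is not the project's source code: it looks up a requested command line in a whitelist written in the STEP 4 entry format and allows it only when the process name and every argument equal one whole entry. The names whitelist_lookup and WHITELIST_FILE are hypothetical, and denying arguments that contain whitespace is an assumption made because the entry format is space separated.

```shell
#!/bin/sh
# Added example, not the project's code. whitelist_lookup and WHITELIST_FILE
# are hypothetical names; the entry format is the one shown in STEP 4:
#   <absolute executable> <process> <arg1> <arg2> ...

# whitelist_lookup <process> [args...]
# Prints the absolute executable and returns 0 only when the process name and
# every argument equal one whole entry; returns 1 otherwise.
whitelist_lookup() {
    # Entries are whitespace separated, so an empty argument or one containing
    # whitespace cannot match unambiguously: deny it.
    for a in "$@"; do
        case "$a" in ''|*[[:space:]]*) return 1 ;; esac
    done
    wanted="$*"                       # requested command, single-space joined
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f  # split the entry into fields, no globbing
        [ "$#" -ge 2 ] || continue    # need at least executable and process
        exe=$1; shift
        case "$exe" in /*) ;; *) continue ;; esac   # executable must be absolute
        if [ "$*" = "$wanted" ]; then # whole command line, not a prefix
            printf '%s\n' "$exe"
            return 0
        fi
    done < "${WHITELIST_FILE:-/etc/whitelist.txt}"
    return 1
}

# Constructed sample whitelist; the first entry is the page's own example.
WHITELIST_FILE=$(mktemp)
printf '%s\n' '/usr/bin/java java -version' \
    '/usr/bin/java java -jar /opt/app/example.jar' > "$WHITELIST_FILE"

# Constructed requests: one approved, two that only resemble approved entries.
for cmd in 'java -version' 'java -version -jar /tmp/x.jar' 'java -jar /tmp/x.jar'; do
    set -f; set -- $cmd; set +f
    if exe=$(whitelist_lookup "$@"); then
        echo "ALLOW $cmd -> $exe"
    else
        echo "DENY  $cmd"
    fi
done
```

Comparing the whole argument list, instead of a prefix or substring, is what stops an approved entry such as java -version from also admitting the same command with extra arguments appended.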

This approach can also be applied to restricting other frameworks by their parameters. It is not the only way to restrict a process, but it is good for situations where it is easier to know and control the parameters than to apply other restrictions. Other ways to restrict resources for a process include using Sandboxie / AppArmor / SELinux or creating a specific script to restrict access. Each comes with its own advantages and disadvantages depending on your specific situation. This type of parameter restriction also works on Windows, but due to differences in the kernel and process restrictions (AppLocker vs AppArmor) it is a different solution.

You can purchase software support for this solution from Vertex Technologies Pty Ltd. Vertex Technologies Pty Ltd also provide customised security solutions and security consulting to meet your specific situation. Contact Vertex Technologies today.