Several questions about JEP 486

Lim lim.chainz11+mailing at gmail.com
Thu Oct 3 10:30:11 UTC 2024


Hi, I have some questions about this JEP.


Will something similar to Python's audit hooks [1][2] be considered, to
give transparency into what is happening inside, so that JVM behavior can
be monitored, for example by a security agent (which can interact with
the Antimalware Scan Interface (AMSI) [3])?
Currently, without using JFR, all the operations in the JDK are
essentially a black box.

[1] https://peps.python.org/pep-0578/
[2] https://docs.python.org/3/library/audit_events.html#audit-events
[3] https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

Again, this is not sandboxing as in the "Handler API" described in the
alternatives section of the JEP.

I know that JFR has some file/network events, but its coverage is limited
and its events are delayed, which makes it unsuitable for auditing in
this context. See
https://mail.openjdk.org/pipermail/hotspot-jfr-dev/2021-May/002714.html
for the discussion.



Secondly, historically, in the applet era, it was possible to disallow
unsigned jars from running.

On centrally managed devices, while Java is installed system-wide on
developers' machines, management only allows signed jars to be executed.
While AppLocker [4]/SRP can restrict the java executable itself from
running, it does not know whether the jar being executed is signed.

Other languages such as PowerShell can be configured to allow only signed
scripts to run [5][6]; see [7] for a signing example.
Will the ability for the default java[w] launcher to restrict jars from
executing be available for this scenario?

[4] https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview#app-control-for-business
[5] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4#-executionpolicy
[6] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.4#to-permit-signed-scripts-to-run
[7] https://adamtheautomator.com/how-to-sign-powershell-script/



Thirdly, the appendix section advises using an agent to modify classes
that call System::exit.

There are libraries that perform DRM checks at runtime to enforce certain
restrictions, such as licensing checks, and that deliberately crash if an
agent is found or if their classes have been tampered with by the agent.
(These checks can also be added by an obfuscator.)

How does one handle such cases?
Will the JDK offer a way to hide all the loaded agents, or do I need to
start modifying System::exit instead if this is the case?


Thank you.


More information about the security-dev mailing list
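Added example, not from the original post or from the JDK: what the
Python audit-hook mechanism cited in [1][2] gives a monitoring agent,
in runnable CPython. One hook records the events of interest and, as a
policy decision, refuses subprocess.Popen for programs on a deny-list.
The deny-list, the choice of watched events and the helper names are this
example's own assumptions, not anything defined by PEP 578.

```python
"""Audit hooks as a monitoring surface (added example; CPython, PEP 578).

A hook installed with sys.addaudithook is called synchronously for every
audited operation. It cannot be removed once added, so it must be cheap
and must not itself perform audited operations (no writing log files from
inside the hook). Raising inside the hook aborts the operation.
"""
import os
import subprocess
import sys
import tempfile

# CPython event names we watch; "open" is (path, mode, flags),
# "subprocess.Popen" is (executable, args, cwd, env), "socket.connect" is (socket, address).
WATCHED = {"open", "subprocess.Popen", "socket.connect"}
DENIED_EXECUTABLES = {"nc", "ncat", "curl", "wget"}   # constructed deny-list, hypothetical

audit_log = []   # (event, detail-dict) appended by the hook; an agent would ship these


def program_name(executable, argv):
    """Best-effort program name; CPython passes executable=None on some platforms."""
    if executable is None:
        executable = argv[0] if isinstance(argv, (list, tuple)) and argv else argv
    return os.path.basename(os.fsdecode(executable)) if executable else ""


def summarize(event, args):
    """Reduce the raw audit arguments to the fields worth recording."""
    if event == "open":
        return {"path": args[0], "mode": args[1]}
    if event == "subprocess.Popen":
        return {"program": program_name(args[0], args[1]), "argv": args[1]}
    if event == "socket.connect":
        return {"address": args[1]}
    return {"args": args}


def audit_hook(event, args):
    if event not in WATCHED:
        return
    detail = summarize(event, args)
    audit_log.append((event, detail))
    # Policy: raising here aborts the spawn before any fork/exec happens.
    if event == "subprocess.Popen" and detail["program"] in DENIED_EXECUTABLES:
        raise RuntimeError(f"audit policy: spawning {detail['program']!r} is denied")


sys.addaudithook(audit_hook)   # permanent for this interpreter


def record(func):
    """Run func and return only the events raised while it ran."""
    start = len(audit_log)
    func()
    return audit_log[start:]


def spawn_checked(argv):
    """Spawn argv; report 'blocked' (hook refused), 'ran', or 'missing' (no such program)."""
    try:
        subprocess.run(argv, capture_output=True, check=False)
    except RuntimeError as exc:
        if str(exc).startswith("audit policy"):
            return "blocked"
        raise
    except FileNotFoundError:
        return "missing"
    return "ran"


def demo_file_open():
    """Write a temp file and return the 'open' events that named it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "note.txt")
        events = record(lambda: open(path, "w").close())
    return [detail for event, detail in events if event == "open" and detail["path"] == path]


def demo_spawn_allowed():
    """A child interpreter is not on the deny-list, so it runs."""
    return spawn_checked([sys.executable, "-c", "pass"])


if __name__ == "__main__":
    print(demo_file_open())
    print(spawn_checked(["nc", "-l", "4444"]), demo_spawn_allowed())
```

Two properties of this design matter for the comparison with the JVM:
the hook sees the operation before it happens and can veto it, and the
events are raised by the runtime itself rather than sampled later, which
is the gap JFR leaves. It is transparency, not a sandbox: code that
already runs native code in the process can bypass it, as PEP 578 notes.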
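Added example, not from the original post, the JDK or any launcher: what
a launcher-side "only signed jars may run" gate has to look at. The
Python below inspects a jar's signing structure (META-INF/MANIFEST.MF,
the .SF signature files and the matching .RSA/.DSA/.EC signature blocks)
and reports the entries that no signature file covers, which is how a
partially signed jar slips past a naive "is there an .RSA file" check.
It deliberately does not verify any signature; that cryptographic step is
delegated to jarsigner -verify -strict. The sample jars are constructed
in memory with a placeholder signature block, and the function names are
this example's own.

```python
"""Structural check of jar signing metadata (added example, not JDK code).

A signed jar carries META-INF/MANIFEST.MF (a digest per entry), META-INF/<ALIAS>.SF
(a digest per manifest section) and a block META-INF/<ALIAS>.RSA|DSA|EC that signs
the .SF. Anyone can drop a fake .SF/.RSA pair into a jar, so jar_signing_status()
is a pre-check only; trust requires verify_with_jarsigner() or JarFile verification.
"""
import base64
import hashlib
import io
import re
import shutil
import subprocess
import zipfile

BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def is_signature_related(name):
    """META-INF files that the JAR spec excludes from signing coverage."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    tail = upper[len("META-INF/"):]
    return tail == "MANIFEST.MF" or tail.startswith("SIG-") or tail.endswith((".SF",) + BLOCK_SUFFIXES)


def parse_sections(data):
    """Split a manifest-format file into header dicts, joining continuation lines."""
    text = re.sub(r"\r?\n ", "", data.decode("utf-8"))   # continuation = newline + one space
    sections = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        headers = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        sections.append({k.strip(): v.strip() for k, v in headers.items()})
    return sections


def jar_signing_status(jar):
    """Return {'status', 'signers', 'unsigned_entries'} for a jar path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        blocks = {n.rsplit(".", 1)[0].upper() for n in names
                  if n.upper().startswith("META-INF/") and n.upper().endswith(BLOCK_SUFFIXES)}
        signers, covered = [], set()
        for sf in (n for n in names if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")):
            has_block = sf.rsplit(".", 1)[0].upper() in blocks   # .SF and block share a base name
            entries = {s["Name"] for s in parse_sections(zf.read(sf))[1:] if "Name" in s}
            signers.append({"sf": sf, "has_block": has_block, "entries": len(entries)})
            if has_block:
                covered |= entries
        unsigned = sorted(n for n in names if not is_signature_related(n) and n not in covered)
    if not any(s["has_block"] for s in signers):
        status = "unsigned"
    elif unsigned:
        status = "partially-signed"   # jarsigner reports these as unsigned entries
    else:
        status = "signed"
    return {"status": status, "signers": signers, "unsigned_entries": unsigned}


def verify_with_jarsigner(jar_path):
    """Cryptographic check: True/False from `jarsigner -verify -strict`, None if it is not installed."""
    if shutil.which("jarsigner") is None:
        return None
    return subprocess.run(["jarsigner", "-verify", "-strict", jar_path], capture_output=True).returncode == 0


def _wrap72(line):
    """Manifest lines are at most 72 bytes; longer ones continue on lines starting with a space (ASCII names assumed)."""
    return "\r\n".join([line[:72]] + [" " + line[i:i + 71] for i in range(72, len(line), 71)])


def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _section(name, digest):
    return _wrap72(f"Name: {name}") + f"\r\nSHA-256-Digest: {digest}\r\n\r\n"


def build_sample_jar(signed_entries, sign=True, unsigned_extra=()):
    """Constructed in-memory jar. The .RSA block is a placeholder, not a real PKCS#7 signature."""
    files = {n: f"bytes of {n}".encode() for n in (*signed_entries, *unsigned_extra)}
    sections = {n: _section(n, _b64_sha256(data)) for n, data in files.items()}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(sections.values())
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {_b64_sha256(manifest.encode())}\r\n\r\n"
          + "".join(_section(n, _b64_sha256(sections[n].encode())) for n in signed_entries))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for n, data in files.items():
            zf.writestr(n, data)
        if sign:
            zf.writestr("META-INF/SIGNER.SF", sf)
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder, not a signature block")
    buf.seek(0)
    return buf
```

The partially signed case is the one that matters for an allow-list:
an attacker who cannot forge the vendor's signature can still append an
unsigned class to a signed jar, and a gate that only looks for an .RSA
file accepts it. Inside the JVM the equivalent check is reading every
entry through a verifying java.util.jar.JarFile and rejecting any entry
whose getCodeSigners() is null.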