01 Project introduction 中文说明
Java Runtime Application Self Protection means Java application self-protection system, which is called 'jrasp' for short.
jrasp-agent is the core part of jrasp project.
jrasp-agent based on Java Agent technology, modifies Java bytecode, adds security detection logic, detects and blocks vulnerability attacks in real time.
- Security plug-in can be customized
- Detection logic low delay
- Plug in Hot Update
- Java Process Identification and Automatic Injection
- Support native method hooks such as command execution to completely prevent bypassing;
- Compatible with Windows, Mac and Linux
- Small size, core jar package 600KB
- Increase CPU by 5% (test under normal request)
- Memory consumption below 200MB
- Plug in and daemon HASH verification
- Agent and Daemon socket customized communication protocol and RSA asymmetric encryption;
- The core functions are loaded by custom class loaders and isolated from business classes, which improves the difficulty of attacking RASP from within the JVM;
- Reflection reinforcement: RASP core methods (such as unloading, degradation, etc.) reflect reinforcement to prevent malicious reflection;
- Do not use third-party frameworks, such as servlet, json, sl4j2, apache common, etc
Security module of jrasp agent The currently supported modules are:
-
- Command execution module (native)
-
- Deserialization module (jdk deserialization/fastjson/yaml/stream)
-
- HTTP module (springboot/tomcat/jetty/underwown/spark) (IP blacklist/URL blacklist/scanner identification)
-
- xxe module (dom4j/jdom/jdk)
-
- File access module (io/nio)
-
- Expression injection module (spel/ognl)
-
- SQL injection (mysql)
-
- JNDI injection
under development:
-
- SSRF
-
- danger protocol
-
- DNS query
-
- Memory
-
- Class loader
-
- attach
- jdk6+
- 1.download
curl https://jrasp-download.oss-cn-shanghai.aliyuncs.com/jrasp-install.sh|bash
It should be noted that the above installation script will install jrasp in the /usr/local/jrasp
directory.
- 2.1 start mode 1:use attach tool (only for test or debug)
Use the 'attach' tool to inject Java processes. Enter the bin directory under the jrasp installation directory
cd ./jrasp/bin
Injecting Java processes with pid 46575
./attach -p 46575
attach success log:
2022/09/29 18:04:28 attach java process,pid: 46575
2022/09/29 18:04:28 jvm create uds socket file success
2022/09/29 18:04:28 command socket init success: [0.0.0.0:51370]
2022/09/29 18:04:28 attach jvm success
- 2.2 start mode 2:startup daemon (only for online environments)
enter the bin directory:
cd ./jrasp/bin
startup daemon process:
./jrasp-daemon
start success log:
➜ ./jrasp-daemon
_ _____ _____ _____
| | | __ \ /\ / ____| | __ \
| | | |__) | / \ | (___ | |__) |
_ | | | _ / / /\ \ \___ \ | ___/
| |__| | | | \ \ / ____ \ ____) | | |
\____/ |_| \_\ /_/ \_\ |_____/ |_|
:: JVM RASP :: (v1.1.0.RELEASE) https://www.jrasp.com
{"level":"INFO","ts":"2023-01-08 22:30:21.150","caller":"jrasp-daemon/main.go:55","msg":"daemon startup","logId":1000,"ip":"192.168.8.145","hostName":"MacBook-Pro","pid":20333,"detail":"{\"agentMode\":\"dynamic\"}"}
{"level":"INFO","ts":"2023-01-08 22:30:21.150","caller":"jrasp-daemon/main.go:57","msg":"config id","logId":1030,"ip":"192.168.8.145","hostName":"MacBook-Pro","pid":20333,"detail":"{\"configId\":1}"}
Note: use systemctl startup jrasp-daemon process.
- 3 Output Log
all log files are under the jrasp/logs/
directory.
- jrasp-agent-0.log is the java agent log
- jrasp-daemon.log is the daemon process log
- jrasp-attack-0.log is the attack log
The logs generated by the jrasp agent are on the local disk and can be transferred to kafka using log collection tools such as filebeat
Filebeat one click installation command:
curl https://jrasp-download.oss-cn-shanghai.aliyuncs.com/filebeat-install.sh|bash
Note that only public cloud (such as Alibaba Cloud, Tencent Cloud and Huawei Cloud) environments are supported; The logs are transferred to the kafka cluster officially provided by jrasp.
- jdk 1.8
- golang 1.16
- maven 3.2.5
Enter the jrsap-agent/bin directory and execute the corresponding environment script.
It should be noted that macOs/windows is only for development and testing.
wx:sear2022
-
Based on the open source project jvm-sandbox
-
the hook class/method part from open-rasp
If you are using it, please contact us and add it here.
GPL3.0(You can learn and use in your own projects, but commercialization must be authorized)