FThompson

Reputation: 28707

Disable Instrumentation Library

Is it possible to disable instrumentation libraries in a Java application, or to check if any are currently running?

My goal is to prevent users from running instrumentation implementations over my application, for security reasons.

I've come up with a theoretical solution on my own after some experimentation, in which I discovered that the java.class.path system property ends with the path of the -javaagent VM argument jar file, after a path separator character. From this property, I could check if one of the class path attributes is an external jar not specified by my program itself, and then terminate my application if an alien jar is detected.

However, the above approach seems somewhat hacky to me, but I haven't been able to find a way to directly block the -javaagent argument, nor a simple way to detect the instrumentation agent library(ies). Is either of these cleaner alternatives possible?

Upvotes: 3

Views: 1631

Answers (2)

guai

Reputation: 805

A Java agent can also be loaded at runtime:

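import com.sun.tools.attach.VirtualMachine;
import java.io.File;

// pid is the target JVM's process id, as a String
VirtualMachine vm = VirtualMachine.attach(pid);
File agent = new File("agent.jar");
vm.loadAgent(agent.toString());
vm.detach();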

I don't think your code will work in this case.
One can check if attach is allowed like so:

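import com.sun.tools.attach.AttachPermission;

// Throws SecurityException if the permission is not granted
SecurityManager sm = System.getSecurityManager();
if (sm != null)
    sm.checkPermission(new AttachPermission("attachVirtualMachine"));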

Upvotes: 4

FThompson

Reputation: 28707

After doing some more research, I found a solid solution a couple days ago after writing a makeshift classpath property analyzer.

I use RuntimeMXBean to get the VM arguments, and then I check for a -javaagent: argument.

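import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.util.List;

RuntimeMXBean runtimeMxBean = ManagementFactory.getRuntimeMXBean();
// JVM options passed at startup (not the arguments to main)
List<String> args = runtimeMxBean.getInputArguments();
for (String arg : args) {
    if (arg.contains("-javaagent:")) {
        // block application from running
    }
}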

Upvotes: 2
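
An added example (not code from either answer) that combines the startup-argument check with the runtime-attach point raised in the first answer. It goes beyond the answers by also matching -agentlib: and -agentpath:, and it assumes a HotSpot JVM, where the -XX:+DisableAttachMechanism flag and the "Attach Listener" thread name apply; the class and method names are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;

public class AgentCheck {
    // JVM options that load a Java agent or a native (JVMTI) agent at startup.
    private static final String[] AGENT_PREFIXES = {"-javaagent:", "-agentlib:", "-agentpath:"};

    /** Returns every startup argument that loads an agent. */
    static List<String> startupAgentArgs(List<String> jvmArgs) {
        List<String> hits = new ArrayList<>();
        for (String arg : jvmArgs) {
            for (String prefix : AGENT_PREFIXES) {
                if (arg.startsWith(prefix)) hits.add(arg);
            }
        }
        return hits;
    }

    /** True if the JVM was started with the HotSpot flag that refuses runtime attach. */
    static boolean attachDisabled(List<String> jvmArgs) {
        return jvmArgs.contains("-XX:+DisableAttachMechanism");
    }

    /** Assumption (HotSpot): an "Attach Listener" thread exists once a tool has attached. */
    static boolean attachListenerRunning() {
        for (Thread t : Thread.getAllStackTraces().keySet()) {
            if ("Attach Listener".equals(t.getName())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> jvmArgs = ManagementFactory.getRuntimeMXBean().getInputArguments();
        List<String> agents = startupAgentArgs(jvmArgs);
        if (!agents.isEmpty()) {
            System.err.println("Agent options present at startup: " + agents);
            System.exit(1);
        }
        if (!attachDisabled(jvmArgs)) {
            System.err.println("Warning: runtime attach is not disabled for this JVM");
        }
        if (attachListenerRunning()) {
            System.err.println("Attach Listener thread found; a tool may have attached");
            System.exit(1);
        }
        System.out.println("No agent indicators found");
    }
}
```

The thread-name check is a heuristic: it also fires for diagnostic tools such as jstack or jcmd, which use the same attach mechanism.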
