I-C

Reputation: 11

Block java agents without restarting jvm

I need to block java agents from modifying or reading the JVM. The reason for this is I have a secure launcher system that remotely downloads sensitive portions of the application. Unfortunately, someone used a class dumper of some sort to download the secure classes. I've done some searching and found -XX:+DisableAttachMechanism should disable them from connecting. The issue is I can't restart the jvm, or modify the starting arguments. I do have access to the JNI, if that helps (still need windows, mac, and linux compatibility though).

Upvotes: 0

Views: 1016

Answers (1)

apangin

Reputation: 98370

It's easy to disable the HotSpot dynamic attach mechanism at runtime - you just need to remove the attach socket /tmp/.java_pidPID (where PID is the target process ID). If there is no such file, activate the attach mechanism first by running jcmd PID VM.version.

This is unlikely to help against dumping classes, though.

If someone has access to the systems where the JVM runs, he can probably access the memory of the process without the JVM even knowing about it. For example, the Serviceability Agent is able to read JVM memory with no cooperation from the JVM at all. See this question and this one for details.

There is a trick to make using Serviceability Agent difficult, but it's still not bullet-proof, as long as a user has permissions to access the process on the OS level.

If you really want to secure your JVM process, you have to do this using OS security features, including user accounts, ACLs, capabilities, cgroups, etc.

Upvotes: 3
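As an added example, not part of apangin's answer, here is a small Java check that applies the socket-removal approach above from inside the running process and also reports whether the launch-time flag is set (which is the proper fix). The class and method names are my own; it assumes HotSpot on Linux/macOS, where the attach socket lives under /tmp.

```java
import com.sun.management.HotSpotDiagnosticMXBean;
import com.sun.management.VMOption;
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Runtime check for the HotSpot dynamic-attach listener. On Linux/macOS the
 * listener is reachable through the UNIX socket /tmp/.java_pid<PID>; removing
 * that file stops new jcmd / VirtualMachine.attach() connections.
 * Caveats: Windows uses a different mechanism (no socket file), and none of
 * this stops tools that read process memory directly (Serviceability Agent).
 */
public final class AttachGuard {

    /** Path of the attach socket for the given PID (Linux/macOS layout). */
    static Path attachSocket(long pid) {
        return Paths.get("/tmp", ".java_pid" + pid);
    }

    /** True if -XX:+DisableAttachMechanism was set at launch. */
    static boolean attachDisabledByFlag() {
        HotSpotDiagnosticMXBean bean =
            ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
        VMOption opt = bean.getVMOption("DisableAttachMechanism");
        return Boolean.parseBoolean(opt.getValue());
    }

    /**
     * Deletes this JVM's attach socket if the listener has already started.
     * Returns false when no socket exists: the listener is not active yet and
     * may still be started later (e.g. by the first jcmd run against this PID),
     * so this check should be repeated rather than run once.
     */
    static boolean removeAttachSocket() throws IOException {
        long pid = ProcessHandle.current().pid();
        return Files.deleteIfExists(attachSocket(pid));
    }

    public static void main(String[] args) throws IOException {
        System.out.println("DisableAttachMechanism set: " + attachDisabledByFlag());
        String os = System.getProperty("os.name").toLowerCase();
        if (os.contains("win")) {
            System.out.println("Windows attach uses a named pipe; no socket to remove");
            return;
        }
        System.out.println("attach socket removed: " + removeAttachSocket());
    }
}
```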
