/jrasp-agent

技术细节请参照官网

Primary LanguageJava

jrasp-agent

Build Status Version Go Guild Version Maven Version Java Build Version License install platform

01 Project introduction 中文说明

Java Runtime Application Self Protection means Java application self-protection system, which is called 'jrasp' for short.

jrasp-agent is the core part of jrasp project.

jrasp-agent based on Java Agent technology, modifies Java bytecode, adds security detection logic, detects and blocks vulnerability attacks in real time.

02 Characteristics

Functional characteristics

  • Security plug-in can be customized
  • Detection logic low delay
  • Plug in Hot Update
  • Java Process Identification and Automatic Injection
  • Support native method hooks such as command execution to completely prevent bypassing;
  • Compatible with Windows, Mac and Linux
  • Small size, core jar package 600KB

Performance

  • Increase CPU by 5% (test under normal request)
  • Memory consumption below 200MB

Self security

  • Plug in and daemon HASH verification
  • Agent and Daemon socket customized communication protocol and RSA asymmetric encryption;
  • The core functions are loaded by custom class loaders and isolated from business classes, which improves the difficulty of attacking RASP from within the JVM;
  • Reflection reinforcement: RASP core methods (such as unloading, degradation, etc.) reflect reinforcement to prevent malicious reflection;
  • Do not use third-party frameworks, such as servlet, json, sl4j2, apache common, etc

Security module

Security module of jrasp agent The currently supported modules are:

    1. Command execution module (native)
    1. Deserialization module (jdk deserialization/fastjson/yaml/stream)
    1. HTTP module (springboot/tomcat/jetty/underwown/spark) (IP blacklist/URL blacklist/scanner identification)
    1. xxe module (dom4j/jdom/jdk)
    1. File access module (io/nio)
    1. Expression injection module (spel/ognl)
    1. SQL injection (mysql)
    1. JNDI injection

under development:

    1. SSRF
    1. danger protocol
    1. DNS query
    1. Memory
    1. Class loader
    1. attach

Supported jdk versions

  • jdk6+

03 Install (centos)

  • 1.download
curl https://jrasp-download.oss-cn-shanghai.aliyuncs.com/jrasp-install.sh|bash

It should be noted that the above installation script will install jrasp in the /usr/local/jrasp directory.

  • 2.1 start mode 1:use attach tool (only for test or debug)

Use the 'attach' tool to inject Java processes. Enter the bin directory under the jrasp installation directory

cd ./jrasp/bin

Injecting Java processes with pid 46575

./attach -p 46575

attach success log:

2022/09/29 18:04:28 attach java process,pid: 46575
2022/09/29 18:04:28 jvm create uds socket file success
2022/09/29 18:04:28 command socket init success: [0.0.0.0:51370]
2022/09/29 18:04:28 attach jvm success
  • 2.2 start mode 2:startup daemon (only for online environments)

enter the bin directory:

cd ./jrasp/bin

startup daemon process:

./jrasp-daemon

start success log:

➜  ./jrasp-daemon 
       _   _____                _____   _____  
      | | |  __ \      /\      / ____| |  __ \ 
      | | | |__) |    /  \    | (___   | |__) |
  _   | | |  _  /    / /\ \    \___ \  |  ___/ 
 | |__| | | | \ \   / ____ \   ____) | | |   
  \____/  |_|  \_\ /_/    \_\ |_____/  |_|
:: JVM RASP ::        (v1.1.1.RELEASE) https://www.jrasp.com
{"level":"INFO","ts":"2023-01-08 22:30:21.150","caller":"jrasp-daemon/main.go:55","msg":"daemon startup","logId":1000,"ip":"192.168.8.145","hostName":"MacBook-Pro","pid":20333,"detail":"{\"agentMode\":\"dynamic\"}"}
{"level":"INFO","ts":"2023-01-08 22:30:21.150","caller":"jrasp-daemon/main.go:57","msg":"config id","logId":1030,"ip":"192.168.8.145","hostName":"MacBook-Pro","pid":20333,"detail":"{\"configId\":1}"}

Note: use systemctl startup jrasp-daemon process.

  • 3 Output Log

all log files are under the jrasp/logs/ directory.

  • jrasp-agent-0.log is the java agent log
  • jrasp-daemon.log is the daemon process log
  • jrasp-attack-0.log is the attack log
  • jrasp-module-0.log is the module log

04 Log reporting to the management end (not required, can be skipped)

The logs generated by the jrasp agent are on the local disk and can be transferred to kafka using log collection tools such as filebeat

Filebeat one click installation command:

curl https://jrasp-download.oss-cn-shanghai.aliyuncs.com/filebeat-install.sh|bash

Note that only public cloud (such as Alibaba Cloud, Tencent Cloud and Huawei Cloud) environments are supported; The logs are transferred to the kafka cluster officially provided by jrasp.

05 develop & Compilation (can be skipped, use the release package)

  • jdk 1.8
  • golang 1.16
  • maven 3.2.5

Enter the jrsap-agent/bin directory and execute the corresponding environment script.

It should be noted that macOs/windows is only for development and testing.

06 Version record

RELEASE

07 Wechart

wx:sear2022

08 Official website

https://www.jrasp.com

09 Explanation

10 Users

If you are using it, please contact us and add it here.

11 Copyright Information

GPL3.0(You can learn and use in your own projects, but commercialization must be authorized)