JVM RASP Bypass #149
Comments
|
这应该是所有基于instrument的JVM RASP应用无法避免的问题,直接调用native方法会被绕过,目前能缓解的方案是部署整套Elkeid方案,因为driver层面是无法被绕过的。RASP主要是作为定位代码漏洞的手段,提供调用栈和代码行号等信息。 |
|
或许之后可以考虑在JVM层面对native方法进行inline hook |
|
如果不考虑性能影响,可以对Method.setAccessible、Method.invoke等api进行hook,那么该bypass行为便能感知,并且可以配置相应的阻断规则。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
代码执行后,我们可以通过theUnsafe去实例化一个对象且不调用他的构造方法,之后去执行对象的native方法,另外需要注意Unsafe的其他方法,也能用于bypass。
https://tech.meituan.com/2019/02/14/talk-about-java-magic-class-unsafe.html
demo:
https://github.com/turn1tup/JvmRaspBypass/blob/main/src/main/java/com/test/Cmd.java
The text was updated successfully, but these errors were encountered: