The Java Agent: Modifying Bytecode at Runtime to Protect Against Log4J • Joe Beeton • GOTO 2022
This presentation was recorded at GOTO Copenhagen 2022. #GOTOcon #GOTOcph
https://gotocph.com
Joe Beeton - Senior Application Security Researcher at Contrast Security
RESOURCES
https://github.com/eclipse/jbom
https://github.com/JoeBeeton/cornflakerizer-rasp
https://github.com/welk1n/JNDI-Injection-Exploit
https://www.contrastsecurity.com/developer
https://www.contrastsecurity.com/contrast-community-edition
Joe
https://twitter.com/JosephBeeton
https://github.com/JoeBeeton
https://linkedin.com/in/joe-beeton-34b083231
ABSTRACT
Java Agents are a powerful tool to instrument or modify your application at runtime. But how do they work?
In this talk, I'll be going through how they work when configured at startup as well as attaching an agent to a running process.
I'll show how the underlying Java Agent API works, how it can be used to both analyse an application and modify the application using a simple example of Bytecode modification to protect against Log4J and other vulnerabilities [...]
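As an added worked example (this is not code from the talk or from the cornflakerizer-rasp repository), here is a minimal agent of the kind the abstract describes. It exposes both entry points, premain for start-up with -javaagent and agentmain for dynamic attach, and installs a ClassFileTransformer that rewrites the bytecode of log4j-core's JndiLookup class so that its String-returning lookup methods simply return null, which removes the JNDI call behind Log4Shell (CVE-2021-44228). The class and method names are the real ones from log4j-core 2.x; the ASM library (org.ow2.asm:asm) is assumed to be bundled in the agent jar, and the manifest entries listed in the comments are assumed to be present.

```java
// JndiLookupAgent.java  (added example; depends on org.ow2.asm:asm being on the agent's class path)
//
// The agent jar's META-INF/MANIFEST.MF is assumed to contain:
//   Premain-Class: JndiLookupAgent
//   Agent-Class: JndiLookupAgent
//   Can-Retransform-Classes: true
//
// Start-up use:    java -javaagent:agent.jar -jar app.jar
// Dynamic attach:  java -cp agent.jar JndiLookupAgent <pid> /path/to/agent.jar
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.security.ProtectionDomain;

import com.sun.tools.attach.VirtualMachine;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public class JndiLookupAgent {
    // Internal (slash-separated) name of the log4j-core class that services ${jndi:...} lookups.
    static final String TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup";

    // Entry point when the agent is passed with -javaagent at JVM start-up.
    public static void premain(String args, Instrumentation inst) { install(inst); }

    // Entry point when the agent is loaded into an already running JVM through the Attach API.
    public static void agentmain(String args, Instrumentation inst) { install(inst); }

    static void install(Instrumentation inst) {
        // canRetransform=true: the transformer must also be applied to classes loaded before we arrived.
        inst.addTransformer(new JndiLookupTransformer(), true);
        // On dynamic attach log4j-core has usually been loaded long ago, so inventory the loaded
        // classes (the same call a JBOM-style analysis agent uses) and retransform the target.
        String dotted = TARGET.replace('/', '.');
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (dotted.equals(c.getName()) && inst.isModifiableClass(c)) {
                try {
                    inst.retransformClasses(c);
                    System.err.println("[agent] retransformed " + dotted + " from " + c.getClassLoader());
                } catch (UnmodifiableClassException e) {
                    System.err.println("[agent] cannot retransform " + dotted + ": " + e);
                }
            }
        }
    }

    // Rewrites every String-returning lookup(...) method of JndiLookup to 'return null;'
    // so no JNDI call is ever made. For every other class the transformer returns null (no change).
    static final class JndiLookupTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            if (!TARGET.equals(className)) return null;
            ClassReader cr = new ClassReader(classfileBuffer);
            ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
            cr.accept(new ClassVisitor(Opcodes.ASM9, cw) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String signature, String[] exceptions) {
                    MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                    if (!"lookup".equals(name) || !desc.endsWith(")Ljava/lang/String;")) {
                        return mv; // leave every other method untouched (copied as-is by ASM)
                    }
                    // Emit the replacement body: ACONST_NULL; ARETURN
                    mv.visitCode();
                    mv.visitInsn(Opcodes.ACONST_NULL);
                    mv.visitInsn(Opcodes.ARETURN);
                    mv.visitMaxs(0, 0); // values are recomputed because of COMPUTE_MAXS
                    mv.visitEnd();
                    return null; // returning null makes ClassReader skip the original method body
                }
            }, 0);
            return cw.toByteArray();
        }
    }

    // Attacher: loads this agent jar into the JVM with the given pid (needs the jdk.attach module).
    public static void main(String[] args) throws Exception {
        VirtualMachine vm = VirtualMachine.attach(args[0]);
        try {
            vm.loadAgent(args[1]);
        } finally {
            vm.detach();
        }
    }
}
```

Two practical caveats: the JVM only lets a retransformation change method bodies, not add or remove methods or fields, which is why the patch is written as a body replacement; and on JDK 9 and later a process cannot attach to itself unless it is started with -Djdk.attach.allowAttachSelf=true, while attaching to another process of the same user works as shown. Hot-patching like this is a stop-gap for systems you cannot restart or rebuild immediately; upgrading log4j-core remains the real fix.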
TIMECODES
00:00 Intro
00:35 java.lang.instrument (the Instrumentation API)
02:21 Dynamically attaching
08:14 JBOM Demo
21:21 Static attaching
21:46 RASPs
22:29 Log4J interpolation
23:58 What is JNDI
24:54 What a malicious JNDI server can do
29:10 Patching Log4J at runtime
30:00 Vulnerability Demo
38:12 Links
38:43 Outro
Download slides and read the full abstract here:
https://gotocph.com/2022/sessions/2195
RECOMMENDED BOOKS
Kevlin Henney & Trisha Gee • 97 Things Every Java Programmer Should Know • https://amzn.to/3kiTwJJ
Markus Eisele & Natale Vinto • Modernizing Enterprise Java • https://amzn.to/3EsEtZ3
Joshua Bloch • Effective Java • https://amzn.to/3ygmQJt
https://twitter.com/GOTOcon
https://www.linkedin.com/company/goto-
https://www.facebook.com/GOTOConferences
#Java #Security #JavaSecurity #JBOM #JavaAgent #Bytecode #JavaEcosystem #RASP #JVM #JCP #Java8 #JDK #Log4j #npm #Gradle #Maven #JoeBeeton
Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech
Sign up for updates and specials at https://gotopia.tech/newsletter
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
https://www.youtube.com/user/GotoConferences/?sub_confirmation=1
Video "The Java Agent: Modifying Bytecode at Runtime to Protect Against Log4J • Joe Beeton • GOTO 2022" from the GOTO Conferences channel