{"id":1839,"date":"2025-02-04T10:24:08","date_gmt":"2025-02-04T09:24:08","guid":{"rendered":"https:\/\/www.loicmathieu.fr\/wordpress\/?p=1839"},"modified":"2025-02-04T10:27:07","modified_gmt":"2025-02-04T09:27:07","slug":"java-vers-une-integrite-par-defaut-de-la-jvm","status":"publish","type":"post","link":"https:\/\/www.loicmathieu.fr\/wordpress\/informatique\/java-vers-une-integrite-par-defaut-de-la-jvm\/","title":{"rendered":"Java: towards JVM integrity by default"},"content":{"rendered":"<p>This article first appeared in <a href=\"https:\/\/www.programmez.com\/magazine\/article\/java-vers-une-integrite-par-defaut-de-la-jvm\" rel=\"noopener\" target=\"_blank\">Programmez! Hors s\u00e9rie #16<\/a> (in French only).<\/p>\n<p>The Java Virtual Machine (JVM) is an execution environment that enables programs written in Java (or other languages compiled into Java bytecode) to run on different operating systems and hardware architectures.<\/p>\n<p>From the beginning, the JVM was designed to be dynamic: it can execute code that was not present at compile time by hot-loading it. It can also call native libraries, and supports numerous monitoring features.<\/p>\n<p>Java code can also be called dynamically using the Reflection API, and the Unsafe class can even be used for memory access, bypassing Java&#8217;s memory allocation mechanisms.<\/p>\n<p>All these features have made the JVM one of the platforms of choice for enterprise application development.<\/p>\n<p>But since its creation, security principles have evolved, and the risks to application security, and their impact, have kept growing, so the JVM had to evolve to limit its exposure to those risks while retaining the functionalities that have made it such a success. 
These changes have been underway for a very long time, at least since Java 9 and the modularization of the JVM, but a global rethink has only recently taken place within the Java Enhancement Proposal (JEP) <em>Integrity by Default<\/em>, which is still in draft: <a href=\"https:\/\/openjdk.org\/jeps\/8305968\" rel=\"noopener\" target=\"_blank\">JEP draft: Integrity by Default<\/a>. This JEP defines integrity by default, explains the reasons for it and lists the JEPs involved. It is an umbrella JEP that brings together many other JEPs.<\/p>\n<h2>What is integrity by default?<\/h2>\n<p>Here&#8217;s what the JEP has to say about it:<\/p>\n<blockquote>In the context of a computer program, integrity means that the constructs from which we build the program \u2014 and ultimately the program itself \u2014 are both whole and sound.<\/blockquote>\n<p>Behind this lies a very simple principle: the JVM specification must describe precisely what is required for a program to be valid, and its implementation must obey it. For example, the array specification defines that an array can only be accessed within the bounds defined when it was created; this constraint is guaranteed by the JVM, which throws an exception if it is violated.<\/p>\n<p>The benefits of integrity are that:<\/p>\n<ul><li>Code is predictable: variables always have a defined value before they are used, and operations on data are always valid.<\/li>\n<li>Memory is securely managed: the risk of crashes due to poor memory management is minimized.<\/li>\n<li>Multi-threaded programs are stable: objects maintain a consistent state, even in multi-tasking environments.<\/li>\n<\/ul>\n<p><strong>Encapsulation<\/strong> is one of the fundamental principles of JVM integrity.<\/p>\n<p>Encapsulation consists of grouping data and the methods that manipulate it within a single entity, usually a class. 
This protects data from external access and unauthorized modification, by ensuring that it can only be manipulated via well-defined interfaces.<\/p>\n<p>Encapsulation brings many advantages: program correctness, maintainability, scalability, security and performance.<\/p>\n<p>Let&#8217;s focus on those directly related to JVM integrity:<\/p>\n<ul><li>Correctness: encapsulation ensures that data is accessed and modified in a controlled way, preventing side effects and unexpected errors.<\/li>\n<li>Security: by restricting access to data, encapsulation helps protect sensitive information from unauthorized access.<\/li>\n<\/ul>\n<p>However, there are APIs in the Java Development Kit (JDK) that can bypass encapsulation:<\/p>\n<ul><li><strong>AccessibleObject::setAccessible(boolean)<\/strong>: this method enables deep reflection, allowing access to private fields and methods, even if they are normally inaccessible.<\/li>\n<li><strong>sun.misc.Unsafe<\/strong>: this class provides methods for accessing private methods and fields, as well as final fields.<\/li>\n<li><strong>Java Native Interface (JNI)<\/strong>: JNI allows native code to interact with Java objects without respecting encapsulation boundaries.<\/li>\n<li><strong>Instrumentation API<\/strong>: this API allows agents to modify the bytecode of methods, which can bypass encapsulation.<\/li>\n<\/ul>\n<p>Integrity by default therefore requires restricting the operation of these APIs by default. 
The idea is not to eliminate them, but to reduce their scope or to force the developer to knowingly authorize them, so as to control their use.<\/p>\n<h2>Restricting deep reflection<\/h2>\n<p>Since Java 9 and the introduction of modularity (<a href=\"https:\/\/openjdk.org\/jeps\/261\" rel=\"noopener\" target=\"_blank\">JEP 261: Module System<\/a>), it has been possible to restrict deep reflection using Java modules, as the <code>AccessibleObject::setAccessible(boolean)<\/code> method respects module boundaries: a class in one module cannot modify the accessibility of a field in a class in another module.<\/p>\n<p>This change, initiated with Java 9 and the modularization of the JDK, was implemented progressively: unauthorized access was first discouraged by issuing a warning at application launch, then prohibited in Java 16. It is still possible to authorize deep reflection either globally (<code>--illegal-access=permit<\/code>) or on a case-by-case basis by opening modules (<code>--add-opens<\/code>).<\/p>\n<h2>Restricting the use of Unsafe<\/h2>\n<p>The <code>sun.misc.Unsafe<\/code> class includes methods that perform a variety of low-level operations without any security checks.<\/p>\n<p>A component that uses Unsafe compromises the integrity of the JVM.<\/p>\n<p>Unsafe is rarely used directly by a Java application, but many frameworks rely on it, as do many Java agents.<\/p>\n<p>Over the years, numerous replacements via supported APIs have emerged, making the use of Unsafe less and less necessary.<\/p>\n<p>Low-level manipulation of objects in the heap can now be carried out more safely via the <strong>VarHandle<\/strong> API, and manipulation of data in memory outside the heap can now be carried out more safely via the <strong>MemorySegment<\/strong> API.<\/p>\n<p>Since Java 23 and <a href=\"https:\/\/openjdk.org\/jeps\/471\" rel=\"noopener\" target=\"_blank\">JEP 471: Deprecate the Memory-Access Methods in sun.misc.Unsafe for Removal<\/a>, the Unsafe memory-access methods 
have been deprecated, but their use is still permitted. It is possible to restrict their use via the command-line option <code>--sun-misc-unsafe-memory-access<\/code>.<\/p>\n<p>The use of these methods will be progressively restricted in future versions of Java. From Java 24 onwards, they emit a warning in the JVM logs the first time they are used.<\/p>\n<h2>Restricting the use of JNI<\/h2>\n<p>With Java 24 and <a href=\"https:\/\/openjdk.org\/jeps\/472\" rel=\"noopener\" target=\"_blank\">JEP 472: Prepare to Restrict the Use of JNI<\/a>, access to native libraries will be restricted for both JNI and the new Foreign Function and Memory (FFM) API.<\/p>\n<p>This has already been the case for the FFM API since Java 22.<\/p>\n<p>A native library does not respect the integrity of the JVM, because it can:<\/p>\n<ul><li>Have undefined behavior, which can cause the JVM to crash.<\/li>\n<li>Exchange data via direct byte buffers.<\/li>\n<li>Access fields and methods without access control.<\/li>\n<li>Call JVM functions incorrectly.<\/li>\n<\/ul>\n<p>Authorizing access to native libraries requires the <code>--enable-native-access<\/code> command-line option or the <code>Enable-Native-Access<\/code> manifest attribute, whose value is either the name of a module or <code>ALL-UNNAMED<\/code> to authorize the whole classpath.<\/p>\n<p>For the time being, the use of an unauthorized JNI library only issues a warning when the application is launched, but such use will be progressively restricted in future versions of Java.<\/p>\n<h2>Restricting the use of the Instrumentation API<\/h2>\n<p>An agent is a component that can modify the code of an application while it is running.<\/p>\n<p>It can therefore compromise the integrity of the JVM in various ways.<\/p>\n<p>Since Java 21 and <a href=\"https:\/\/openjdk.org\/jeps\/451\" rel=\"noopener\" target=\"_blank\">JEP 451: Prepare to Disallow the Dynamic Loading of Agents<\/a>, dynamic loading of Java agents has been 
restricted.<\/p>\n<p>The command-line option <code>-XX:+DisableAttachMechanism<\/code> controls dynamic agent loading, and is currently set to true by default.<\/p>\n<p>For the time being, the dynamic loading of an unauthorized Java agent only issues a warning when the application is launched, but such use will be progressively restricted in future versions of Java. It will then be necessary to declare all Java agents when launching the JVM via the <code>--agent<\/code> command-line option.<\/p>\n<h2>Conclusion<\/h2>\n<p>Application security is becoming increasingly important, and it&#8217;s a good thing that Java is evolving to provide greater security by default. It also puts more power in the hands of developers, who will be able to better control which library or module can perform which action (reflection, native library loading, etc.).<\/p>","protected":false},"excerpt":{"rendered":"<p>This article first appeared in Programmez! Hors s\u00e9rie #16 (in French only). The Java Virtual Machine (JVM) is an execution environment that enables programs written in Java (or other languages compiled into Java bytecode) to run on different operating systems and hardware architectures. From the beginning, the JVM was designed to be dynamic: it can execute code that was not present at compile time by hot-loading it. It can also call native libraries, and supports numerous monitoring features. 
Java code can also&#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[9],"tags":[11,214],"class_list":["post-1839","post","type-post","status-publish","format-standard","hentry","category-informatique","tag-java","tag-security"]}