Practical Tips for Hardening Java Applications

Practical Tips for Hardening Java Applications Shaun Smith Senior Director, Product & Developer Relations Oracle Labs @ shaunsmith (@ mastodon.social )

2024-05-08 Copyright © 2024, Oracle and/or its affiliates 7 Photo by Pixabay : https:// www.pexels.com /photo/two-people-hiking-532803/ Photo by Sergey Fokin on Unsplash Photo by Laila Klinsmann: https:// www.pexels.com /photo/depth-of-field-photography-of-woman-riding-brown-horse-883630/

785 MB Debian Slim + JDK 21 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 28 FROM debian:12-slim WORKDIR /web RUN apt-get update && \ apt-get install -y wget && \ apt-get clean && \ wget -q https:// download.oracle.com / graalvm /21/archive/graalvm-jdk-21.0.2_linux-x64_bin.tar.gz -O graalvm.tar.gz && \ tar - xf graalvm.tar.gz && \ rm -f graalvm.tar.gz COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/web/graalvm-jdk-21.0.2+13.1/bin/ jwebserver ", "-b", "0.0.0.0", "-d", "/web"]

436 MB Eclipse Temurin JDK 21 (Ubuntu) 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 30 FROM eclipse-temurin:21 COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/opt/java/ openjdk /bin/ jwebserver ", "-b", "0.0.0.0", "-d", "/web"]

" Distroless " images contain only your application and its runtime dependencies . They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. https:// github.com / GoogleContainerTools / distroless /blob/main/ README.md Copyright © 2024, Oracle and/or its affiliates 33 2024-05-08

Distroless Images 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 35 For statically linked applications—no libc For “mostly” statically linked applications—has libc For JVM-based applications—no JDK, just required libs Full JDK—with required libs

Distroless Java 21 (Debian 12) 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 36 For statically linked applications—no libc For “mostly” statically linked applications—has libc For JVM-based applications—no JDK, just required libs Full JDK—with required libs

192 MB Distroless Java 21 (Debian 12) 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 37 FROM gcr.io / distroless /java21-debian12 COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/opt/java/ openjdk /bin/ jwebserver ", "-b", "0.0.0.0", "-d", "/web"]

Distroless Java Base 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 43 For statically linked applications—no libc For “mostly” statically linked applications—has libc For JVM-based applications—no JDK, just required libs Full JDK—with required libs

128 MB Distroless Java Base— Jlink 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 44 FROM container- registry.oracle.com / graalvm /jdk:21 AS build RUN jlink \ --module-path ${JAVA_HOME}/ jmods \ --add-modules jdk.httpserver \ --verbose \ --strip-debug \ --compress zip-9 \ --no-header-files \ --no-man-pages \ --strip-java-debug-attributes \ --output jwebserver-jlink FROM gcr.io / distroless /java-base-debian12 COPY --from=build /build/ jwebserver-jlink / usr /lib/java COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/ usr /lib/java/bin/ jwebserver ", "-b", "0.0.0.0", "-d", "/web"]

GraalVM Native Image compiles applications Ahead-of-Time (AOT) into platform native executables. Oracle GraalVM Native Image Copyright © 2024, Oracle and/or its affiliates 49 .class .jar .class .jar Windows Executable macOS Executable Linux Executable 2024-05-08

Native Image Dead Code Elimination #8 114.2 [2/8] Performing analysis... [******] (97.9s @ 3.02GB) #8 114.2 39,261 reachable types ( 93.3% of 42,095 total) #8 114.3 60,730 reachable fields ( 63.4% of 95,790 total) #8 114.5 211,215 reachable methods ( 65.8% of 321,005 total) #8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection #8 114.5 65 types, 67 fields, and 57 methods registered for JNI access Spring PetClinic —A Larger Example 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 51

Native Image Dead Code Elimination #8 114.2 [2/8] Performing analysis... [******] (97.9s @ 3.02GB) #8 114.2 39,261 reachable types ( 93.3% of 42,095 total) #8 114.3 60,730 reachable fields ( 63.4% of 95,790 total) #8 114.5 211,215 reachable methods ( 65.8% of 321,005 total) #8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection #8 114.5 65 types, 67 fields, and 57 methods registered for JNI access Spring PetClinic —A Larger Example 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 52

Native Image Dead Code Elimination #8 114.2 [2/8] Performing analysis... [******] (97.9s @ 3.02GB) #8 114.2 39,261 reachable types ( 93.3% of 42,095 total) #8 114.3 60,730 reachable fields ( 63.4% of 95,790 total) #8 114.5 211,215 reachable methods ( 65.8% of 321,005 total) #8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection #8 114.5 65 types, 67 fields, and 57 methods registered for JNI access Spring PetClinic —A Larger Example 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 53 Removed 2,834 Classes, 35,060 Fields, 109,790 Methods

Reduced application and dependent code surface of vulnerability—only Classes/Fields/Methods proven reachable by the application are included in the image Fixed resources—all defined at build time No new unknown code can be loaded at run time—you know what is in your app at build time Remove runtime dependency on XML/JSON parsers by parsing config files at build time, e.g., Spring AOT and Micronaut AOT Only includes GC implementation specified at build time Only includes (large) monitoring features (JMX, JFR, etc.) explicitly Reflection and deserialization is disabled by default and needs an explicit include list No Just-in-time compiler crashes, wrong compilations, and “JIT spraying” is impossible Native Image—Hardening Features 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 54

Native Image Benefits 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 55 *Relative results consistent on different hardware configurations Fast Start & Scale https:// quarkus.io / 80% less memory with Native Image https:// helidon.io /# microprofile 57% less memory with Native Image

Distroless Java Base 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 57 For statically linked applications—no libc For “mostly” statically linked applications—has libc For JVM-based applications—no JDK, just required libs Full JDK—with required libs

48.3 MB Distroless Java Base—Dynamically Linked Executable 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 59 FROM container- registry.oracle.com / graalvm /native-image:21 AS nativebuild WORKDIR /build RUN native-image -Ob --enable- sbom = cyclonedx -m jdk.httpserver -o jwebserver.dynamic FROM gcr.io / distroless /java-base-debian12 COPY --from= nativebuild /build/ jwebserver.dynamic / COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/ jwebserver.dynamic ", "-b", "0.0.0.0", "-d", "/web"]

GraalVM Native Executable Linking and Containerization Options Copyright © 2024, Oracle and/or its affiliates 62 glibc stdlibc ++, zlib , etc. Application Code Fully Dynamic OS must include all dynamically linked libs 2024-05-08 gcr.io / distroless / java-base -debian12 48.3 MB

GraalVM Native Executable Linking and Containerization Options Copyright © 2024, Oracle and/or its affiliates 63 glibc stdlibc ++, zlib , etc. Application Code Fully Dynamic OS must include all dynamically linked libs Application Code glibc stdlibc ++, zlib , etc. Mostly Static OS only need provide libc libs 2024-05-08 gcr.io / distroless / java-base -debian12 gcr.io / distroless / base -debian12 48.3 MB 35.2 MB

GraalVM Native Executable Linking and Containerization Options Copyright © 2024, Oracle and/or its affiliates 64 glibc stdlibc ++, zlib , etc. Application Code Fully Dynamic OS must include all dynamically linked libs Application Code Application Code glibc stdlibc ++, zlib , etc. Mostly Static musl libc stdlibc ++, zlib , etc. Fully Static OS only need provide libc libs No libs provided by OS 2024-05-08 gcr.io / distroless / java-base -debian12 gcr.io / distroless / base -debian12 gcr.io / distroless / static -debian12 48.3 MB 35.2 MB 17.1 MB

21.9 MB Alpine—Fully Static Executable 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 66 FROM container- registry.oracle.com / graalvm /native-image:21-muslib AS nativebuild WORKDIR /build RUN native-image -Ob --enable- sbom = cyclonedx --static -- libc = musl -m jdk.httpserver -o jwebserver.static FROM alpine:3 COPY --from= nativebuild /build/ jwebserver.static / COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/ jwebserver.static ", "-b", "0.0.0.0", "-d", "/web"]

This image is most useful in the context of building base...or super minimal images (that contain only a single binary and whatever it requires ...)” Copyright © 2024, Oracle and/or its affiliates 69 scratch 2024-05-08

14.5 MB Scratch 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 70 FROM container- registry.oracle.com / graalvm /native-image:21-muslib AS nativebuild WORKDIR /build RUN native-image -Ob --enable- sbom = cyclonedx --static -- libc = musl -m jdk.httpserver -o jwebserver.static FROM scratch COPY --from= nativebuild /build/ jwebserver.static / COPY index.html /web/ index.html EXPOSE 8000 ENTRYPOINT ["/ jwebserver.static ", "-b", "0.0.0.0", "-d", "/web"]

Reduce 3 rd party dependencies Generate SBOMs for your application to track deps and identify CVEs Remove unnecessary JDK modules using jlink Regularly upgrade dependencies and your JDK to the latest release Use minimal container images with “just enough operating system” Use GraalVM Native Image to minimize application attack surface area Summary—Hardening Tips 2024-05-08 Copyright © 2024, Oracle and/or its affiliates 77

Shaun Smith @ shaunsmith (@ mastodon.social )

Practical Tips for Hardening Java Applications

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Practical Tips for Hardening Java Applications

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

Slide 38

Slide 39

Slide 40

Slide 41

Slide 42

Slide 43

Slide 44

Slide 45

Slide 46

Slide 47

Slide 48

Slide 49

Slide 50

Slide 51

Slide 52

Slide 53

Slide 54

Slide 55

Slide 56

Slide 57

Slide 58

Slide 59

Slide 60

Slide 61

Slide 62

Slide 63

Slide 64

Slide 65

Slide 66

Slide 67

Slide 68

Slide 69

Slide 70

Slide 71

Slide 72

Slide 73

Slide 74

Slide 75

Slide 76

Slide 77