Hi, I have some questions about this JEP.

Will something similar to Python's audit hooks [1][2] be considered, to give transparency into what is happening inside the JVM, so that JVM behaviour can be monitored, for example by a security agent (which could interact with the Antimalware Scan Interface (AMSI) [3])? Currently, without using JFR, all the operations in the JDK are essentially a black box.

[1] https://peps.python.org/pep-0578/
[2] https://docs.python.org/3/library/audit_events.html#audit-events
[3] https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

Again, this is not sandboxing as in the "Handler API" described in the alternatives section of the JEP. I know that JFR has some events for file/network, but it has limited coverage and its events are delayed, making it unsuitable for auditing in this context. See https://mail.openjdk.org/pipermail/hotspot-jfr-dev/2021-May/002714.html for the discussion.

Secondly, historically it was possible to disallow unsigned jars from running in the applet era. For centrally managed devices, where Java is installed system-wide on developers' machines, management only allows signed jars to be executed. While AppLocker [4]/SRP can restrict the java executable itself from running, it does not know whether the jar being executed is signed. Other languages such as PowerShell can allow only signed scripts to run [5][6]; see [7] for an example of signing. Will the default java[w] launcher be able to restrict jars from executing in this scenario?

[4] https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview#app-control-for-business
[5] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4#-executionpolicy
[6] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.4#to-permit-signed-scripts-to-run
[7] https://adamtheautomator.com/how-to-sign-powershell-script/

Thirdly, the appendix section advises using an agent to modify classes that call System::exit. There are libraries that perform DRM checks at runtime to enforce certain restrictions such as licensing checks, and that deliberately crash if an agent is found or if their classes are tampered with by the agent. (These checks can also be added by an obfuscator.) How does one handle such cases? Will the JDK offer a way to hide all the loaded agents, or do I need to start modifying System::exit instead if this is the case?

Thank you.
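For readers unfamiliar with the Python mechanism referenced in [1][2], the following is an added, self-contained illustration of PEP 578 audit hooks; it is not part of the message above and not code from the JEP or the JDK. It registers one hook that records selected events and a second, constructed policy hook that refuses child processes and any open() of a path ending in ".secret". The policy rule, the ".secret" suffix and the sample file are assumptions made for the demo. The point it shows, which is the contrast with JFR drawn above, is that the hook runs synchronously inside the operation: the refused open() never reaches the OS, and the refused subprocess never starts.

```python
"""Python audit hooks (PEP 578) demo: a recording hook plus a policy hook.

Constructed example. Hooks run synchronously inside the audited operation,
so a policy decision is taken before the underlying OS call happens.
"""
import os
import subprocess
import sys
import tempfile

AUDIT_LOG = []  # (event, args) tuples captured by the recording hook
WATCHED = {"open", "subprocess.Popen", "socket.connect", "compile"}
_installed = False


class AuditPolicyViolation(RuntimeError):
    """Raised from the policy hook; Python aborts the audited operation."""


def _recording_hook(event, args):
    # Keep the hook free of side effects such as print() or open(): those
    # raise audit events themselves and would re-enter this hook.
    if event in WATCHED:
        AUDIT_LOG.append((event, args))


def _policy_hook(event, args):
    # Demo policy (an assumption for this example, not any default):
    # no child processes, and no opening of paths that end with ".secret".
    if event == "subprocess.Popen":
        # args for this event are (executable, args, cwd, env)
        raise AuditPolicyViolation("child process refused: %r" % (args[1],))
    if event == "open":
        path = args[0]  # str for open(path), int when an fd is wrapped
        if isinstance(path, str) and path.endswith(".secret"):
            raise AuditPolicyViolation("sensitive file refused: %s" % path)


def install_hooks():
    """Register both hooks once. PEP 578 hooks cannot be removed again,
    which is what makes them usable as an audit boundary."""
    global _installed
    if not _installed:
        sys.addaudithook(_recording_hook)  # registered first, so it sees
        sys.addaudithook(_policy_hook)     # events before the policy hook
        _installed = True
    return _installed


def events_of(event):
    """All recorded argument tuples for one event name."""
    return [args for (ev, args) in AUDIT_LOG if ev == event]


def write_sample_file(text):
    """Create a constructed sample file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def watched_read(path):
    """Read a file; the builtin open() raises the "open" audit event first."""
    with open(path) as f:
        return f.read()


def try_read(path):
    """"blocked" if the policy refused, "missing" if the OS did, else "ok"."""
    try:
        watched_read(path)
        return "ok"
    except AuditPolicyViolation:
        return "blocked"
    except FileNotFoundError:
        return "missing"


def try_spawn(argv):
    """"blocked" if the policy hook refused the process, else "ran"."""
    try:
        subprocess.run(argv)
        return "ran"
    except AuditPolicyViolation:
        return "blocked"


if __name__ == "__main__":
    install_hooks()
    sample = write_sample_file("constructed sample content\n")
    print(watched_read(sample).strip())
    # Refused by policy before the OS is asked, so no FileNotFoundError
    print(try_read("/nonexistent/creds.secret"))
    print(try_spawn(["echo", "hello"]))
    for ev, args in AUDIT_LOG:
        print(ev, repr(args[0])[:60])
```

Note that the hook sees the subprocess event with the full argv before exec, and the open event with the path before any file descriptor exists; that is the synchronous, blockable view of runtime behaviour the question above asks about for the JVM.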