RASP从0到1全面指南<\/h1>

1. RASP概述<\/h2>
Runtime Application Self-Protection (RASP)是Gartner在2012年推出的一项安全技术，它通过将安全防护直接集成到应用程序中，实现对应用运行时的全面监控和保护。<\/p>

1.1 RASP核心特点<\/h3>

深度集成<\/strong>：附加到应用程序内部，部署多个探针实现全面监控<\/li>
实时防护<\/strong>：保护应用程序免受攻击，保持低误报率和性能开销<\/li>
全面覆盖<\/strong>：覆盖整个应用堆栈，包括应用程序代码、库、框架和商用软件<\/li>

上下文感知<\/strong>：拥有完整的上下文信息，能更深层次检查和控制应用程序<\/li> <\/ul>
1.2 RASP与传统防护对比<\/h3>

特性<\/th> RASP<\/th> WAF<\/th> EDR<\/th> <\/tr> <\/thead>

防护层级<\/td> 应用内部<\/td> 流量层<\/td> 进程级<\/td> <\/tr>
上下文<\/td> 完整<\/td> 无<\/td> 有限<\/td> <\/tr>
0day防护<\/td> 有效<\/td> 有限<\/td> 有限<\/td> <\/tr>
误报率<\/td> 低<\/td> 高<\/td> 中<\/td> <\/tr>
部署方式<\/td> 应用集成<\/td> 网络边界<\/td> 主机<\/td> <\/tr> <\/tbody> <\/table>
2. RASP环境配置<\/h2>
2.1 项目结构<\/h3>
- agent (RASP核心模块) - javawebAgent - test-struts2 (测试模块) <\/code><\/pre> 2.2 agent模块配置<\/h3> pom.xml关键配置<\/h4> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.ow2.asm<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>asm-all<\/artifactId><\/span> <\/span><\/span> <version><\/span>5.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-io<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-io<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.2<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>javax.servlet<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>javax.servlet-api<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.1.0<\/version><\/span> <\/span><\/span> <scope><\/span>provided<\/scope><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span> <\/span><\/span><build><\/span> <\/span><\/span> <plugins><\/span> <\/span><\/span> <plugin><\/span> <\/span><\/span> <groupId><\/span>org.apache.maven.plugins<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>maven-jar-plugin<\/artifactId><\/span> <\/span><\/span> <configuration><\/span> <\/span><\/span> <archive><\/span> <\/span><\/span> <manifestFile><\/span>src\/main\/resources\/MANIFEST.MF<\/manifestFile><\/span> <\/span><\/span> <\/archive><\/span> <\/span><\/span> <\/configuration><\/span> <\/span><\/span> <\/plugin><\/span> <\/span><\/span> <plugin><\/span> <\/span><\/span> <groupId><\/span>org.apache.maven.plugins<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>maven-shade-plugin<\/artifactId><\/span> <\/span><\/span> <executions><\/span> <\/span><\/span> <execution><\/span> <\/span><\/span> <configuration><\/span> <\/span><\/span> <artifactSet><\/span> <\/span><\/span> <includes><\/span> <\/span><\/span> <include><\/span>commons-io:commons-io:jar:*<\/include><\/span> <\/span><\/span> <include><\/span>org.ow2.asm:asm-all:jar:*<\/include><\/span> <\/span><\/span> <\/includes><\/span> <\/span><\/span> <\/artifactSet><\/span> <\/span><\/span> <\/configuration><\/span> <\/span><\/span> <\/execution><\/span> <\/span><\/span> <\/executions><\/span> <\/span><\/span> <\/plugin><\/span> <\/span><\/span> <\/plugins><\/span> <\/span><\/span><\/build><\/span> <\/span><\/span><\/code><\/pre>MANIFEST.MF配置<\/h4> Manifest-Version: 1.0 Premain-Class: cn.org.javaweb.agent.Agent Can-Retransform-Classes: true Can-Redefine-Classes: true Can-Set-Native-Method-Prefix: true <\/code><\/pre> 2.3 Tomcat虚拟机选项<\/h3> -Dfile.encoding=UTF-8 -noverify -Xbootclasspath\/p:E:\CODE_COLLECT\Idea_java_ProTest\javawebAgent\agent\target\agent.jar -javaagent:E:\CODE_COLLECT\Idea_java_ProTest\javawebAgent\agent\target\agent.jar <\/code><\/pre> 3. RASP核心实现<\/h2> 3.1 premain模式基础实现<\/h3> Agent类<\/h4> public<\/span> class<\/span> Agent<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String agentArgs,<\/span> Instrumentation inst)<\/span> {<\/span> <\/span><\/span> inst.<\/span>addTransformer<\/span>(<\/span>new<\/span> AgentTransform());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>AgentTransform类<\/h4> public<\/span> class<\/span> AgentTransform<\/span> implements<\/span> ClassFileTransformer {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> <\/span><\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> className =<\/span> className.<\/span>replace<\/span>(<\/span>"\/"<\/span>,<\/span> "."<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Load class:"<\/span> +<\/span> className);<\/span> <\/span><\/span> return<\/span> classfileBuffer;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2 ASM字节码操作<\/h3> TestClassVisitor实现<\/h4> public<\/span> class<\/span> TestClassVisitor<\/span> extends<\/span> ClassVisitor implements<\/span> Opcodes {<\/span> <\/span><\/span> public<\/span> TestClassVisitor<\/span>(<\/span>ClassVisitor cv)<\/span> {<\/span> <\/span><\/span> super<\/span>(<\/span>Opcodes.<\/span>ASM5<\/span>,<\/span> cv);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> access,<\/span> String name,<\/span> String desc,<\/span> <\/span><\/span> String signature,<\/span> String[]<\/span> exceptions)<\/span> {<\/span> <\/span><\/span> MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>access,<\/span> name,<\/span> desc,<\/span> signature,<\/span> exceptions);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>name +<\/span> "方法的描述符是:"<\/span> +<\/span> desc);<\/span> <\/span><\/span> return<\/span> mv;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>增强版AgentTransform<\/h4> public<\/span> class<\/span> AgentTransform<\/span> implements<\/span> ClassFileTransformer {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> <\/span><\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> className =<\/span> className.<\/span>replace<\/span>(<\/span>"\/"<\/span>,<\/span> "."<\/span>);<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>className.<\/span>contains<\/span>(<\/span>"ProcessBuilder"<\/span>))<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Load class: "<\/span> +<\/span> className);<\/span> <\/span><\/span> ClassReader classReader =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span> <\/span><\/span> ClassWriter classWriter =<\/span> new<\/span> ClassWriter(<\/span>classReader,<\/span> ClassWriter.<\/span>COMPUTE_MAXS<\/span>);<\/span> <\/span><\/span> ClassVisitor classVisitor =<\/span> new<\/span> TestClassVisitor(<\/span>classWriter);<\/span> <\/span><\/span> classReader.<\/span>accept<\/span>(<\/span>classVisitor,<\/span> ClassReader.<\/span>EXPAND_FRAMES<\/span>);<\/span> <\/span><\/span> classfileBuffer =<\/span> classWriter.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> classfileBuffer;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 命令执行拦截实现<\/h3> ProcessBuilderHook类<\/h4> public<\/span> class<\/span> ProcessBuilderHook<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> start<\/span>(<\/span>List<<\/span>String><\/span> commands)<\/span> {<\/span> <\/span><\/span> String[]<\/span> commandArr =<\/span> commands.<\/span>toArray<\/span>(<\/span>new<\/span> String[<\/span>commands.<\/span>size<\/span>()]);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>Arrays.<\/span>toString<\/span>(<\/span>commandArr));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>增强版TestClassVisitor<\/h4> public<\/span> class<\/span> TestClassVisitor<\/span> extends<\/span> ClassVisitor implements<\/span> Opcodes {<\/span> <\/span><\/span> \/\/ ... 其他代码同上 ... <\/span><\/span><\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> access,<\/span> String name,<\/span> String desc,<\/span> <\/span><\/span> String signature,<\/span> String[]<\/span> exceptions)<\/span> {<\/span> <\/span><\/span> MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>access,<\/span> name,<\/span> desc,<\/span> signature,<\/span> exceptions);<\/span> <\/span><\/span> if<\/span> (<\/span>"start"<\/span>.<\/span>equals<\/span>(<\/span>name)<\/span> &&<\/span> "()Ljava\/lang\/Process;"<\/span>.<\/span>equals<\/span>(<\/span>desc))<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> AdviceAdapter(<\/span>Opcodes.<\/span>ASM5<\/span>,<\/span> mv,<\/span> access,<\/span> name,<\/span> desc)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> visitCode<\/span>()<\/span> {<\/span> <\/span><\/span> mv.<\/span>visitVarInsn<\/span>(<\/span>ALOAD,<\/span> 0<\/span>);<\/span> <\/span><\/span> mv.<\/span>visitFieldInsn<\/span>(<\/span>GETFIELD,<\/span> "java\/lang\/ProcessBuilder"<\/span>,<\/span> "command"<\/span>,<\/span> "Ljava\/util\/List;"<\/span>);<\/span> <\/span><\/span> mv.<\/span>visitMethodInsn<\/span>(<\/span>INVOKESTATIC,<\/span> "cn\/org\/javaweb\/agent\/ProcessBuilderHook"<\/span>,<\/span> <\/span><\/span> "start"<\/span>,<\/span> "(Ljava\/util\/List;)V"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> super<\/span>.<\/span>visitCode<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> mv;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 表达式注入监测<\/h2> 4.1 表达式注入监测实现<\/h3> Agent类实现<\/h4> public<\/span> class<\/span> Agent<\/span> implements<\/span> Opcodes {<\/span> <\/span><\/span> private<\/span> static<\/span> List<<\/span>MethodHookDesc><\/span> expClassList =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> expClassList.<\/span>add<\/span>(<\/span>new<\/span> MethodHookDesc(<\/span>"org.mvel2.MVEL"<\/span>,<\/span> "eval"<\/span>,<\/span> <\/span><\/span> "(Ljava\/lang\/String;)Ljava\/lang\/Object;"<\/span>));<\/span> <\/span><\/span> expClassList.<\/span>add<\/span>(<\/span>new<\/span> MethodHookDesc(<\/span>"ognl.Ognl"<\/span>,<\/span> "parseExpression"<\/span>,<\/span> <\/span><\/span> "(Ljava\/lang\/String;)Ljava\/lang\/Object;"<\/span>));<\/span> <\/span><\/span> expClassList.<\/span>add<\/span>(<\/span>new<\/span> MethodHookDesc(<\/span> <\/span><\/span> "org.springframework.expression.spel.standard.SpelExpression"<\/span>,<\/span> "<init>"<\/span>,<\/span> <\/span><\/span> "(Ljava\/lang\/String;Lorg\/springframework\/expression\/spel\/ast\/SpelNodeImpl;"<\/span> +<\/span> <\/span><\/span> "Lorg\/springframework\/expression\/spel\/SpelParserConfiguration;)V"<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String agentArgs,<\/span> Instrumentation instrumentation)<\/span> {<\/span> <\/span><\/span> instrumentation.<\/span>addTransformer<\/span>(<\/span>new<\/span> ClassFileTransformer()<\/span> {<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> <\/span><\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> final<\/span> String class_name =<\/span> className.<\/span>replace<\/span>(<\/span>"\/"<\/span>,<\/span> "."<\/span>);<\/span> <\/span><\/span> for<\/span> (<\/span>final<\/span> MethodHookDesc methodHookDesc :<\/span> expClassList)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>methodHookDesc.<\/span>getHookClassName<\/span>().<\/span>equals<\/span>(<\/span>class_name))<\/span> {<\/span> <\/span><\/span> final<\/span> ClassReader classReader =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span> <\/span><\/span> ClassWriter classWriter =<\/span> new<\/span> ClassWriter(<\/span>classReader,<\/span> ClassWriter.<\/span>COMPUTE_MAXS<\/span>);<\/span> <\/span><\/span> final<\/span> int<\/span> api =<\/span> ASM5;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> ClassVisitor classVisitor =<\/span> new<\/span> ClassVisitor(<\/span>api,<\/span> classWriter)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> i,<\/span> final<\/span> String s,<\/span> String s1,<\/span> <\/span><\/span> String s2,<\/span> String[]<\/span> strings)<\/span> {<\/span> <\/span><\/span> final<\/span> MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>i,<\/span> s,<\/span> s1,<\/span> s2,<\/span> strings);<\/span> <\/span><\/span> if<\/span> (<\/span>methodHookDesc.<\/span>getHookMethodName<\/span>().<\/span>equals<\/span>(<\/span>s)<\/span> &&<\/span> <\/span><\/span> methodHookDesc.<\/span>getHookMethodArgTypeDesc<\/span>().<\/span>equals<\/span>(<\/span>s1))<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> MethodVisitor(<\/span>api,<\/span> mv)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> visitCode<\/span>()<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>"ognl.Ognl"<\/span>.<\/span>equals<\/span>(<\/span>class_name)<\/span> ||<\/span> <\/span><\/span> "org.mvel2.MVEL"<\/span>.<\/span>equals<\/span>(<\/span>class_name))<\/span> {<\/span> <\/span><\/span> mv.<\/span>visitVarInsn<\/span>(<\/span>Opcodes.<\/span>ALOAD<\/span>,<\/span> 0<\/span>);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> mv.<\/span>visitVarInsn<\/span>(<\/span>Opcodes.<\/span>ALOAD<\/span>,<\/span> 1<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> mv.<\/span>visitMethodInsn<\/span>(<\/span>Opcodes.<\/span>INVOKESTATIC<\/span>,<\/span> <\/span><\/span> Agent.<\/span>class<\/span>.<\/span>getName<\/span>().<\/span>replace<\/span>(<\/span>"."<\/span>,<\/span> "\/"<\/span>),<\/span> <\/span><\/span> "expression"<\/span>,<\/span> "(Ljava\/lang\/String;)V"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> mv;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> classReader.<\/span>accept<\/span>(<\/span>classVisitor,<\/span> ClassReader.<\/span>EXPAND_FRAMES<\/span>);<\/span> <\/span><\/span> classfileBuffer =<\/span> classWriter.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Throwable t)<\/span> {<\/span> <\/span><\/span> t.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> classfileBuffer;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> });<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> expression<\/span>(<\/span>String exp_demo)<\/span> {<\/span> <\/span><\/span> System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>"---EXP---"<\/span>);<\/span> <\/span><\/span> System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>exp_demo);<\/span> <\/span><\/span> System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>"---调用链---"<\/span>);<\/span> <\/span><\/span> StackTraceElement[]<\/span> elements =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getStackTrace<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>StackTraceElement element :<\/span> elements)<\/span> {<\/span> <\/span><\/span> System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>element);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> System.<\/span>err<\/span>.<\/span>println<\/span>(<\/span>"---"<\/span>);<\/span> <\/span><\/span> \/\/ 阻断攻击 <\/span><\/span><\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"Detected malicious expression: "<\/span> +<\/span> exp_demo);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>MethodHookDesc辅助类<\/h4> public<\/span> class<\/span> MethodHookDesc<\/span> {<\/span> <\/span><\/span> private<\/span> String hookClassName;<\/span> <\/span><\/span> private<\/span> String hookMethodName;<\/span> <\/span><\/span> private<\/span> String hookMethodArgTypeDesc;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造方法、getter和setter <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. agentmain动态附加实现<\/h2> 5.1 agentmain核心实现<\/h3> attachAgent类<\/h4> public<\/span> class<\/span> attachAgent<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> agentmain<\/span>(<\/span>String agentArgs,<\/span> Instrumentation inst)<\/span> <\/span><\/span> throws<\/span> UnmodifiableClassException {<\/span> <\/span><\/span> CustomClassTransformer transformer =<\/span> new<\/span> CustomClassTransformer(<\/span>inst);<\/span> <\/span><\/span> transformer.<\/span>retransform<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>CustomClassTransformer类<\/h4> public<\/span> class<\/span> CustomClassTransformer<\/span> implements<\/span> ClassFileTransformer {<\/span> <\/span><\/span> private<\/span> Instrumentation inst;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> CustomClassTransformer<\/span>(<\/span>Instrumentation inst)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>inst<\/span> =<\/span> inst;<\/span> <\/span><\/span> inst.<\/span>addTransformer<\/span>(<\/span>this<\/span>,<\/span> true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> <\/span><\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"In Transform"<\/span>);<\/span> <\/span><\/span> ClassReader cr =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span> <\/span><\/span> ClassWriter cw =<\/span> new<\/span> ClassWriter(<\/span>cr,<\/span> ClassWriter.<\/span>COMPUTE_MAXS<\/span>);<\/span> <\/span><\/span> ClassVisitor cv =<\/span> new<\/span> ClassVisitor(<\/span>Opcodes.<\/span>ASM5<\/span>,<\/span> cw)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> i,<\/span> final<\/span> String s,<\/span> String s1,<\/span> <\/span><\/span> String s2,<\/span> String[]<\/span> strings)<\/span> {<\/span> <\/span><\/span> final<\/span> MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>i,<\/span> s,<\/span> s1,<\/span> s2,<\/span> strings);<\/span> <\/span><\/span> if<\/span> (<\/span>"say"<\/span>.<\/span>equals<\/span>(<\/span>s))<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> MethodVisitor(<\/span>Opcodes.<\/span>ASM5<\/span>,<\/span> mv)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> visitCode<\/span>()<\/span> {<\/span> <\/span><\/span> super<\/span>.<\/span>visitCode<\/span>();<\/span> <\/span><\/span> mv.<\/span>visitFieldInsn<\/span>(<\/span>Opcodes.<\/span>GETSTATIC<\/span>,<\/span> "java\/lang\/System"<\/span>,<\/span> <\/span><\/span> "out"<\/span>,<\/span> "Ljava\/io\/PrintStream;"<\/span>);<\/span> <\/span><\/span> mv.<\/span>visitLdcInsn<\/span>(<\/span>"CALL "<\/span> +<\/span> s +<\/span> " method"<\/span>);<\/span> <\/span><\/span> mv.<\/span>visitMethodInsn<\/span>(<\/span>Opcodes.<\/span>INVOKEVIRTUAL<\/span>,<\/span> <\/span><\/span> "java\/io\/PrintStream"<\/span>,<\/span> <\/span><\/span> "println"<\/span>,<\/span> "(Ljava\/lang\/String;)V"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> mv;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> };<\/span> <\/span><\/span> cr.<\/span>accept<\/span>(<\/span>cv,<\/span> ClassReader.<\/span>EXPAND_FRAMES<\/span>);<\/span> <\/span><\/span> return<\/span> cw.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> retransform<\/span>()<\/span> throws<\/span> UnmodifiableClassException {<\/span> <\/span><\/span> Class[]<\/span> loadedClasses =<\/span> inst.<\/span>getAllLoadedClasses<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>Class clazz :<\/span> loadedClasses)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>"cn.org.javaweb.agent.attach.MainTest"<\/span>.<\/span>equals<\/span>(<\/span>clazz.<\/span>getName<\/span>()))<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>inst.<\/span>isModifiableClass<\/span>(<\/span>clazz)<\/span> &&<\/span> <\/span><\/span> !<\/span>clazz.<\/span>getName<\/span>().<\/span>startsWith<\/span>(<\/span>"java.lang.invoke.LambdaForm"<\/span>))<\/span> {<\/span> <\/span><\/span> inst.<\/span>retransformClasses<\/span>(<\/span>clazz);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2 动态附加程序<\/h3> Attachit_execinRun类<\/h4> public<\/span> class<\/span> Attachit_execinRun<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> List<<\/span>VirtualMachineDescriptor><\/span> list =<\/span> VirtualMachine.<\/span>list<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>VirtualMachineDescriptor vmd :<\/span> list)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>vmd.<\/span>displayName<\/span>().<\/span>endsWith<\/span>(<\/span>"MainTest"<\/span>))<\/span> {<\/span> <\/span><\/span> VirtualMachine virtualMachine =<\/span> VirtualMachine.<\/span>attach<\/span>(<\/span>vmd.<\/span>id<\/span>());<\/span> <\/span><\/span> virtualMachine.<\/span>loadAgent<\/span>(<\/span>"agent.jar路径"<\/span>,<\/span> "Attach!"<\/span>);<\/span> <\/span><\/span> virtualMachine.<\/span>detach<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.3 agentmain的MANIFEST.MF配置<\/h3> Manifest-Version: 1.0 Agent-Class: cn.org.javaweb.agent.attach.attachjar.attachAgent Can-Retransform-Classes: true Can-Redefine-Classes: true Can-Set-Native-Method-Prefix: true <\/code><\/pre> 6. RASP实现中的关键问题<\/h2> 6.1 字节码操作关键点<\/h3> 局部变量表访问规则<\/strong>：<\/p> 静态方法中：0指代第一个参数，1指代第二个参数<\/li> 实例方法中：0指代this，1指代第一个参数<\/li> <\/ul> <\/li> 方法描述符解析<\/strong>：<\/p> (Ljava\/util\/List;)V<\/code>：接收一个List参数，返回void<\/li> ()Ljava\/lang\/Process;<\/code>：无参数，返回Process对象<\/li> <\/ul> <\/li> 关键字节码指令<\/strong>：<\/p> ALOAD<\/code>：加载引用到操作数栈<\/li> GETFIELD<\/code>：获取实例字段值<\/li> INVOKESTATIC<\/code>：调用静态方法<\/li> INVOKEVIRTUAL<\/code>：调用实例方法<\/li> <\/ul> <\/li> <\/ol> 6.2 RASP实现挑战<\/h3> premain vs agentmain<\/strong>：<\/p> premain：启动时加载，可添加方法<\/li> agentmain：运行时附加，不可添加方法<\/li> <\/ul> <\/li> 类重定义限制<\/strong>：<\/p> 不能添加\/删除方法<\/li> 不能更改父类<\/li> 不能更改接口<\/li> 不能更改方法签名<\/li> <\/ul> <\/li> 性能考量<\/strong>：<\/p> 尽量减少transform操作<\/li> 使用COMPUTE_MAXS自动计算最大栈和局部变量<\/li> 避免不必要的类转换<\/li> <\/ul> <\/li> <\/ol> 7. RASP实践中的思考<\/h2> 7.1 RASP的优势<\/h3> 上下文感知<\/strong>：拥有完整的执行上下文信息<\/li> 0day防护<\/strong>：对未知漏洞有一定防护能力<\/li> 低误报率<\/strong>：基于实际行为而非模式匹配<\/li> 供应链安全<\/strong>：能监控第三方库的行为<\/li> <\/ol> 7.2 RASP的局限性<\/h3> 语言限制<\/strong>：不同语言需要不同实现<\/li> 部署复杂性<\/strong>：需要侵入应用<\/li> 稳定性风险<\/strong>：错误可能导致应用崩溃<\/li> 自身安全<\/strong>：RASP本身可能成为攻击面<\/li> <\/ol> 7.3 RASP最佳实践<\/h3> 与WAF\/EDR协同<\/strong>：构建纵深防御体系<\/li> 规则精细化<\/strong>：针对业务定制规则<\/li> 性能优化<\/strong>：减少对业务的影响<\/li> 安全加固<\/strong>：确保RASP自身安全<\/li> <\/ol> 8. 总结<\/h2> RASP作为一种深度集成的运行时防护技术，能够提供传统边界防护无法实现的精细化安全控制。通过字节码插桩技术，RASP可以在关键API调用点插入安全检查逻辑，实现对命令执行、表达式注入等攻击的有效防护。<\/p> 实现一个完整的RASP解决方案需要考虑：<\/p> 选择合适的hook点<\/li> 设计高效的字节码转换逻辑<\/li> 构建完善的规则体系<\/li> 确保部署和运行的稳定性<\/li> 与其他安全产品协同工作<\/li> <\/ol> 随着应用安全需求的不断提升，RASP将在应用安全防护体系中扮演越来越重要的角色。<\/p>

RASP从0到1全面指南<\/h1>

1. RASP概述<\/h2> Runtime Application Self-Protection (RASP)是Gartner在2012年推出的一项安全技术，它通过将安全防护直接集成到应用程序中，实现对应用运行时的全面监控和保护。<\/p>

2. RASP环境配置<\/h2>

2.2 agent模块配置<\/h3>

3. RASP核心实现<\/h2>

3.1 premain模式基础实现<\/h3>

3.2 ASM字节码操作<\/h3>

3.3 命令执行拦截实现<\/h3>

4. 表达式注入监测<\/h2>

4.1 表达式注入监测实现<\/h3>

5. agentmain动态附加实现<\/h2>

5.1 agentmain核心实现<\/h3>

5.2 动态附加程序<\/h3>

6. RASP实现中的关键问题<\/h2>

7. RASP实践中的思考<\/h2>

1. RASP概述<\/h2>
Runtime Application Self-Protection (RASP)是Gartner在2012年推出的一项安全技术，它通过将安全防护直接集成到应用程序中，实现对应用运行时的全面监控和保护。<\/p>