Version: 2.2

ARMR Library Rule

Overview

The ARMR library rule can be used to control native library loading. This is useful to prevent unauthorized attempts by an application to load native libraries.

The ARMR library rule is currently only supported on Waratek Elevate.

Given (Condition)

To control native library loading using the ARMR library rule, the user must specify the load declaration.

load

A parameter must be supplied to the load declaration to determine the libraries to which the ARMR library rule will control loading. Both Unix and Windows filesystem paths are supported. This parameter takes the form of a list of one or more quoted strings indicating specifically targeted native libraries and directories containing such native libraries. Each string in the parameter can be:

  • a single library name: the agent will control access to any library on the filesystem that matches the given name

  • an absolute path to a specific library

The wildcard character (*) is supported anywhere in the library name or path:

  • only one wildcard character can be used with each path

  • the wildcard will only wildcard a single directory

  • the wildcard can be used to specify all libraries with a specific prefix

  • the wildcard character specified on its own represents all native libraries on the filesystem

When (Action)

There are three supported actions for the ARMR library rule: protect, detect and allow.

protect

Any attempt to load a protected native library is blocked. If configured, a log message is generated with details of the event.

detect

Monitoring mode: the application behaves as normal. Any attempt to load a native library specified by the ARMR library rule is allowed, and a log message is generated with details of the event. A log message must be specified with this action.

allow

Can be used to allow loading of specific libraries which are a subset of protected libraries covered by an ARMR library rule in protect mode.
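The following Python is an added illustration of the load() matching rules and the protect/detect/allow precedence described above; it is not Waratek's implementation and makes no claim about how the agent matches paths internally. It assumes that a wildcard matches any run of characters without a directory separator, that a string with no separator is matched against the library file name anywhere on disk, that comparison is case-sensitive, and that an allow rule takes precedence over a protect rule covering the same library (the documented use of allow). Rule names and messages are taken from the "Library mod 4" example on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Illustrative model of the documented load()/action semantics. This is an
# assumption about the documented behaviour, not Waratek's code.

_SEP = r"[/\\]"  # accept both Unix and Windows separators


def _basename(path: str) -> str:
    """Last path component, for either separator style."""
    return re.split(_SEP, path)[-1]


def matches_load_pattern(pattern: str, path: str) -> bool:
    """Does one load() string select the library at `path`?

    Documented rules modelled here:
      - "*" on its own selects every native library on the filesystem
      - at most one wildcard per string
      - a wildcard never crosses a directory separator (single directory)
      - a string with no separator is a library name, matched anywhere on disk
    """
    if pattern == "*":
        return True
    if pattern.count("*") > 1:
        raise ValueError(f"only one wildcard allowed per load() string: {pattern!r}")
    has_separator = re.search(_SEP, pattern) is not None
    subject = path if has_separator else _basename(path)
    # Escape everything literally except the wildcard, which becomes
    # "any run of characters that is not a separator".
    regex = "".join(r"[^/\\]*" if ch == "*" else re.escape(ch) for ch in pattern)
    # Case-sensitive comparison here; real Windows matching may differ (assumption).
    return re.fullmatch(regex, subject) is not None


@dataclass(frozen=True)
class LibraryRule:
    description: str
    load: Tuple[str, ...]          # the load() parameter
    action: str                    # "protect", "detect" or "allow"
    message: Optional[str] = None  # log message; mandatory for detect


def validate_rule(rule: LibraryRule) -> None:
    """Reject rules the documentation says are invalid."""
    if rule.action not in ("protect", "detect", "allow"):
        raise ValueError(f"unsupported action {rule.action!r}")
    if rule.action == "detect" and not rule.message:
        raise ValueError("detect requires a log message")
    for p in rule.load:
        if p.count("*") > 1:
            raise ValueError(f"only one wildcard allowed per load() string: {p!r}")


def evaluate_load(rules: Sequence[LibraryRule], path: str) -> Tuple[str, Optional[LibraryRule]]:
    """Decide what happens when the application tries to load `path`.

    Precedence modelled from the docs: allow carves a subset out of protect,
    so allow wins over protect; detect only observes and never blocks
    (detect-vs-protect ordering is an assumption).
    """
    hits = [r for r in rules if any(matches_load_pattern(p, path) for p in r.load)]
    for action, outcome in (("allow", "allowed"), ("protect", "blocked"), ("detect", "detected")):
        for r in hits:
            if r.action == action:
                return outcome, r
    return "allowed", None


# "Library mod 4" from the examples on this page, as rule objects
LIBRARY_MOD_4 = (
    LibraryRule("Prevent loading all native libraries", ("*",), "protect",
                "Blocked attempt to load library"),
    LibraryRule("Detect loading a native library with a specific name", ("/tmp/libCounter.so",),
                "allow", "Access granted to load particular native library"),
)

if __name__ == "__main__":
    for r in LIBRARY_MOD_4:
        validate_rule(r)
    for p in ("/tmp/libCounter.so", "/tmp/libOther.so", r"C:\Windows\Counter.dll"):
        print(p, "->", evaluate_load(LIBRARY_MOD_4, p)[0])
```

Running the module evaluates three candidate loads against "Library mod 4": the explicitly allowed library is allowed, and the other two fall through to the catch-all protect rule and are blocked.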

Examples

All examples of the ARMR library rule are given for both Unix and Windows style filesystem paths, where appropriate.

In the following example, we define an ARMR library rule that prevents loading all native libraries inside a specific directory.

Unix

app("Library mod"):
requires(version: ARMR/2.2)
library("Prevent loading of all native libraries in specific directory"):
load("/tmp/*")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Windows

app("Library mod"):
requires(version: ARMR/2.2)
library("Prevent loading of all native libraries in specific directory"):
load("C:\Windows\*")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Logging

Unix

<10>1 2020-07-08T18:23:19.512+01:00 l-qa02 java 27675 - - CEF:0|ARMR:Library mod|Library mod|2.2|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Jul 08 2020 18:23:19.511 +0100 dvchost=l-qa02 procid=27675 outcome=success act=protect msg=Blocked attempt to load library path=/tmp/libCounter.so

Windows

<10>1 2020-07-08T14:44:39.012+01:00 win-02 java 27884 - - CEF:0|ARMR:Library mod|Library mod|2.2|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Jul 08 2020 14:44:39.012 +0100 dvchost=win-02 procid=27884 outcome=success act=protect msg=Blocked attempt to load library path=C:\\Windows\\Counter.dll
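For teams forwarding these events to a SIEM, the following Python is an added example (not part of this page or of Waratek's tooling) that parses the two log lines shown above as syslog-wrapped CEF and pulls out the fields a detection rule would key on: the action (act), the library path, the rule that fired (the CEF signature ID) and the severity. It assumes standard CEF escaping, where a backslash, pipe or equals sign inside a value is preceded by a backslash, which is why the Windows path appears as C:\\Windows\\Counter.dll in the raw event.

```python
import re
from typing import Dict, List

# The two ARMR library-rule events exactly as shown on this page (one Unix,
# one Windows), used as sample input. Raw strings keep the CEF-escaped backslashes.
SAMPLE_EVENTS = [
    r"<10>1 2020-07-08T18:23:19.512+01:00 l-qa02 java 27675 - - CEF:0|ARMR:Library mod|Library mod|2.2|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Jul 08 2020 18:23:19.511 +0100 dvchost=l-qa02 procid=27675 outcome=success act=protect msg=Blocked attempt to load library path=/tmp/libCounter.so",
    r"<10>1 2020-07-08T14:44:39.012+01:00 win-02 java 27884 - - CEF:0|ARMR:Library mod|Library mod|2.2|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Jul 08 2020 14:44:39.012 +0100 dvchost=win-02 procid=27884 outcome=success act=protect msg=Blocked attempt to load library path=C:\\Windows\\Counter.dll",
]

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension
_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash before '\\', '|' or '=' is dropped."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef_event(line: str) -> Dict[str, str]:
    """Parse one syslog-wrapped CEF line into a flat dict of header and extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    # Split on unescaped pipes only; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start:].rstrip("\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: _unescape(v) for k, v in zip(_HEADER_FIELDS, parts[:7])}
    event["syslog_prefix"] = line[:start].strip()
    # Extension values may contain spaces (rt=..., msg=...), so a value runs
    # up to the next " key=" token or the end of the line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        event[m.group(1)] = _unescape(m.group(2))
    return event


def blocked_library_loads(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only events where a library load was blocked (act=protect)."""
    blocked = []
    for line in lines:
        ev = parse_cef_event(line)
        if ev.get("act") == "protect" and "path" in ev:
            blocked.append({
                "host": ev.get("dvchost", ""),
                "path": ev["path"],
                "rule": ev["signature_id"],
                "severity": ev["severity"],
            })
    return blocked


if __name__ == "__main__":
    for hit in blocked_library_loads(SAMPLE_EVENTS):
        print(f"{hit['host']}: blocked load of {hit['path']} ({hit['rule']}, {hit['severity']})")
```

A detect-mode event from the same rule would carry a different act value and should not be counted as a block; filtering on act rather than on the message text keeps the logic stable if the message in the rule is reworded.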

Further Examples

Prevent loading a specific native library

Unix

app("Library mod 2"):
requires(version: ARMR/2.2)
library("Prevent loading a specific native library"):
load("/tmp/libCounter.so")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Windows

app("Library mod 2"):
requires(version: ARMR/2.2)
library("Prevent loading a specific native library"):
load("C:\Windows\Counter.dll")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Detect loading of any library with a specific name

Unix

app("Library mod 3"):
requires(version: ARMR/2.2)
library("Detect loading a native library with a specific name"):
load("libCounter.so")
detect(message: "Detected attempt to load library", severity: 6)
endlibrary
endapp

Windows

app("Library mod 3"):
requires(version: ARMR/2.2)
library("Detect loading a native library with a specific name"):
load("Counter.dll")
detect(message: "Detected attempt to load library", severity: 6)
endlibrary
endapp

Prevent loading of all native libraries, except allow specific library to be loaded

Unix

app("Library mod 4"):
requires(version: ARMR/2.2)

library("Prevent loading all native libraries"):
load("*")
protect(message: "Blocked attempt to load library", severity: 10)
endlibrary

library("Detect loading a native library with a specific name"):
load("/tmp/libCounter.so")
allow(message: "Access granted to load particular native library", severity: Medium)
endlibrary

endapp

Windows

app("Library mod 4"):
requires(version: ARMR/2.2)

library("Prevent loading all native libraries"):
load("*")
protect(message: "Blocked attempt to load library", severity: 10)
endlibrary

library("Detect loading a native library with a specific name"):
load("C:\Windows\Counter.dll")
allow(message: "Access granted to load particular native library", severity: Medium)
endlibrary

endapp