Version: 2.3

ARMR Library Rule

Overview

The ARMR library rule can be used to control native library loading. This is useful to prevent unauthorized attempts by an application to load native libraries.

The ARMR library rule is currently only supported on Waratek Elevate.

Given (Condition)

To control native library loading using the ARMR library rule, the user must specify the load declaration.

load

A parameter must be supplied to the load declaration to determine the libraries whose loading the ARMR library rule will control. Both Unix and Windows filesystem paths are supported. This parameter takes the form of a list of one or more quoted strings indicating specifically targeted native libraries and directories containing such native libraries. Each string in the parameter can be:

  • a single library name - the agent will control access to any library on the filesystem that matches the given name
  • an absolute path to a specific library

The wildcard character (*) is supported anywhere in the library name or path:

  • only one wildcard character can be used with each path
  • the wildcard will only wildcard a single directory
  • the wildcard can be used to specify all libraries with a specific prefix
  • the wildcard character specified on its own represents all native libraries on the filesystem

When (Action)

There are three supported actions for the ARMR library rule: protect, detect and allow.

protect

Any attempt to load a protected native library is blocked. If configured, a log message is generated with details of the event.

detect

Monitoring mode: the application behaves as normal. Any attempt to load a native library specified by the ARMR library rule is allowed. If configured, a log message is generated with details of the event. A log message must be specified with this action.

allow

Can be used to allow loading of specific libraries which are a subset of protected libraries covered by an ARMR library rule in protect mode.

As part of the action statement, the user may optionally specify the parameter stacktrace: “full”. When this parameter is specified, the stacktrace of the location of the attempted exploit is included in the security log entry.
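To make the load-pattern rules and the three actions concrete, here is an added Python evaluator that models them; it is example code written for this page, not Waratek's implementation or any part of the ARMR agent. It translates each load() string into a matcher following the documented constraints (one wildcard per path, a wildcard confined to a single directory, a bare "*" matching every library, a bare name matching that file name anywhere) and decides a load attempt against a list of rules. The names `pattern_to_regex`, `LibraryRule`, `evaluate_load` and `library_mod_4`, the normalization of Windows backslashes to forward slashes before matching, and the precedence of an allow rule over a protect rule are assumptions of this example.

```python
"""Evaluator for ARMR library-rule load patterns (added example, not Waratek's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ACTIONS = ("protect", "detect", "allow")


def _norm(path: str) -> str:
    # Assumption: Unix and Windows paths are compared in one normalized form,
    # so a rule written with backslashes matches a backslash path and vice versa.
    return path.replace("\\", "/")


def pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate one load() string into a regex following the documented rules:
    one wildcard per path, a wildcard never crosses a directory boundary,
    a bare "*" matches every library, a bare name matches that file name anywhere."""
    norm = _norm(pattern)
    if norm.count("*") > 1:
        raise ValueError(f"only one wildcard character is allowed per path: {pattern!r}")
    if norm == "*":
        return re.compile(r".*")
    if "*" in norm:
        head, tail = norm.split("*")
        body = re.escape(head) + r"[^/]*" + re.escape(tail)  # [^/]*: single directory only
    else:
        body = re.escape(norm)
    if "/" in norm:
        return re.compile(r"\A" + body + r"\Z")  # absolute path: whole-string match
    return re.compile(r"(?:\A|/)" + body + r"\Z")  # name only: match the basename


@dataclass
class LibraryRule:
    name: str
    load: list[str]
    action: str
    message: str = ""
    severity: str | int = "Medium"
    _regexes: list[re.Pattern[str]] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "detect" and not self.message:
            raise ValueError("detect requires a log message")
        self._regexes = [pattern_to_regex(p) for p in self.load]

    def matches(self, path: str) -> bool:
        target = _norm(path)
        return any(r.search(target) for r in self._regexes)


@dataclass
class Decision:
    allowed: bool
    events: list[dict] = field(default_factory=list)


def evaluate_load(rules: list[LibraryRule], path: str) -> Decision:
    """Decide whether a native library load proceeds and which log events result.
    Assumed precedence: allow carves its libraries out of any protect rule,
    protect blocks, detect only observes and logs."""
    matched = [r for r in rules if r.matches(path)]
    by_action = {a: [r for r in matched if r.action == a] for a in ACTIONS}
    events = [
        {"rule": r.name, "act": r.action, "msg": r.message, "severity": r.severity, "path": path}
        for a in ("allow", "protect", "detect") for r in by_action[a]
    ]
    if by_action["allow"]:
        # assumption: only the allow rule's event is emitted for a carved-out library
        return Decision(True, [e for e in events if e["act"] == "allow"])
    return Decision(not by_action["protect"], events)


def library_mod_4() -> list[LibraryRule]:
    """The page's "Library mod 4" policy: protect every library, allow one of them."""
    return [
        LibraryRule("Prevent loading all native libraries", ["*"], "protect",
                    "Blocked attempt to load library", 10),
        LibraryRule("Detect loading a native library with a specific name",
                    ["/tmp/libCounter.so"], "allow",
                    "Access granted to load particular native library", "Medium"),
    ]


if __name__ == "__main__":
    for lib in ("/tmp/libCounter.so", "/tmp/libOther.so", r"C:\Windows\Counter.dll"):
        d = evaluate_load(library_mod_4(), lib)
        print(lib, "allowed" if d.allowed else "blocked", d.events)
```

Running the module evaluates three load attempts against the "Library mod 4" policy: only /tmp/libCounter.so is allowed, and the other two produce a protect event with the rule's message and severity, mirroring the act=protect and path= fields seen in the logging examples.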

Examples

All examples of the ARMR library rule are given for both Unix and Windows style filesystem paths, where appropriate.

In the following example, we define an ARMR library rule that prevents loading all native libraries inside a specific directory.

Unix

app("Library mod"):
requires(version: ARMR/2.3)
library("Prevent loading of all native libraries in specific directory"):
load("/tmp/*")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Windows

app("Library mod"):
requires(version: ARMR/2.3)
library("Prevent loading of all native libraries in specific directory"):
load("C:\Windows\*")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Logging

Unix

<10>1 2021-03-31T10:52:42.103+01:00 userX_system java 6229 - - CEF:0|ARMR:Library mod|Library mod|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Mar 31 2021 10:52:42.102 +0100 dvchost=userX_system procid=6229 appVersion=1 act=protect msg=Blocked attempt to load library path=/tmp/libCounter.so

Windows

<10>1 2021-03-30T16:56:46.512+01:00 userX_system java 4349 - - CEF:0|ARMR:Library mod|Library mod|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Mar 30 2021 16:56:46.512 +0100 dvchost=userX_system procid=4349 appVersion=1 act=protect msg=Blocked attempt to load library path=C:\\Windows\\Counter.dll

Further Examples

As above, with the stacktrace also logged

Unix

app("Library mod - with stacktrace"):
requires(version: ARMR/2.3)
library("Prevent loading of all native libraries in specific directory"):
load("/tmp/*")
protect(message: "Blocked attempt to load library", severity: High, stacktrace: "full")
endlibrary
endapp

Windows

app("Library mod - with stacktrace"):
requires(version: ARMR/2.3)
library("Prevent loading of all native libraries in specific directory"):
load("C:\Windows\*")
protect(message: "Blocked attempt to load library", severity: High, stacktrace: "full")
endlibrary
endapp

Logging

Unix

<10>1 2021-04-01T12:10:21.282+01:00 userX_system java 27607 - - CEF:0|ARMR:Library mod - with stacktrace|Library mod - with stacktrace|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Apr 01 2021 12:10:21.282 +0100 dvchost=userX_system procid=27607 appVersion=1 act=protect msg=Blocked attempt to load library stacktrace=com.waratek.jvi.RuntimeSystemEnv.load0(RuntimeSystemEnv.java:175)\njava.lang.System.loadLibrary(Container-1)(System.java)\nCounter.<clinit>(Container-1)(Counter.java:17)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\njava.lang.Thread.run(Container-1)(Thread.java:876)\njava.lang.Thread.begin(Container-1)(Thread.java:897)\njava.lang.Thread.invokeRun(Container-1)(Thread.java:883)\njava.lang.Thread$ThreadHandler.invokeRun(Container-1)(Thread.java:55) path=/tmp/libCounter.so

Windows

<10>1 2021-04-01T12:09:43.442+01:00 userX_system java 25465 - - CEF:0|ARMR:Library mod - with stacktrace|Library mod - with stacktrace|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Apr 01 2021 12:09:43.442 +0100 dvchost=userX_system procid=25465 appVersion=1 act=protect msg=Blocked attempt to load library stacktrace=com.waratek.jvi.RuntimeSystemEnv.load0(RuntimeSystemEnv.java:175)\njava.lang.System.loadLibrary(Container-1)(System.java)\nCounter.<clinit>(Container-1)(Counter.java:17)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\njava.lang.Thread.run(Container-1)(Thread.java:876)\njava.lang.Thread.begin(Container-1)(Thread.java:897)\njava.lang.Thread.invokeRun(Container-1)(Thread.java:883)\njava.lang.Thread$ThreadHandler.invokeRun(Container-1)(Thread.java:55) path=C:\\Windows\\Counter.dll
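The log lines in both Logging sections are RFC 5424 syslog records carrying a CEF payload: a pipe-delimited header (vendor, product, version, rule name, event name, severity) followed by a key=value extension in which values may contain spaces and CEF escape sequences (`\\` for a backslash, `\n` for a line break). As an added example, not part of this page or of Waratek's tooling, the Python parser below splits the three layers, unescapes the extension so the Windows path and the stack frames come back intact, and flags blocked loads, which is what a SIEM ingest or detection rule needs. The first sample line is the Unix logging line from this page; the second is constructed after the page's Windows stacktrace line with the stack shortened to three frames. The names `parse_armr_line`, `stack_frames` and `is_blocked` are this example's own.

```python
"""Parser for ARMR library-rule CEF log lines (added example, not Waratek's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Taken from the page's Unix logging output.
SAMPLE_UNIX = r"<10>1 2021-03-31T10:52:42.103+01:00 userX_system java 6229 - - CEF:0|ARMR:Library mod|Library mod|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Mar 31 2021 10:52:42.102 +0100 dvchost=userX_system procid=6229 appVersion=1 act=protect msg=Blocked attempt to load library path=/tmp/libCounter.so"

# Constructed after the page's Windows stacktrace line, with the stack cut to three frames.
SAMPLE_WINDOWS_STACK = r"<10>1 2021-04-01T12:09:43.442+01:00 userX_system java 25465 - - CEF:0|ARMR:Library mod - with stacktrace|Library mod - with stacktrace|2.3|Prevent loading of all native libraries in specific directory|Execute Rule|High|rt=Apr 01 2021 12:09:43.442 +0100 dvchost=userX_system procid=25465 appVersion=1 act=protect msg=Blocked attempt to load library stacktrace=com.waratek.jvi.RuntimeSystemEnv.load0(RuntimeSystemEnv.java:175)\njava.lang.System.loadLibrary(Container-1)(System.java)\nCounter.<clinit>(Container-1)(Counter.java:17) path=C:\\Windows\\Counter.dll"

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>CEF:.*)$"
)
# An extension key starts the extension or follows a space; values may contain spaces.
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


@dataclass
class ArmrEvent:
    pri: int
    timestamp: str
    host: str
    procid: str
    vendor: str
    product: str
    version: str
    rule_name: str
    event_name: str
    severity: str
    ext: dict[str, str]


def unescape(value: str) -> str:
    # CEF extension escapes: \\ -> \, \= -> =, \n and \r -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict[str, str]:
    """Split key=value pairs; each value runs up to the next ' key=' token."""
    keys = list(KEY_RE.finditer(ext))
    out: dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def parse_armr_line(line: str) -> ArmrEvent:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line carrying CEF")
    # Header fields are pipe-delimited; an escaped pipe (\|) inside a field does not split.
    parts = re.split(r"(?<!\\)\|", m["msg"], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, rule_name, event_name, severity, ext = parts
    return ArmrEvent(int(m["pri"]), m["ts"], m["host"], m["procid"], vendor, product,
                     version, rule_name, event_name, severity, parse_extension(ext))


def stack_frames(event: ArmrEvent) -> list[str]:
    """Frames of the stacktrace extension, innermost first (empty when not logged)."""
    trace = event.ext.get("stacktrace", "")
    return trace.split("\n") if trace else []


def is_blocked(event: ArmrEvent) -> bool:
    """True when the rule ran in protect mode, i.e. the load was refused."""
    return event.ext.get("act") == "protect"


if __name__ == "__main__":
    for line in (SAMPLE_UNIX, SAMPLE_WINDOWS_STACK):
        ev = parse_armr_line(line)
        print(ev.host, ev.procid, ev.ext["act"], ev.ext["path"], len(stack_frames(ev)), "frames")
```

Extension values are located by scanning for the next ` key=` token rather than splitting on spaces, because msg and rt values contain spaces; unescaping is applied to each value after slicing so the `\n` separators inside stacktrace and the `\\` in the Windows path are handled in one place.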

Prevent loading a specific native library

Unix

app("Library mod 2"):
requires(version: ARMR/2.2)
library("Prevent loading a specific native library"):
load("/tmp/libCounter.so")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Windows

app("Library mod 2"):
requires(version: ARMR/2.2)
library("Prevent loading a specific native library"):
load("C:\Windows\Counter.dll")
protect(message: "Blocked attempt to load library", severity: High)
endlibrary
endapp

Detect loading of any library with a specific name

Unix

app("Library mod 3"):
requires(version: ARMR/2.2)
library("Detect loading a native library with a specific name"):
load("libCounter.so")
detect(message: "Detected attempt to load library", severity: 6)
endlibrary
endapp

Windows

app("Library mod 3"):
requires(version: ARMR/2.2)
library("Detect loading a native library with a specific name"):
load("Counter.dll")
detect(message: "Detected attempt to load library", severity: 6)
endlibrary
endapp

Prevent loading of all native libraries, except allow specific library to be loaded

Unix

app("Library mod 4"):
requires(version: ARMR/2.2)

library("Prevent loading all native libraries"):
load("*")
protect(message: "Blocked attempt to load library", severity: 10)
endlibrary

library("Detect loading a native library with a specific name"):
load("/tmp/libCounter.so")
allow(message: "Access granted to load particular native library", severity: Medium)
endlibrary

endapp

Windows

app("Library mod 4"):
requires(version: ARMR/2.2)

library("Prevent loading all native libraries"):
load("*")
protect(message: "Blocked attempt to load library", severity: 10)
endlibrary

library("Detect loading a native library with a specific name"):
load("C:\Windows\Counter.dll")
allow(message: "Access granted to load particular native library", severity: Medium)
endlibrary

endapp