Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


green league technology blog

Posted by bax at 2020-02-24

Reading: 16263

What is rasp? What is the performance comparison between rasp and WAF? What is the implementation idea of rasp, which will be introduced in detail in this article

RASP overview

What is rasp

Rasp (runtime application self-protection) runtime application self-protection,

RSAP injects itself into the application program, integrates with the application program, monitors and blocks attacks in real time, so that the program has the ability of self-protection. And the application does not need to make any changes in the coding, just a simple configuration

Run inside the application;

The detection point is located at the input and output position of the application program;

Input points include user request, file input, etc;

The output point includes database, network, file system, etc.

What rasp can do

Rasp vs WAF < deployment >


Unified deployment of external boundary entrance

Support transparent (in series), bypass and reverse proxy

It is easy to form a single point of failure, with a large impact area


Ø the server is deployed separately and embedded in the application program, so the application code is not aware

Java program, add the – javaagent rasp.jar parameter at startup

The development language is strongly related, but the protection plug-ins can be shared

Learn more about application context

Rasp vs WAF < performance >


The more regular matching rules, the lower performance

? related to hardware specifications

The service message has one more socket forwarding, and the delay is large

No impact on server CPU


Ø not all requests match all rules because they are only detected at key points

Some manufacturers claim that the impact on server CPU performance can be reduced to 2%

Ø the delay of unprotected state increases by 3-5%, and the delay of protected state increases by 4.6-8.9%

Rasp vs WAF < product features >

Rasp vs WAF < detection capability >


RASP prospects

“The RASP market size is expected to grow from USD 294.7 million in 2017 to USD 1,240.1 million by 2022, at a Compound Annual Growth Rate (CAGR) of 33.3% during the forecast period. “

Rasp technology implementation (Java)

Rasp implementation ideas

How to inject detection code

In which access control points to inject

How to detect attacks after injection

How to deal with attacks detected

Rasp injection method (Java)

Servlet filter: on the request response path, only HTTP messages can be filtered

JVM Refactoring: embedded in the JVM, rasp container is implemented based on the security control layer of the JVM. It is very difficult to be familiar with the JVM. Waratek abroad adopts this method

Java instrument: the most common approach

Java Foundation: source code, compilation and operation

What is java instrument

The new features of Java se 5 rely on JVMTI.

Used to monitor and assist programs running on the JVM, and even to replace and modify the definition of some classes

- the javaagent parameter specifies the jar file of the instrumentation function to run the program:

        java   –javaagent:K:\java\MyAgent.jar   app.HelloWorld

What is JVMTI

The full name JVM tool interface is a collection of local programming interfaces exposed by the JVM for users to extend.

Based on event driven, every time the JVM executes certain logic, it will actively call some event callback interfaces, which can be used by developers to extend their own logic.

Principles of Java instrument

How to implement intrument

JDK reflection


Java recognizes information about objects and classes at runtime in two ways:

Traditional RTTI: determine whether a class is loaded by the JVM at compile time;

Reflection mechanism: in the running state, all the properties and methods of any class (including those not loaded) can be known; for any object, any method and property can be called;

With the help of the "self auditing" ability and polymorphism of class structure exploration, we can give full play to the flexibility of Java.


Java provides a library called reflect, which encapsulates methods, constructors, fields, proxies, invocationhandler and other classes


At runtime, judge the class to which any object belongs.

Construct an object of any class at run time.

At runtime, judge the member variables and methods of any class.

Call the method of any object at runtime

Generate dynamic agent

JDK reflection - Example 1

Dynamic loading

JDK reflection - Example 2

Dynamic proxy

JDK reflex - conclusion

Although dynamic agent has high flexibility, it still needs to use the relevant class library to configure the dynamic agent and integrate it into the application source code, which is not an ideal solution.

No suitable method was found to proxy the existing classes without modifying the application code



An open source class library for analyzing, editing, and creating Java bytecode.

Founded by Shigeru Chiba (Chiba Zi) of the Department of mathematics and computer science, Tokyo Institutet of Technology. It has joined the open source JBoss application server project to implement the dynamic "AOP" framework for JBoss by using javassist to operate bytecode.

Allows developers to freely add new methods to a compiled class, or modify existing methods.

A way of Java instrumentation.


Simple, directly using java coding form, without understanding the virtual machine instructions, can dynamically change the structure of the class, or dynamically generate the class.


Javassist library, encapsulating classpool, ctclass, ctmethod and other classes;

Javassist - instance 1

Dynamic construction class

Javassist – instance 2


Premain function:

Transform function:

If it is a class to be modified, find the function to be injected in the middle of the class, and add a detection function before and after the function (the figure below is just a sketch).



An open source application framework for Java bytecode analysis, creation and modification.

Allows developers to freely add new methods to a compiled class, or modify existing methods.

A way of Java instrumentation.


It can operate bytecode directly with JVM instruction, which is more flexible;

High performance;

More functions;


ASM library / tools

Encapsulate many functional classes such as classreader, classvisitor and classwriter

Need to understand JVM instructions and class file structure

ASM - common classes

ASM - class diagram

Typical static agent mode:

ASM - bytecode resolution process

ASM - Example 1

Dynamic construction class

ASM - Example 2

Modification class

ASM - extension class using method