The document provides practical tips for hardening Java applications, discussing various approaches including minimizing dependencies, upgrading to the latest JDK versions, and using tools like CycloneDX and Syft to generate software bills of materials. It also emphasizes the use of distroless images to reduce attack surface and the benefits of GraalVM's native image for performance and security enhancements. Additionally, it covers metrics for assessing the attack surface area and highlights the importance of addressing vulnerabilities in application dependencies.

1. Practical Tips for
Hardening Java
Applications
ShaunSmith
Senior Director, Product & Developer Relations
Oracle Labs
@shaunsmith(@mastodon.social)

2. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
2
Photo by Christian J. on Unsplash

3. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
3
Photo by Shaun Smith

4. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
4
Photo by Christian J. on Unsplash

5. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
5
Photo by Christin Hume on Unsplash

6. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
6
Photo by Luis Sánchez on Unsplash

7. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
7
Photo by Pixabay: https://www.pexels.com/photo/two-people-
hiking-532803/
Photo by Sergey Fokin on Unsplash
Photo by Laila Klinsmann:
https://www.pexels.com/photo/depth-of-field-
photography-of-woman-riding-brown-horse-883630/

8. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
8
Photo by Antonin Duallia on Unsplash

9. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
9
Hardening (computing)
https://en.wikipedia.org/wiki/Hardening_(computing)

10. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
10
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

11. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
11
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

12. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
12
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

13. Software supply chain
https://en.wikipedia.org/wiki/Software_supply_chain
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
13

14. CycloneDX Maven/Gradle Syft generates a software bill of materials
from container images and filesystems.
Generating an SBOM
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
14

15. Common Vulnerabilities and
Exposures
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
15
https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

16. nvd.nist.gov/
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
16

17. CVE Detection
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
17
And many more..

18. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
18
SBOMs and CVEs
Cyclone DX / Syft / Spring PetClinic

19. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
19
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

20. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
20
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code
Thursday 14:10 - 14:40

21. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
21
Minimize Dependencies
...and keep them up to date
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

22. Always upgrade to the latest patch release of the
JDK
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
22
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Applicatio
n Code

23. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
23
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

24. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
24
Operating System
JVM
JDK
Application
Dependencies
Application
Code

25. jwebserver—Our Example App
Copyright © 2024, Oracle and/or its affiliates
25
https://blogs.oracle.com/javamagazine/post/java-18-simple-web-server
2024-05-08

26. Copyright © 2024, Oracle and/or its affiliates
26
https://blogs.oracle.com/javamagazine/post/java-18-simple-web-server
2024-05-08

27. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
27
Demo!
jwebserver

28. 785 MB
Debian Slim + JDK 21
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
28
FROM debian:12-slim
WORKDIR /web
RUN apt-get update &&
apt-get install -y wget &&
apt-get clean &&
wget -q https://download.oracle.com/graalvm/21/archive/graalvm-jdk-
21.0.2_linux-x64_bin.tar.gz -O graalvm.tar.gz &&
tar -xf graalvm.tar.gz &&
rm -f graalvm.tar.gz
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/web/graalvm-jdk-21.0.2+13.1/bin/jwebserver", "-b", "0.0.0.0", "-
d", "/web"]

29. 785 MB
Debian Slim + JDK 21
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
29

30. 436 MB
Eclipse Temurin JDK 21 (Ubuntu)
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
30
FROM eclipse-temurin:21
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/opt/java/openjdk/bin/jwebserver", "-b", "0.0.0.0", "-d", "/web"]

31. 436 MB
Eclipse Temurin JDK 21 (Ubuntu)
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
31

32. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
32
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21
103 136
785
436
779 861
2925
4482
Number of Packages
Size (MB)
Number of Executables
Number of Files

33. "Distroless" images contain only your
application and its runtime dependencies.
They do not contain package managers,
shells or any other programs you would
expect to find in a standard Linux
distribution.
https://github.com/GoogleContainerTools/distroless/blob/main/README.md
Copyright © 2024, Oracle and/or its affiliates
33 2024-05-08

34. Distroless Images
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
34

35. Distroless Images
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
35
For statically linked applications—no libc
For “mostly” statically linked applications—has libc
For JVM-based applications—no JDK, just required libs
Full JDK—with required libs

36. Distroless Java 21 (Debian 12)
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
36
For statically linked applications—no libc
For “mostly” statically linked applications—has libc
For JVM-based applications—no JDK, just required libs
Full JDK—with required libs

37. 192 MB
Distroless Java 21 (Debian 12)
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
37
FROM gcr.io/distroless/java21-debian12
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/opt/java/openjdk/bin/jwebserver", "-b", "0.0.0.0", "-d", "/web"]

38. 192 MB
Distroless Java 21 (Debian 12)
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
38

39. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
39
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21
103 136
20
785
436
192
779 861
333
2925
4482
1341
Number of Packages
Size (MB)
Number of Executables
Number of Files

40. jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
40

41. Remove unnecessary modules
jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
41

42. Remove unnecessary modules
jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
42

43. Distroless Java Base
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
43
For statically linked applications—no libc
For “mostly” statically linked applications—has libc
For JVM-based applications—no JDK, just required libs
Full JDK—with required libs

44. 128 MB
Distroless Java Base—Jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
44
FROM container-registry.oracle.com/graalvm/jdk:21 AS build
RUN jlink
--module-path ${JAVA_HOME}/jmods
--add-modules jdk.httpserver
--verbose
--strip-debug
--compress zip-9
--no-header-files
--no-man-pages
--strip-java-debug-attributes
--output jwebserver-jlink
FROM gcr.io/distroless/java-base-debian12
COPY --from=build /build/jwebserver-jlink /usr/lib/java
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/usr/lib/java/bin/jwebserver", "-b", "0.0.0.0", "-d", "/web"]

45. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
45
Demo!
jlink / jwebserver

46. 128 MB
Distroless Java Base—Jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
46

47. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
47
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21 distroless-javabase / jlink
103 136
20 23
785
436
192 128
779 861
333 316
2925
4482
1341 1367
Number of Packages
Size (MB)
Number of Executables
Number of Files

48. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
48
How can we do better?

49. GraalVM Native Image compiles applications Ahead-of-Time (AOT)
into platform native executables.
Oracle GraalVM Native Image
Copyright © 2024, Oracle and/or its affiliates
49
.class
.jar
.class
.jar
Windows
Executable
macOS
Executable
Linux
Executable
2024-05-08

50. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
50
Demo!
GraalVM Native Image

51. Native Image Dead Code Elimination
#8 114.2 [2/8] Performing analysis... [******]
(97.9s @ 3.02GB)
#8 114.2 39,261 reachable types (93.3% of 42,095 total)
#8 114.3 60,730 reachable fields (63.4% of 95,790 total)
#8 114.5 211,215 reachable methods (65.8% of 321,005 total)
#8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection
#8 114.5 65 types, 67 fields, and 57 methods registered for JNI access
Spring PetClinic—A Larger Example
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
51

52. Native Image Dead Code Elimination
#8 114.2 [2/8] Performing analysis... [******]
(97.9s @ 3.02GB)
#8 114.2 39,261 reachable types (93.3% of 42,095 total)
#8 114.3 60,730 reachable fields (63.4% of 95,790 total)
#8 114.5 211,215 reachable methods (65.8% of 321,005 total)
#8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection
#8 114.5 65 types, 67 fields, and 57 methods registered for JNI access
Spring PetClinic—A Larger Example
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
52
JDK
Application
Dependencies
Application
Code

53. JDK
Application
Dependencies
Application
Code
Native Image Dead Code Elimination
#8 114.2 [2/8] Performing analysis... [******]
(97.9s @ 3.02GB)
#8 114.2 39,261 reachable types (93.3% of 42,095 total)
#8 114.3 60,730 reachable fields (63.4% of 95,790 total)
#8 114.5 211,215 reachable methods (65.8% of 321,005 total)
#8 114.5 11,974 types, 930 fields, and 14,499 methods registered for reflection
#8 114.5 65 types, 67 fields, and 57 methods registered for JNI access
Spring PetClinic—A Larger Example
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
53
Removed
2,834 Classes, 35,060 Fields, 109,790 Methods

54. 1. Reduced application and dependent code surface of vulnerability—only Classes/Fields/Methods
proven reachable by the application are included in the image
2. Fixed resources—all defined at build time
3. No new unknown code can be loaded at run time—you know what is in your app at build time
4. Remove runtime dependency on XML/JSON parsers by parsing config files at build time, e.g., Spring
AOT and Micronaut AOT
5. Only includes GC implementation specified at build time
6. Only includes (large) monitoring features (JMX, JFR, etc.) explicitly
7. Reflection and deserialization is disabled by default and needs an explicit include list
8. No Just-in-time compiler crashes, wrong compilations, and “JIT spraying” is impossible
Native Image—Hardening Features
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
54

55. Native Image Benefits
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
55 *Relative results consistent on different hardware configurations
FastStart
& Scale
0
1
2
3
4
5
6
7
JIT (C2) Native Executable
(Optimized)
6.64
0.33
PetClinic Startup (seconds)
https://quarkus.io/
80% less memory with Native Image
https://helidon.io/#microprofile
57% less memory with Native Image

56. 2024-05-08
Copyright © 2024, Oracle and/or its affiliates
56
Friday 10:00 – 10:50

57. Distroless Java Base
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
57
For statically linked applications—no libc
For “mostly” statically linked applications—has libc
For JVM-based applications—no JDK, just required libs
Full JDK—with required libs

58. Distroless Java Base—Dynamically Linked Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
58
glibc
stdlibc++, zlib, etc.
Application Code
Fully Dynamically
Linked Executable

59. 48.3 MB
Distroless Java Base—Dynamically Linked Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
59
FROM container-registry.oracle.com/graalvm/native-image:21 AS nativebuild
WORKDIR /build
RUN native-image -Ob --enable-sbom=cyclonedx -m jdk.httpserver -o
jwebserver.dynamic
FROM gcr.io/distroless/java-base-debian12
COPY --from=nativebuild /build/jwebserver.dynamic /
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/jwebserver.dynamic", "-b", "0.0.0.0", "-d", "/web"]

60. 48.3 MB
Distroless Java Base—Dynamically Linked Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
60

61. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
61
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21 distroless-javabase / jlink distroless-javabase /
dynamically linked
103 136
20 23 28
785
436
192 128 48
779 861
333 316 300
2925
4482
1341 1367 1367
Number of Packages
Size (MB)
Number of Executables
Number of Files

62. GraalVM Native Executable Linking and Containerization Options
Copyright © 2024, Oracle and/or its affiliates
62
glibc
stdlibc++, zlib, etc.
Application Code
Fully Dynamic
OS must include all
dynamically linked libs
2024-05-08
gcr.io/distroless/
java-base-debian12
48.3 MB

63. GraalVM Native Executable Linking and Containerization Options
Copyright © 2024, Oracle and/or its affiliates
63
glibc
stdlibc++, zlib, etc.
Application Code
Fully Dynamic
OS must include all
dynamically linked libs
Application Code
glibc
stdlibc++, zlib,
etc.
Mostly Static
OS only need provide
libc libs
2024-05-08
gcr.io/distroless/
java-base-debian12
gcr.io/distroless/
base-debian12
48.3 MB 35.2 MB

64. GraalVM Native Executable Linking and Containerization Options
Copyright © 2024, Oracle and/or its affiliates
64
glibc
stdlibc++, zlib, etc.
Application Code
Fully Dynamic
OS must include all
dynamically linked libs
Application Code
Application Code
glibc
stdlibc++, zlib,
etc.
Mostly Static
musl libc
stdlibc++, zlib,
etc.
Fully Static
OS only need provide
libc libs
No libs provided by OS
2024-05-08
gcr.io/distroless/
java-base-debian12
gcr.io/distroless/
base-debian12
gcr.io/distroless/
static-debian12
48.3 MB 35.2 MB 17.1 MB

65. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
65
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21 distroless-javabase /
jlink
distroless-javabase /
dynamically linked
distroless-base /
mostly statically linked
distroless-static /
statically linked
103 136
20 23 28 11 9
785
436
192 128 48 36 17
779 861
333 316 300 280
1
2925
4482
1341 1367 1367
1228
935
Number of Packages
Size (MB)
Number of Executables
Number of Files

66. 21.9 MB
Alpine—Fully Static Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
66
FROM container-registry.oracle.com/graalvm/native-image:21-muslib AS nativebuild
WORKDIR /build
RUN native-image -Ob --enable-sbom=cyclonedx --static --libc=musl -m
jdk.httpserver -o jwebserver.static
FROM alpine:3
COPY --from=nativebuild /build/jwebserver.static /
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/jwebserver.static", "-b", "0.0.0.0", "-d", "/web"]

67. 21.9 MB
Alpine—Fully Static Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
67

68. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
68
Number of Packages
Size (MB)
Number of
Executables
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21 distroless-javabase
/ jlink
distroless-javabase
/ dynamically linked
distroless-base /
mostly statically
linked
distroless-static /
statically linked
alpine / statically
linked
103 136
20 23 28 11 9 21
785
436
192 128 48 36 17 22
779 861
333 316 300 280
1 18
2925
4482
1341 1367 1367
1228
935
80
Number of Packages
Size (MB)
Number of Executables
Number of Files

69. This image is most useful in the context of
building base...or super minimal images
(that contain only a single binary and
whatever it requires...)”
Copyright © 2024, Oracle and/or its affiliates
69
scratch
2024-05-08

70. 14.5 MB
Scratch
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
70
FROM container-registry.oracle.com/graalvm/native-image:21-muslib AS nativebuild
WORKDIR /build
RUN native-image -Ob --enable-sbom=cyclonedx --static --libc=musl -m
jdk.httpserver -o jwebserver.static
FROM scratch
COPY --from=nativebuild /build/jwebserver.static /
COPY index.html /web/index.html
EXPOSE 8000
ENTRYPOINT ["/jwebserver.static", "-b", "0.0.0.0", "-d", "/web"]

71. 14.5 MB
Scratch—Fully Static Executable
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
71

72. Attack Surface Area Metrics
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
72
Number of Packages
Size (MB)
Number of…
Number of Files
debian-slim full JDK eclipse-temurin21 distroless-java21 distroless-javabase
/ jlink
distroless-javabase
/ dynamically linked
distroless-base /
mostly statically
linked
distroless-static /
statically linked
alpine / statically
linked
scratch / statically
linked
103 136
20 23 28 11 9 21 6
785
436
192 128 48 36 17 22 15
779 861
333 316 300 280
1 18 1
2925
4482
1341 1367 1367
1228
935
80 1
Number of Packages
Size (MB)
Number of Executables
Number of Files

73. Where We Started
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
73
Cloud Platform
Operating System
JVM
JDK
Application
Dependencies
Application
Code

74. Jlink
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
74
Operating System
JVM
JDK
Application
Dependencies
Application
Code
Harden JDK by removing unnecessary modules

75. Distroless
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
75
Operating System
JVM
JDK
Application
Dependencies
Application
Code
Harden Operating System by removing unnecessary components

76. Harden by removing unnecessary Classes, Methods, Fields, and JDK infrastructure
GraalVM Native Image
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
76
JVM
JDK
Application
Dependencies
Application
Code

77. 1. Reduce 3rd party dependencies
2. Generate SBOMs for your application to track deps and identify CVEs
3. Remove unnecessary JDK modules using jlink
4. Regularly upgrade dependencies and your JDK to the latest release
5. Use minimal container images with “just enough operating system”
6. Use GraalVM Native Image to minimize application attack surface area
Summary—Hardening Tips
2024-05-08
Copyright © 2024, Oracle and/or its affiliates
77

78. Shaun Smith
@shaunsmith(@mastodon.social)