Compact Profiles: Space and Security
By Erik Costlow-Oracle on May 20, 2014
By shrinking the size of the JRE, we enable developers to use their existing Java skills in new areas and take advantage of hardware like the Raspberry Pi, the BeagleBoard, and many others. This post will cover a few aspects of Compact Profiles:
- Comparisons between complete JRE and each profile
- Threat modeling of a Compact Profile
- Identifying and creating your compact JRE
- Configuring, installing, and updating your compact JRE
- Summary of compact profiles
Comparisons between the complete JRE and each profile
To see the various areas that Java runs in, here is a chart of sizes:
|Version||Approx. Size Installed
| JDK 8
Most developers use this.
||Developers building Java applications and/or profiling them with Mission Control.|
Most client systems use this.
||Clients running Java applications on their Windows/Max/Linux desktop.
| Server JRE 8
||Server systems, for running back-end processes or application servers. This JRE can run servlet containers and compile JSPs. It is smaller than the regular JDK because it does not contain the browser plug-in, Java Mission Control, or VisualVM.|
|Java SE Embedded 8
||Embedded devices like the Raspberry Pi, BeagleBoard, etc.
|Java SE Embedded compact 3
||Embedded devices requiring Kerberos or remote monitoring like JMX, but not APIs like Swing, CORBA, and Java Sound.
|Java SE Embedded compact 2
||Embedded devices making use of SQL connectivity or XML processing, but not any functionality from compact3.
|Java SE Embedded compact 1
||Embedded devices requiring a minimal version of Java SE, but not any functionality from compact2.
|Java ME Embedded
||Varies based on highly constrained device.
||Highly constrained embedded devices.
If you are working on an embedded device and wondering which profile you should use, please see the video “Choosing a Compact Profile for your Deployment.” It is also possible to mix-and-match certain items in different profiles through extensions.
Threat modeling of a Compact Profile
Compact profiles also contain a different threat model than the typical JDK Conceptual Diagram. Although the runtime is similar from the application’s point of view, the profiles are defined by items that are NOT present. For example any risk or potential misuse associated with Java2D would be mitigated in the compact3 profile, which does not include that component.
The Server JRE is a similar example: by not even having the deployment components of RIAs and browser plugins, the risk is eliminated (servers typically do not use that functionality).
It is possible to reduce and mitigate other threats as well given the control that the device manufacturer or operator has over installation/updates of the JRE. For example after creating a compact profile, one could decrease the threat model’s scope of Spoofing and likely Information Disclosure by updating the default keystore to remove everything except known-needed roots and then requiring encryption.
Identifying and creating a Compact Profile
JDK 8 provides a new tool called JDeps that can look at a collection of JAR and CLASS files and report on which compact profiles are used. When using JDeps to evaluate profiles, the report is transitive: if all your code fits in compact1 but you require something else that needs the larger compact2, then you must either use compact2 or remove the offending component.
Example usage of this is:
jdeps -profile filename.jar
filename.jar -> C:\Program Files\Java\jdk1.8.0\jre\lib\jce.jar (compact1)
filename.jar -> C:\Program Files\Java\jdk1.8.0\jre\lib\rt.jar (Full JRE)
filename.jar -> AnotherPackage.jar
-> com.sun.deploy.config JDK internal API (deploy.jar)
-> java.io compact1
-> java.lang compact1
-> java.lang.invoke compact1
-> java.math compact1
Additional details can be found in Jim Connors’ blog, Compact Profiles Demonstrated.
Creating, configuring, and updating your Compact Profile
Once you have identified the appropriate profile, you can create a compact profile that will run on the target device.
- Download the version of Java SE Embedded for your target platform.
- Unzip the version that you downloaded into its usual ejdk folder.
- Use the included bin/jrecreate command to create the profile.
This step requires a JAVA_HOME variable, which should point to your system’s java installation and not anything related to the target device.
For non-embedded OpenJDK, the profiles must be built separately on Linux.
- To create the bare minimum compact1 profile:
jrecreate -d ~/compact1 -profile compact1
- To create the bare minimum compact1 profile that also has the sun elliptical curve extension:
jrecreate -d ~/compact1WithEC -profile compact1 -x sunec
Once created, simply copy the newly created folder to your device and run it like any other application.
Configuring your Compact Profile
Once the compact profile has been created, it contains several noteworthy items beyond the JRE itself. One file in particular, called bom, lists the bill of materials for this compact JRE. By having that file, you and any subsequent users will be able to see precisely what went into this profile, when it was created, and other useful piece of information.
You may then customize the information as you would any other JRE. All configuration files are present, such as such as network configuration and proxy information, timezone data, etc.
Updating your Compact Profile
Any compact profile that you create is outside the scope of typical package management systems like RPM. For a device manufacturer, there are many commercial systems which exist to handle this. It is recommended to have a mechanism for patching devices, should the need arise.
Although devices may perform minimal operations, it is reasonable to plan ahead for software updates of your applications, the compact Java profile, as well as any underlying operating system and its libraries.
Compact profiles provide a way to trim down the Java runtime in order to fit on embedded devices, either as a system component or part of an application. Not only can compact profiles shrink the size of a Java runtime down to 11MB, it also decreases the potential attack surface.