Meituan Java RASP: Architecture, Challenges, and Performance Optimizations

Meituan’s Java RASP protects applications at runtime. It is built from a bootstrap jar, an agent jar, and a hot‑replaceable plugin loaded through a custom classloader, and it offers two deployment modes: dynamic agentmain and stable premain. The team addressed diverse runtime environments, CPU and latency overhead, and upgrade and monitoring difficulties through gray deployment, traffic pre‑warm, soft‑degrade, and optimised premain stubs. The result is a CPU increase of only 0.06‑3.73 %, modest memory growth, and near‑zero tail‑latency spikes, with support for a wide range of vulnerability classes and future plans for lightweight containers and zero‑impact injection.

Meituan Technology Team

RASP (Runtime Application Self-Protection) is a runtime security technology that detects and blocks application‑level attacks. The article describes Meituan’s Java RASP implementation, its architecture, deployment challenges, and performance optimisation.

Deployment modes: two Java Agent entry points, agentmain (dynamic attach) and premain (JVM start‑time). agentmain allows hot‑plugging without a restart but may cause CPU spikes; premain is stable but requires a JVM parameter change.

Challenges:

Complex business environments (multiple deployment forms, diverse JDK versions, various web containers).

Significant performance impact on CPU (cpu.busy) and tail latency (TP9999) during bytecode transformation.

Upgrade difficulty because a loaded Java Agent cannot be reloaded without JVM restart.

Monitoring difficulty due to hidden impact on business metrics.

Architecture: Meituan RASP consists of a bootstrap jar (rasp-boot.jar), the agent jar (rasp-agent.jar), a plugin jar (rasp-plugin.jar) loaded by a custom classloader, and script classes for detection logic. The classloader hierarchy isolates RASP code from the application.

Solutions:

Gray‑deployment strategy (10 % → 30 % → 50 % → 100 % of hosts).

Traffic pre‑warm and soft‑degrade mechanisms to limit impact under high load.

Separate frequently updated logic into a hot‑replaceable plugin, enabling runtime hot‑update without JVM restart.

Performance‑optimised premain stub that only enables bytecode transformation, reducing CPU spikes.

Comprehensive monitoring of host coverage, coredump count, bytecode modification volume, and latency metrics.
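An added example (not Meituan's code) of how the stable hook, the hot‑replaceable plugin and the soft‑degrade mechanism from the list above can fit together in Java; the package name, the Detector contract and the 2 ms / 5 s thresholds are assumptions.

```java
package com.example.rasp; // hypothetical package, not Meituan's

import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.function.BiPredicate;

/**
 * Stable bridge between the bytecode hooks (installed once by the agent) and the
 * hot-replaceable detection logic (the plugin jar). Injected hook stubs only ever call
 * check(), so the plugin can be swapped without retransforming any application class.
 * Assumes this class ships in the bootstrap jar (appendToBootstrapClassLoaderSearch or
 * Boot-Class-Path), so both hooked application classes and the isolated plugin loader see it.
 */
public final class PluginBridge {
    /** Assumed plugin contract: (hookType, argument) -> true when the call must be blocked. */
    public interface Detector extends BiPredicate<String, Object> {}

    private static volatile Detector detector;                 // current plugin, null = pass-through
    private static volatile long degradedUntilNanos;            // soft-degrade: pass through until then
    private static final long BUDGET_NANOS = 2_000_000L;        // assumed 2 ms budget per check
    private static final long COOLDOWN_NANOS = 5_000_000_000L;  // assumed 5 s pass-through after overrun

    /** Called from every injected hook. Cheap on the fast path and never throws into the app. */
    public static boolean check(String hookType, Object arg) {
        Detector d = detector;
        long start = System.nanoTime();
        if (d == null || start < degradedUntilNanos) return false;   // disabled or degraded: allow
        try {
            boolean block = d.test(hookType, arg);
            if (System.nanoTime() - start > BUDGET_NANOS) degradedUntilNanos = start + COOLDOWN_NANOS;
            return block;
        } catch (Throwable t) {
            degradedUntilNanos = start + COOLDOWN_NANOS;   // a faulty plugin must not take the app down
            return false;
        }
    }
    /** Hot-update: load the new plugin jar in an isolated loader and swap the reference. */
    public static void loadPlugin(File pluginJar, String detectorClass) throws Exception {
        // Parent null = bootstrap only: application classes cannot shadow plugin classes, and
        // the plugin stays invisible to the application's own loaders.
        URLClassLoader loader = new URLClassLoader(new URL[]{pluginJar.toURI().toURL()}, null);
        Detector fresh = (Detector) loader.loadClass(detectorClass).getDeclaredConstructor().newInstance();
        detector = fresh;          // the previous plugin and its loader become collectable
        degradedUntilNanos = 0L;   // a fresh plugin starts with a clean slate
    }
    /** Operator kill switch: hooks stay in place but do nothing. */
    public static void disable() { detector = null; }
}
```

Monitoring the degraded state (how often and for how long check() is passing through) is what makes the soft‑degrade visible in the business metrics the article says are otherwise hard to attribute to RASP.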

Performance results: After optimisation, CPU busy increased by only 0.06 %–3.73 % across QPS 20‑500, heap memory grew by ~180 MB, and TP9999 latency spikes were largely eliminated. Java‑based detection scripts outperformed JavaScript (average 6.5 ms vs 585 ms for a 100 k loop).

Supported vulnerability types: command execution, SQL injection, file access, deserialization, JNDI, expression injection, etc.

Future work: support for lightweight containers, zero‑impact injection, and automated configuration distribution.

Recruitment: Meituan’s Information Security team is hiring engineers with Java, JVM, and security expertise.

Startup-script fragment from the article (premain mode): the agent is injected through JAVA_TOOL_OPTIONS only when the switch is on.

# Pre-flight checks...
# Add the environment variable
if [[ "$RASP_SWITCH" == "ON" ]]; then
  JAVA_TOOL_OPTIONS="$JAVA_TOOL_OPTIONS -javaagent:rasp-premain.jar" && export JAVA_TOOL_OPTIONS
fi
# Start the Java process...
Agent jar MANIFEST.MF from the article: one class serves both entry points, and the redefine/retransform capabilities the hooks rely on are declared.

Manifest-Version: 1.0
Premain-Class: com.meituan.rasp.agent.RaspAgent
Agent-Class: com.meituan.rasp.agent.RaspAgent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Can-Set-Native-Method-Prefix: true
Loop body of the 100 k string-append benchmark behind the Java vs JavaScript script comparison:

// Java
c += 'c';
// JavaScript
c = c + 'c';
Written by Meituan Technology Team

Over 10,000 engineers powering China’s leading lifestyle services e‑commerce platform. Supporting hundreds of millions of consumers, millions of merchants across 2,000+ industries. This is the public channel for the tech teams behind Meituan, Dianping, Meituan Waimai, Meituan Select, and related services.
