Any FOSS Java scanner?

Posted 17 Oct 2009 at 12:58 UTC (updated 18 Oct 2009 at 08:09 UTC) by audriusa

In relation to the Wikipedia applet proposal, I am currently moving through the web in a hopeless search for some FOSS project that would show at least weak interest in scanning Java source code for bad intents. One of the huge advantages Wikipedia or another public server could provide is that we have the applet sources and can compile on the server side. Among other things, this allows us to strip the signature easily; maybe we could do more.

One of the valuable tools we have is the Java parser that can be made using javacc or some other similar tool. Hence we do not need to do the real syntax analysis from scratch. Also, I actually do not hope to have a tool that would provide "theoretical 100 % security". To get more security, we likely need to combine the scanner with community-related features like code reviews and so on.

While good security is normally provided by the browser itself, it may be that source code scanning could be orthogonal to the security manager that runs during execution: tricks that can fool the security manager could be caught at the syntax level more easily. These two then could be orthogonal to manual code review, as it may not be difficult to spot several hundred or even thousands of lines of strange-looking code.


One possibility is PMD, posted 18 Oct 2009 at 21:27 UTC by tcopeland » (Journeyer)

PMD uses a JavaCC-generated parser.

"tricks that can foul the security manager" ??!?, posted 30 Oct 2009 at 14:35 UTC by KlausWuestefeld » (Master)

Such as?

Just fighting urban legend, posted 31 Oct 2009 at 08:59 UTC by audriusa » (Journeyer)

Well, the lack of a problem may actually explain the lack of big interest in such a scanner in both the FOSS and proprietary communities. Over many years I myself have lost data several times because of trivial hard drive failures, but do not remember having any issues with Java applets, even though these were enabled on my desktop all the time. And yet applets are disabled on a certain part of machines "for security reasons".

What I want to do is to bring applets into Wikipedia (see article below). As part of this process, if some scanner were ever written, we likely should try to use it as an additional means. I also checked many sites describing Java security problems and found that roughly 90 % of them just raise FUD, providing links to source code that point nowhere and pages with "proof of concept applets" that in some cases contain no functional applet tag at all. Only very seldom do some real problems, like the calendar serialization bug, still come out. However, it seems that the code that tries to compromise a recent security hole will be complex enough to be easily visible. To utilize the (now fixed) calendar bug, it is required to prepare a binary blob containing an object that you cannot easily write from the applet because you cannot instantiate it. Even the most primitive scanner or a very fast and rudimentary code review can easily see an attempt to serialize / deserialize an object, something that is very seldom needed inside an applet, and if it is really needed, a human reviewer can check why. Another issue I found is that something (somehow, I do not understand where the problem is) can happen because applets can create files in the temporary folder. Again, this is easily detectable by a scanner that warns on the use of java.io and java.net; then a human reviewer can check why the applet actually needs such code. Hence the scanner, even if not so good, can complement the browser security in an orthogonal way.
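A minimal version of the source-level check described above (warn on java.io, java.net and serialization so a human reviewer can ask why), written as an added Python example rather than code from this thread or from PMD; the watch-list and the sample applet source are constructed for the illustration, and comments and string literals are blanked out first so text inside them cannot trigger a hit:

```python
import re

# Watch-list (an assumption for this illustration): file/network access and serialization APIs.
WATCH_PACKAGES = ("java.io", "java.net")
WATCH_CLASSES = ("ObjectInputStream", "ObjectOutputStream", "Serializable")

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)(?:\.\*)?\s*;")
# Comments and string literals: text inside them must never trigger a hit.
MASK_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def mask(src: str) -> str:
    # Blank out comments and strings but keep newlines so line numbers survive.
    return MASK_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src: str) -> list[tuple[int, str, str]]:
    # Returns (line, kind, detail) with kind "import" or "use".
    findings = []
    for lineno, line in enumerate(mask(src).splitlines(), 1):
        m = IMPORT_RE.match(line)
        if m:
            name = m.group(1)
            if any(name == p or name.startswith(p + ".") for p in WATCH_PACKAGES):
                findings.append((lineno, "import", name))
            continue  # an import line needs no further checks
        for cls in WATCH_CLASSES:
            if re.search(r"\b%s\b" % cls, line):
                findings.append((lineno, "use", cls))
        for pkg in WATCH_PACKAGES:  # fully-qualified use that bypasses imports
            if re.search(re.escape(pkg) + r"\.\w", line):
                findings.append((lineno, "use", pkg))
    return findings

# Constructed sample applet source (not a real applet) for the scanner to read.
SAMPLE_APPLET = """\
import java.applet.Applet;
import java.io.ObjectInputStream;
import java.net.*;
public class Demo extends Applet {
    // a comment naming java.io.File must not be flagged
    String banner = "see http://example.invalid/java.net";
    void load(byte[] blob) throws Exception {
        ObjectInputStream in = new ObjectInputStream(new java.io.ByteArrayInputStream(blob));
        Object o = in.readObject();
    }
}
"""
if __name__ == "__main__":
    for line, kind, detail in scan(SAMPLE_APPLET):
        print(f"line {line}: {kind} {detail}")
```

This is a text-level first filter for the reviewer; a real scanner would walk the parse tree, as PMD's JavaCC-generated parser allows, instead of matching lines.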

another computer science significant research project, posted 1 Nov 2009 at 13:42 UTC by lkcl » (Master)

audriusa, i've already outlined to you repeatedly and in considerable depth the many reasons as to why java is a fucking bad idea to put onto wikipedia, and your efforts would be best focussed, after accepting that, on deploying your skills to achieve the same goal _without_ asking that random java programs be allowed to be compiled on wikipedia's servers and uploaded onto and executed in users' browsers, through wikipedia.

auditing software source code for security vulnerabilities is a significant area of research by computer science experts.

i repeat.

it's a RESEARCH area.

i repeat.

it's a RESEARCH area.

the fact that you cannot find free software security-auditing projects should serve to emphasise and underline this.

the sooner you accept the fact that in the proposal you've put together there are far too many unknowns, risks, hurdles and detrimental factors which contribute to decreasing the reach and accessibility of wikipedia, in direct contravention of the wikipedia charter and the mandate and purpose of the wikipedia strategy process, the better.

then you can focus your skills and talents onto the other proposals which achieve the same aim, making use of your extensive knowledge of java to implement those proposals.

perhaps you might like to look at the wikimedia "tex" extenders, making an implementation (in your favourite programming language) which meets the criteria and standards that you wish to achieve, yes?

Sorry, posted 2 Nov 2009 at 12:02 UTC by audriusa » (Journeyer)

lkcl, I know your opinion already. Please leave this topic in peace and maybe allow others to say something.