Any FOSS Java scanner?
Posted 17 Oct 2009 at 12:58 UTC (updated 18 Oct 2009 at 08:09 UTC) by audriusa
In relation to the Wikipedia applet proposal, I am currently moving
through the web in the hopeless search of some FOSS project that would
show at least weak interest in scanning of Java source code for bad
intents. One of the huge advantages Wikipedia or other public server
could provide is that we have the applet sources and can compile on a
server side. Among other things this allows to strip the signature
easily, maybe we could do more.
One of the valuable tools we have is the Java parser that can be made
using javacc or some other similar tool. Hence we do not need to do the
real syntax analysis from scratch. Also, I actually do not hope do have
a tool that would provide "theoretical 100 % security". To get more
security, we likely need to combine the scanner with community related
features like code reviews and so on.
While good security is normally provided by the browser itself, it may
be that source code scanning could be orthogonal to the security manager
that runs during execution: tricks that can foul the security manager
could be caught at syntax level more easily. These two then could be
orthogonal to manual code review, as it may not be difficult to spot
several hundreds or even thousands of lines of strange looking code.
Well, the lack of problem may actually explain the lack of big interest
to such a scanner both in FOSS and proprietary communities. Through many
years I myself have lost data because of the the trivial hard drive
failure even several times but do not remember having any issues with
Java applets, despite these were enabled on my desktop all the time. And
yet applets are disabled on certain part of machines "for security
That I want to do is to bring applets into Wikipedia (see article
below). As part of this process, if some scanner was ever written, we
likely should try to use it as an additional mean. I also checked many
sites describing java security problems and found that roughly 90 % of
them just raise FUD, providing links to the source code that points
nowhere and pages with "proof of concept applets" that in some cases
contain no functional applet tag at all. Only very seldom some real
problems like calendar serialization bug do still come out. However it
seems that the code that tries to compromise a recent security hole will
be complex enough to be easily visible. To utilize the (now fixed)
calendar bug, it is required to prepare the binary blob containing
object that you cannot write easily from the applet because you cannot
instantiate it. Even the most
primitive scanner or very fast and rudimentary code review can
easily see an attempt to serialize / deserialize an object, something
that is very seldom needed inside the applet, and if really needed, a
human reviewer can check, why. Other
issue I found is that something - somehow - do not understand where a
problem is - can happen because applets can create files in the
temporary folder. Again, this is easily detectable by scanned that warns
on using java.io and java.net then human reviewer can check why actually
applet needs such a code. Hence the scanner, even not so good, can
complement the browser security in an orthogonal way.
audriusa, i've already outlined to you repeatedly and in considerable depth the many reasons as to why java is a fucking bad idea to put onto wikipedia, and your efforts would be best focussed, after accepting that, on deploying your skills to achieve the same goal _without_ asking that random java programs be allowed to be compiled on wikipedia's servers and uploaded onto and executed on user's browsers, through wikipedia.
auditing software source code for security vulnerabilities is a significant area of research by computer science experts.
it's a RESEARCH area.
it's a RESEARCH area.
the fact that you cannot find free software security-auditing projects should serve to emphasise and underline this.
the sooner you accept the fact that in the proposal you've put together there are far too many unknowns, risks, hurdles and detrimental factors which contribute to decreasing the reach and accessibility of wikipedia, in direct contravention of the wikipedia charter and the mandate and purpose of the wikipedia strategy process, the better.
then you can focus your skills and talents onto the other proposals which achieve the same aim, making use of your extensive knowledge of java to implement those proposals.
perhaps you might like to look at the wikimedia "tex" extenders, making an implementation (in your favourite programming language) which meets the criteria and standards that you wish to achieve, yes?
Sorry, posted 2 Nov 2009 at 12:02 UTC by audriusa »
lckl, I know you opinion already. Please leave this topic in peace and maybe allow other to say something.