Have you ever wondered what system resources the library you are about to include into your software project uses?
When you are developing software and care for the security of your system, you are in a dilemma: Either you use off-the-shelf software components and don’t know what might happen or either inspect the off-the-shelf components (which might take the same time as a rewrite) and probably miss your deadlines. This is not a very enjoyable situation to be in.
We would like to change that and developed a high-level capability inference for Java libraries. It can tell you which system resources it uses, so you can sleep safely again because the math library you use will not leak your sensitive data.
How does it work?
In order to access system functionalities a library written in Java will have to make use of the Java Native Interface (JNI) either directly or through the Java Class Library (JCL). We track those calls backwards through a call graph and can then produce an accurate footprint on the usage of those system capabilities.
And by pointing out excessive capability use, you can actually find vulnerabilities that would severely hurt the security of your system.
Where can I find out more and where can I download it?
We actually provide a website for this project, where you can download anything regarding the project you might ever be interested in… Also we are open source…. Enjoy!
Also you can attend my talk if you are at ESEC/FSE 2015 in Bergamo, Italy today. Just come to the R8.c Java and Object-Oriented Programming Session at 11:30 am in room Alabastro B. For those of you back home, I will provide the slides later on Slideshare.