chains-project/theo

Theo

Theo is a tool designed to monitor the access privileges that third-party dependencies exercise. Using static and dynamic analysis, it captures runtime information and maps resource accesses to specific dependencies, then detects changes to these privileges across different versions of the codebase.

How it works

Components: Theo consists of a preprocessor, an agent, a static analyser and a dynamic analyser.

  • The preprocessor is a Maven plugin that creates a mapping between dependencies and package names at project build time, so that the dependency responsible for a call can be identified at runtime.
  • The agent is a Java agent attached to the JVM at runtime. It captures calls to sensitive APIs that cannot be tracked with the default Java Flight Recorder (JFR) events. It uses AspectJ to weave into the sensitive APIs, and each captured call is emitted as a new JFR event.
  • The static analyser analyses the project statically to identify the dependencies and their privileges (sensitive API calls). It uses Soot to do this.
  • The dynamic analyser processes the JFR recording and maps the recorded sensitive API calls to the dependencies.

Usage

  1. Add the following configuration to your pom.xml file:
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-surefire-plugin</artifactId>
            <version>${surefire.version}</version>
            <configuration>
                <argLine>
                    ${theo.argLine}
                </argLine>
                <forkCount>1</forkCount>
                <reuseForks>false</reuseForks>
            </configuration>
        </plugin>
  2. Set the configs in the settings.conf file.
  3. Execute the run_theo-analysis.sh script.

Here is a breakdown of the script:

  • Runs the Maven preprocessor to generate the dependency mapping.
  • Generates a new aop.xml file that lists the third-party packages according to the dependency mapping.
  • Adds the generated aop.xml file into the agent jar.
  • Creates a copy of the previous versions of the static and dynamic analysis reports.
  • Runs the tests with the agent and JFR attached.
  • Runs the static analyser.
  • Runs the dynamic analyser on the JFR recording file generated by the tests.
  • Compares the new reports with the previous versions and generates a diff report.
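An added sketch (not Theo's own code) of the three pieces described under "How it works" and in the script breakdown above: a custom JFR event of the kind the agent commits from its AspectJ advice, the attribution of a recorded stack trace to a dependency through the preprocessor's package mapping, and the per-dependency diff of sensitive API calls between two report versions. The event name, the class and method names, and the mapping format (package prefix to Maven coordinate) are assumptions, not Theo's actual formats.

```java
import jdk.jfr.Event;
import jdk.jfr.Label;
import jdk.jfr.Name;
import java.util.*;

public class TheoSketch {
    // Hypothetical custom JFR event, in the style the agent emits when a woven sensitive API runs.
    @Name("theo.SensitiveApiCall")
    @Label("Sensitive API call")
    static class SensitiveApiCall extends Event {
        @Label("API") String api;
    }
    // Body of an AspectJ advice around a sensitive API: commit the event; JFR attaches the stack trace itself.
    static void recordSensitiveCall(String api) {
        SensitiveApiCall ev = new SensitiveApiCall();
        ev.api = api;
        ev.commit();
    }
    // "a.b.C" -> "a.b", "a.b" -> "a", "a" -> "" (strips the last dotted component).
    static String parent(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(0, dot);
    }
    // Dynamic-analyser step: attribute one recorded call to a dependency by scanning the stack
    // frames (innermost first) for the longest package prefix present in the preprocessor mapping.
    static String attribute(List<String> frameClasses, Map<String, String> packageToDependency) {
        for (String cls : frameClasses) {
            for (String pkg = parent(cls); !pkg.isEmpty(); pkg = parent(pkg)) {
                String dep = packageToDependency.get(pkg);
                if (dep != null) return dep;
            }
        }
        return "project";   // no third-party frame on the stack: the project code itself made the call
    }
    // Version diff: per dependency, which sensitive APIs were gained (+) or lost (-) since the last report.
    static Map<String, String> diffReports(Map<String, Set<String>> prev, Map<String, Set<String>> curr) {
        Map<String, String> changes = new TreeMap<>();
        Set<String> deps = new TreeSet<>(prev.keySet());
        deps.addAll(curr.keySet());
        for (String dep : deps) {
            Set<String> gained = new TreeSet<>(curr.getOrDefault(dep, Set.of()));
            gained.removeAll(prev.getOrDefault(dep, Set.of()));
            Set<String> lost = new TreeSet<>(prev.getOrDefault(dep, Set.of()));
            lost.removeAll(curr.getOrDefault(dep, Set.of()));
            if (!gained.isEmpty() || !lost.isEmpty()) changes.put(dep, "+" + gained + " -" + lost);
        }
        return changes;
    }
}
```

With a constructed mapping such as `Map.of("com.example.lib", "com.example:lib:1.2")` and frames `java.io.FileInputStream`, `com.example.lib.io.Loader`, `org.me.App`, `attribute` returns `com.example:lib:1.2`; a dependency that newly calls `java.io.FileInputStream.<init>` in the current report shows up in `diffReports` as a gained privilege, which is the kind of change the diff report is meant to surface.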

Work in progress

  • Improve the README
  • Improve the efficiency of the Java agent
  • Add tests

About

Mapping runtime access privileges to third-party dependencies