[Java Integration]: Fix sample #552

Merged
merged 6 commits into from
Oct 19, 2022
254 changes: 246 additions & 8 deletions frontends/java/README.md
Expand Up @@ -4,7 +4,38 @@ This is work in progress.

Download and install java / maven in ubuntu
-----------------------------------------
sudo apt-get install -y openjdk-8-jdk-headless maven
`sudo apt-get install -y openjdk-8-jdk-headless maven`
or
`sudo apt-get install -y openjdk-11-jdk-headless maven`
depends on the application you want to run.

java-callgraph and soot approach could run with OpenJDK+JRE 8 or later, while WALA can only run with OpenJDK+JRE 11 or later.


Prepare your java application for the static analysis
-----------------------------------------
You need to pack your java application (your compiled java bytecode in *.class to jar files in order to use the static analysis.

After you have compiled your *.java source code into *.class bytecode. You could use the following commands to pack them into a jar file

Command: `jar cvf <name of jar file> <all you class file>`

The sample command below will generate an app.jar file which contains main.class sub1.class and sub.class

Sample command: `jar cvf app.jar main.class sub1.class sub2.class`


Sample application for testing
-----------------------------------------
In fuzz-introspector/tests/java directory, there are 5 sample testcases. Each of them contains a sample java application and a build script.

Just go into one of the testcases directories (test1 to test5) and execute the build script, it will automatically generate a jar file for testing.

You could then use the generated file for the static analysis by specifying its full path or move it to the necessary locations.

Example for compiling and packing jar file for testcase test1: `cd path/to/fuzz-introspector/tests/java/test1; ./build.sh`

Example for compiling and packing jar file for testcase test5: `cd path/to/fuzz-introspector/tests/java/test5; ./build.sh`


Using java-callgraph
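Review bot: the sample description and the sample command in this hunk disagree: the prose says the jar "contains main.class sub1.class and sub.class" while the command packs `main.class sub1.class sub2.class`; make them agree (sub2.class). In the same hunk, `<all you class file>` should read `<all your class files>`, the parenthesis opened in "(your compiled java bytecode in *.class to jar files" is never closed, and "After you have compiled your *.java source code into *.class bytecode. You could use the following commands" is a sentence fragment; join the two with a comma.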
Expand All @@ -13,35 +44,242 @@ Depends on OpenJDK+JRE 8 or later

Depends on https://github.com/gousiosg/java-callgraph, which has compiled and packed as a jar file (javacg-0.1-SNAPSHOT-static.jar)

It requires the target source code compiled and packed into jar file.
To compile your own javacg-0.1-SNAPSHOT-static.jar, follows the steps below.

>```
git clone https://github.com/gousiosg/java-callgraph
cd java-callgraph
mvn install
```

After compiling the java-callgraph, the needed javacg-0.1-SNAPSHOT-static.jar is in the target directory.

The resulting call tree are shown in stdout.

Example of running: `java -jar javacg-0.1-SNAPSHOT-static.jar <TARGET_JAR_FILE>`
Command:
>```
cd frontends/java/java-callgraph
java -jar javacg-0.1-SNAPSHOT-static.jar <TARGET_JAR_FILE>
```

Example for execution using testcase test1:
>```
cd frontends/java/java-callgraph
java -jar javacg-0.1-SNAPSHOT-static.jar path/to/fuzz-introspector/tests/java/test1/test1.jar
```

Example for execution using testcase test5:
>```
cd frontends/java/java-callgraph
java -jar javacg-0.1-SNAPSHOT-static.jar path/to/fuzz-introspector/tests/java/test5/test5.jar
```


Using IBM's WALA
------------------------------------------
Depends on OpenJDK+JRE 8 or later
Depends on OpenJDK+JRE 11 or later

Depends on Maven 3.3 or later

Depends on IBM's WALA https://github.com/wala/WALA, the maven build process will automatically download and pack the WALA jar libraries.

The resulting call tree are shown in stdout.

Example of running: `./run.sh <-j | --jarFile> <jarFile1:...:javaFileN> <-e | --entryclass> <Public Entry Class Name>`
**Current limitation, the entryclass must contains the main method to build the callgraph.**

Example of running:
>```
cd frontends/java/wala
./run.sh <-j | --jarfile> <jarFile1:...:javaFileN> <-c | --entryclass> <Public Entry Class Name>
```

Example for execution using testcase test1:
>```
cd frontends/java/wala
./run.sh --jarfile path/to/fuzz-introspector/tests/java/test1/test1.jar --entryclass TestFuzzer
```

Example for execution using testcase test5:
>```
cd frontends/java/wala
./run.sh --jarfile path/to/fuzz-introspector/tests/java/test5/test5.jar --entryclass Fuzz.TestFuzzer`
```

Using Soot
------------------------------------------
Depends on OpenJDK+JRE 8 or later
Depends on OpenJDK+JRE 8 or later

Depends on Maven 3.3 or later

Depends on IBM's WALA https://github.com/soot-oss/soot, the maven build process will automatically download and pack the Soot jar libraries.
Depends on Soot https://github.com/soot-oss/soot, the maven build process will automatically download and pack the Soot jar libraries.

The resulting call tree are shown in stdout.

Example of running: `./run.sh <-j | --jarFile> <jarFile1:...:javaFileN> <-c | --entryclass> <Public Entry Class Name> <-m | --entrymethod <Public Entry Method Name>`
Example of running:

>```
cd frontends/java/soot
./run.sh <-j | --jarfile> <jarFile1:...:javaFileN> <-c | --entryclass> <Public Entry Class Name> <-m | --entrymethod <Public Entry Method Name>
```

Example for execution using testcase test1:
>```
cd frontends/java/soot
./run.sh -j path/to/fuzz-introspector/tests/java/test1/test1.jar -c TestFuzzer -m fuzzerTestOneInput
```

Example for execution using testcase test5:
>```
cd frontends/java/soot
./run.sh -j path/to/fuzz-introspector/tests/java/test5/test5.jar -c Fuzz.TestFuzzer -m fuzzerTestOneInput
```


Sample output for testcase test1
------------------------------------------
**java-callgraph**
```
C:TestFuzzer com.code_intelligence.jazzer.api.CannedFuzzedDataProvider
C:TestFuzzer TestFuzzer
C:TestFuzzer java.lang.Object
C:TestFuzzer java.lang.System
C:TestFuzzer java.io.PrintStream
M:TestFuzzer:<init>() (O)java.lang.Object:<init>()
M:TestFuzzer:fuzzerTestOneInput(com.code_intelligence.jazzer.api.FuzzedDataProvider) (M)java.io.PrintStream:println(java.lang.String)
M:TestFuzzer:main(java.lang.String[]) (O)com.code_intelligence.jazzer.api.CannedFuzzedDataProvider:<init>(java.lang.String)
M:TestFuzzer:main(java.lang.String[]) (S)TestFuzzer:fuzzerTestOneInput(com.code_intelligence.jazzer.api.FuzzedDataProvider)
```

**Wala**
```
Node: synthetic < Primordial, Lcom/ibm/wala/FakeRootClass, fakeRootMethod()V > Context: Everywhere
- invokestatic < Primordial, Lcom/ibm/wala/FakeRootClass, fakeWorldClinit()V >@0
-> Node: synthetic < Primordial, Lcom/ibm/wala/FakeRootClass, fakeWorldClinit()V > Context: Everywhere
- invokespecial < Primordial, Ljava/lang/Object, <init>()V >@4
-> Node: < Primordial, Ljava/lang/Object, <init>()V > Context: Everywhere
- invokestatic < Application, LTestFuzzer, main([Ljava/lang/String;)V >@5
-> Node: < Application, LTestFuzzer, main([Ljava/lang/String;)V > Context: Everywhere
Node: synthetic < Primordial, Lcom/ibm/wala/FakeRootClass, fakeWorldClinit()V > Context: Everywhere
- invokestatic < Primordial, Ljava/lang/Object, <clinit>()V >@0
-> Node: < Primordial, Ljava/lang/Object, <clinit>()V > Context: Everywhere
- invokestatic < Primordial, Ljava/lang/String, <clinit>()V >@1
-> Node: < Primordial, Ljava/lang/String, <clinit>()V > Context: Everywhere
Node: < Primordial, Ljava/lang/Object, <clinit>()V > Context: Everywhere
- invokestatic < Primordial, Ljava/lang/Object, registerNatives()V >@0
-> Node: < Primordial, Ljava/lang/Object, registerNatives()V > Context: Everywhere
Node: < Primordial, Ljava/lang/Object, registerNatives()V > Context: Everywhere
Node: < Primordial, Ljava/lang/String, <clinit>()V > Context: Everywhere
- invokespecial < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>(Ljava/lang/String$1;)V >@12
-> Node: < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>(Ljava/lang/String$1;)V > Context: Everywhere
Node: < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>(Ljava/lang/String$1;)V > Context: Everywhere
- invokespecial < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>()V >@1
-> Node: < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>()V > Context: Everywhere
Node: < Primordial, Ljava/lang/String$CaseInsensitiveComparator, <init>()V > Context: Everywhere
- invokespecial < Primordial, Ljava/lang/Object, <init>()V >@1
-> Node: < Primordial, Ljava/lang/Object, <init>()V > Context: Everywhere
Node: < Primordial, Ljava/lang/Object, <init>()V > Context: Everywhere
Node: < Application, LTestFuzzer, main([Ljava/lang/String;)V > Context: Everywhere
- invokestatic < Application, LTestFuzzer, fuzzerTestOneInput(Lcom/code_intelligence/jazzer/api/FuzzedDataProvider;)V >@9
-> Node: < Application, LTestFuzzer, fuzzerTestOneInput(Lcom/code_intelligence/jazzer/api/FuzzedDataProvider;)V > Context: Everywhere
Node: < Application, LTestFuzzer, fuzzerTestOneInput(Lcom/code_intelligence/jazzer/api/FuzzedDataProvider;)V > Context: Everywhere
```

**Soot**
```
--------------------------------------------------
Class #1: TestFuzzer
Class #1 Method #1: <TestFuzzer: void <init>()>
> No calls to this method.

Total: 0 internal calls.

> No calls from this method.

Total: 0 external calls.

Class #1 Method #2: <TestFuzzer: void fuzzerTestOneInput(com.code_intelligence.jazzer.api.FuzzedDataProvider)>
> No calls to this method.

Total: 0 internal calls.

> calls <java.lang.System: void <clinit>()> on Line 21
> calls <java.io.PrintStream: void println(java.lang.String)> on Line 21
> calls <java.lang.Object: void <clinit>()> on Line 21

Total: 3 external calls.

Class #1 Method #3: <TestFuzzer: void main(java.lang.String[])>
> No calls to this method.

Total: 0 internal calls.

> No calls from this method.

Total: 0 external calls.

--------------------------------------------------
Total Edges:3
--------------------------------------------------
---
filename: "TestFuzzer"
functionConfig:
listName: "All functions"
functionElements:
- functionName: "<init>"
functionSourceFile: "TestFuzzer"
linkageType: null
functionLinenumber: 18
functionDepth: null
returnType: "void"
argCount: 0
argTypes: []
constantsTouched: []
argNames: []
iCount: null
edgeCount: 0
functionReached: []
functionUses: 0
branchProfiles: null
bbcount: null
cyclomaticComplexity: null
- functionName: "fuzzerTestOneInput"
functionSourceFile: "TestFuzzer"
linkageType: null
functionLinenumber: 20
functionDepth: null
returnType: "void"
argCount: 1
argTypes:
- "com.code_intelligence.jazzer.api.FuzzedDataProvider"
constantsTouched: []
argNames: []
iCount: null
edgeCount: 3
functionReached:
- "<java.lang.System: void <clinit>()>; Line: 21"
- "<java.io.PrintStream: void println(java.lang.String)>; Line: 21"
- "<java.lang.Object: void <clinit>()>; Line: 21"
functionUses: 0
branchProfiles: null
bbcount: null
cyclomaticComplexity: null
- functionName: "main"
functionSourceFile: "TestFuzzer"
linkageType: null
functionLinenumber: 24
functionDepth: null
returnType: "void"
argCount: 1
argTypes:
- "java.lang.String[]"
constantsTouched: []
argNames: []
iCount: null
edgeCount: 0
functionReached: []
functionUses: 0
branchProfiles: null
bbcount: null
cyclomaticComplexity: null
```
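Review bot: every command example in this hunk opens its fence as `>```` but closes it with a bare ```` ``` ````; in CommonMark a fenced code block inside a blockquote only continues on lines that are themselves prefixed with `>`, so the opening fence lives in the blockquote and the closing fence starts a new block, and the commands render as plain paragraphs with stray fences. Drop the leading `>` on the opening fences (or prefix every line of each block with `>`). Smaller fixes in the same hunk: the WALA test5 example has a trailing backtick after `Fuzz.TestFuzzer`; the placeholder `<jarFile1:...:javaFileN>` in the WALA and Soot usage lines should be `<jarFile1:...:jarFileN>`; the Soot usage line's `<-m | --entrymethod <Public Entry Method Name>` is missing the `>` that closes the option placeholder; and "the entryclass must contains the main method" should read "must contain". Finally, the java-callgraph build instructions clone and `mvn install` the upstream repository at whatever its default branch currently is; since the resulting jar is executed locally, it would be worth telling readers to check out a specific tag or commit so the build is reproducible and auditable.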

26 changes: 21 additions & 5 deletions frontends/java/soot/pom.xml
Expand Up @@ -16,11 +16,27 @@
</properties>

<dependencies>
<dependency>
<groupId>org.soot-oss</groupId>
<artifactId>soot</artifactId>
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.3</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>2.0.3</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.soot-oss</groupId>
<artifactId>soot</artifactId>
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-yaml</artifactId>
<version>2.14.0-rc2</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
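Review bot: the new `jackson-dataformat-yaml` dependency is pinned to `2.14.0-rc2`, a release candidate; please pin a GA release so the build does not depend on a pre-release artifact that may later be withdrawn from the repository. Since `slf4j-api` and `slf4j-simple` are both introduced at `2.0.3`, consider declaring that version once in the `<properties>` block above so the API and the binding cannot drift apart on a later bump.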
2 changes: 1 addition & 1 deletion frontends/java/soot/run.sh
Expand Up @@ -46,4 +46,4 @@ fi

# Build and execute the call graph generator
mvn clean package
java -Xmx6144M -cp "target/ossf.fuzz.introspector.soot-1.0.jar:$JARFILE" ossf.fuzz.introspector.soot.CallGraphGenerator $ENTRYCLASS $ENTRYMETHOD
java -Xmx6144M -cp "target/ossf.fuzz.introspector.soot-1.0.jar" ossf.fuzz.introspector.soot.CallGraphGenerator $JARFILE $ENTRYCLASS $ENTRYMETHOD
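Review bot: the new invocation passes `$JARFILE $ENTRYCLASS $ENTRYMETHOD` unquoted; the line it replaces had the jar path inside a quoted `-cp` string, so a path containing spaces or glob characters that used to work now undergoes word splitting and globbing. Quote all three: `java -Xmx6144M -cp "target/ossf.fuzz.introspector.soot-1.0.jar" ossf.fuzz.introspector.soot.CallGraphGenerator "$JARFILE" "$ENTRYCLASS" "$ENTRYMETHOD"`. Taking the analysed jar off the analyser's own `-cp` is a welcome side effect, as the JVM running the generator no longer has the target's classes on its classpath. The hardcoded `ossf.fuzz.introspector.soot-1.0.jar` name will also silently break once the version in pom.xml changes; reading it from a variable or the `${project.build.finalName}` produced by the build would be more robust.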