https://github.com/chains-project/theo

Mapping runtime access privileges to third-party dependencies

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.0%) to scientific vocabulary
Last synced: 10 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: chains-project
  • License: mit
  • Language: Java
  • Default Branch: main
  • Homepage:
  • Size: 84.6 MB
Statistics
  • Stars: 0
  • Watchers: 7
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 2 years ago · Last pushed 10 months ago
Metadata Files
  • Readme
  • License

README.md

Theo

Theo is a tool designed to monitor the access privileges exercised by third-party dependencies. Using static and dynamic analysis, it captures runtime information and maps resource accesses to the specific dependencies that perform them. It then detects changes to these privileges across different versions of the codebase.

How it works

Components: Theo consists of a preprocessor, an agent, a static analyser and a dynamic analyser.

  • The preprocessor is a Maven plugin that creates a mapping between dependencies and package names at project build time, so that a dependency can be identified at runtime from the package of the calling code.
  • The agent is a Java agent attached to the JVM at runtime. It captures the sensitive APIs that cannot be tracked with the default Java Flight Recorder (JFR) events: it uses AspectJ to weave into those sensitive APIs and, whenever one is called, emits a new custom JFR event.
  • The static analyser analyses the project statically to identify the dependencies and their privileges (sensitive API calls). It uses Soot for this.
  • The dynamic analyser processes the JFR recording and maps each sensitive API call to the dependency that made it.

Usage

  1. Add the following configuration to your pom.xml file:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-surefire-plugin</artifactId>
  <version>${surefire.version}</version>
  <configuration>
    <argLine>${theo.argLine}</argLine>
    <forkCount>1</forkCount>
    <reuseForks>false</reuseForks>
  </configuration>
</plugin>
```

  2. Set the configuration options in the settings.conf file.
  3. Execute the run_theo-analysis.sh script.

Here is a breakdown of what the script does:

  • Runs the Maven preprocessor to generate the dependency mapping.
  • Generates a new aop.xml file that lists the third-party packages according to the dependency mapping.
  • Adds the generated aop.xml file into the agent jar.
  • Creates a copy of the previous versions of the static and dynamic analysis reports.
  • Runs the tests with the agent and JFR attached.
  • Runs the static analyser.
  • Runs the dynamic analyser on the JFR recording file generated by the tests.
  • Compares the new reports with the previous versions and generates a diff report.
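The two steps the dynamic analyser and the final comparison perform, attributing each recorded sensitive call to a dependency through the build-time package mapping and then diffing the per-dependency privilege sets between two versions, as an added Python example that is not part of Theo's code base. It assumes a constructed package-to-dependency mapping and constructed recordings: the jdk.* names are real JFR event names, while agent.ReflectionCall, the Maven coordinates and the class names are placeholders.

```python
from collections import defaultdict

# Constructed package-to-dependency mapping, standing in for what the Maven
# preprocessor records at build time (package prefix -> Maven coordinate).
PACKAGE_TO_DEP = {
    "org.apache.commons.io": "commons-io:commons-io:2.11.0",
    "com.fasterxml.jackson.core": "com.fasterxml.jackson.core:jackson-core:2.15.2",
    "com.example.app": "<project code>",
}

def dependency_of(class_name):
    """Resolve a fully qualified class name to the dependency that ships it.
    The longest matching package prefix wins, so a nested package is not
    swallowed by a shorter entry; JDK classes resolve to None."""
    matches = [p for p in PACKAGE_TO_DEP if class_name.startswith(p + ".")]
    return PACKAGE_TO_DEP[max(matches, key=len)] if matches else None

def attribute_events(events):
    """events: (JFR event name, stack frames innermost first). The innermost
    frame in a mapped package owns the access, so a read performed by
    java.io on behalf of commons-io is charged to commons-io, not the JDK.
    Returns {dependency: set of sensitive APIs it exercised}."""
    privileges = defaultdict(set)
    for api, frames in events:
        owner = next((d for d in map(dependency_of, frames) if d), "<unattributed>")
        privileges[owner].add(api)
    return dict(privileges)

def diff_privileges(old, new):
    """Privileges gained or lost per dependency between two analysed versions."""
    report = {}
    for dep in sorted(set(old) | set(new)):
        gained = new.get(dep, set()) - old.get(dep, set())
        lost = old.get(dep, set()) - new.get(dep, set())
        if gained or lost:
            report[dep] = {"gained": gained, "lost": lost}
    return report

# Constructed sample recordings: jdk.* are real JFR event names, agent.* is a placeholder.
OLD_EVENTS = [
    ("jdk.FileRead", ["java.io.FileInputStream", "org.apache.commons.io.FileUtils", "com.example.app.Main"]),
    ("jdk.FileWrite", ["java.io.FileOutputStream", "org.apache.commons.io.FileUtils", "com.example.app.Main"]),
    ("jdk.FileRead", ["java.io.FileInputStream", "com.fasterxml.jackson.core.JsonFactory", "com.example.app.Main"]),
]
# The newer version no longer writes files through commons-io, but jackson-core now
# opens a socket, and one reflective call comes from a package the mapping lacks.
NEW_EVENTS = OLD_EVENTS[:1] + OLD_EVENTS[2:] + [
    ("jdk.SocketWrite", ["sun.nio.ch.SocketChannelImpl", "com.fasterxml.jackson.core.JsonFactory", "com.example.app.Main"]),
    ("agent.ReflectionCall", ["java.lang.reflect.Method", "org.unmapped.Helper"]),
]
```

Running diff_privileges(attribute_events(OLD_EVENTS), attribute_events(NEW_EVENTS)) reports that jackson-core gained jdk.SocketWrite, commons-io lost jdk.FileWrite, and the reflective call lands in an "<unattributed>" bucket, which is the signal that the package mapping is incomplete rather than that the call is harmless.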

Work in progress

  • Improve the README
  • Improve the efficiency of the Java agent
  • Add tests

Owner

  • Name: CHAINS research project at KTH Royal Institute of Technology
  • Login: chains-project
  • Kind: organization

"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF

GitHub Events

Total
  • Push event: 6
  • Create event: 5
Last Year
  • Push event: 6
  • Create event: 5

Committers

Last synced: about 1 year ago

All Time
  • Total Commits: 8
  • Total Committers: 1
  • Avg Commits per committer: 8.0
  • Development Distribution Score (DDS): 0.0
Past Year
  • Commits: 2
  • Committers: 1
  • Avg Commits per committer: 2.0
  • Development Distribution Score (DDS): 0.0
Top Committers
  • yogyagamage (y****e@g****m): 8 commits

Issues and Pull Requests

Last synced: about 1 year ago

All Time
  • Total issues: 0
  • Total pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: less than a minute
  • Total issue authors: 0
  • Total pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: less than a minute
  • Issue authors: 0
  • Pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
Pull Request Authors
  • yogyagamage (2)