Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Architectural: Add Wala Framework Setup #35

Merged
merged 48 commits into from
Nov 28, 2024
Merged
Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
48 commits
Select commit Hold shift + click to select a range
d8b74e1
Add Wala Framework Setup
sarpsahinalp Oct 21, 2024
18533d7
Merge branch 'main' into feature/wala-implementation
sarpsahinalp Oct 21, 2024
a0ba1d9
Updated archunit tests
sarpsahinalp Oct 28, 2024
c17e30b
Changes in class resolver
sarpsahinalp Oct 29, 2024
ead7c0c
Updated archunit tests
sarpsahinalp Oct 31, 2024
54da5b5
Fix thread creation stuff for archunit
sarpsahinalp Oct 31, 2024
9e49868
Update archunit and wala implementation
sarpsahinalp Oct 31, 2024
4dd34ef
Improve wala tests
sarpsahinalp Oct 31, 2024
f2c0515
Merge branch 'main' into feature/wala-implementation
Oct 31, 2024
a525684
Feedback addressed coderabbit
sarpsahinalp Oct 31, 2024
6762c4d
Changes
sarpsahinalp Nov 3, 2024
82bf8d6
Changes in class resolver
sarpsahinalp Nov 4, 2024
72cfc94
Refactoring of architectural tests
sarpsahinalp Nov 5, 2024
a0a18f1
Fix failing tests
sarpsahinalp Nov 12, 2024
b60311c
Merge remote-tracking branch 'origin/feature/wala-implementation' int…
sarpsahinalp Nov 12, 2024
e257cc2
Add Wala enum for the architecture mode
sarpsahinalp Nov 19, 2024
ee10233
1. Refactor and add a strategy pattern for dynamic allocation of the …
sarpsahinalp Nov 19, 2024
157e936
1. Implemented the test cases for WalaSecurityTestCases
sarpsahinalp Nov 20, 2024
094935e
1. Add german translation for reasons
sarpsahinalp Nov 21, 2024
fc60a59
Macos specific file methods
sarpsahinalp Nov 24, 2024
69ca695
Add linux methods
sarpsahinalp Nov 24, 2024
2335c97
Merge remote-tracking branch 'origin/feature/wala-implementation' int…
sarpsahinalp Nov 24, 2024
f01a37d
Add windows methods to analyze
sarpsahinalp Nov 24, 2024
6b95748
Add methods for Wala framework
sarpsahinalp Nov 24, 2024
824732a
1. Refactor methods, parse methods for Wala framework
sarpsahinalp Nov 25, 2024
3150e2a
Narrowed structural differences between AOP and Architecture
Nov 26, 2024
26b18a5
Narrowed structural differences between AOP and Architecture
Nov 26, 2024
e76c20f
Update src/main/resources/de/tum/cit/ase/ares/api/localization/messag…
sarpsahinalp Nov 26, 2024
aab978f
Update src/main/resources/de/tum/cit/ase/ares/api/localization/messag…
sarpsahinalp Nov 26, 2024
23cb0b3
Update src/main/java/de/tum/cit/ase/ares/api/architecture/Architectur…
sarpsahinalp Nov 26, 2024
eba498f
Update src/main/java/de/tum/cit/ase/ares/api/architecture/java/wala/J…
sarpsahinalp Nov 26, 2024
3b80a18
Improve error messages
sarpsahinalp Nov 26, 2024
934b429
Merge remote-tracking branch 'origin/feature/wala-implementation' int…
sarpsahinalp Nov 26, 2024
3e29c27
Add german translation
sarpsahinalp Nov 26, 2024
6eb557c
Refactoring
sarpsahinalp Nov 26, 2024
6cb9ec1
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
79c9c17
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
452dae9
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
3ced159
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
78d52ca
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
4950299
Narrowed structural differences between Versions of Architecture tests
Nov 26, 2024
536233d
Change file constant names
sarpsahinalp Nov 26, 2024
64c9a0c
Add localization in ReachabilityChecker
sarpsahinalp Nov 26, 2024
8b8880f
Change german messages to pass the tests
sarpsahinalp Nov 27, 2024
1aba388
Add comment functionality in text files
sarpsahinalp Nov 27, 2024
10df859
Add comment functionality in text files
sarpsahinalp Nov 27, 2024
013b0e7
Add tests for the wala framework fix changes
sarpsahinalp Nov 27, 2024
b7ae64b
Address the changes!
sarpsahinalp Nov 27, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,11 @@
<artifactId>byte-buddy-agent</artifactId>
<version>1.14.19</version>
</dependency>
<dependency>
<groupId>com.ibm.wala</groupId>
<artifactId>com.ibm.wala.core</artifactId>
<version>1.6.7</version>
</dependency>
</dependencies>
<build>
<plugins>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,5 +39,5 @@ public interface ArchitectureSecurityTestCase {
*
* @param classes a set of {@link JavaClasses} representing the codebase to which the test case will be applied.
*/
void executeArchitectureTestCase(JavaClasses classes);
void executeArchitectureTestCase(Object classes);
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
package de.tum.cit.ase.ares.api.architecture.java;

//<editor-fold desc="Imports">

import com.ibm.wala.classLoader.IClass;
import com.ibm.wala.classLoader.Language;
import com.ibm.wala.core.java11.Java9AnalysisScopeReader;
import com.ibm.wala.ipa.callgraph.*;
import com.ibm.wala.ipa.callgraph.impl.DefaultEntrypoint;
import com.ibm.wala.ipa.callgraph.impl.Util;
import com.ibm.wala.ipa.callgraph.propagation.InstanceKey;
import com.ibm.wala.ipa.cha.ClassHierarchy;
import com.ibm.wala.ipa.cha.ClassHierarchyException;
import com.ibm.wala.ipa.cha.ClassHierarchyFactory;
import com.ibm.wala.types.ClassLoaderReference;
import com.ibm.wala.types.TypeReference;
import com.tngtech.archunit.core.domain.JavaClass;
import com.tngtech.archunit.core.importer.ClassFileImporter;
import de.tum.cit.ase.ares.api.architecture.java.wala.ReachabilityChecker;

import java.io.IOException;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
//</editor-fold>

/**
* Utility class to build a call graph from a class path.
*/
public class CallGraphBuilderUtils {

private CallGraphBuilderUtils() {
throw new IllegalStateException("Utility class");
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}

/**
* Class file importer to import the class files.
* This is used to import the class files from the URL.
*/
private static final ClassFileImporter classFileImporter = new ClassFileImporter();

private static final ClassHierarchy classHierarchy;

private static final AnalysisScope scope;

static {
try {
scope = Java9AnalysisScopeReader.instance.makeJavaBinaryAnalysisScope(
System.getProperty("java.class.path"),
null
);

// Build the class hierarchy
classHierarchy = ClassHierarchyFactory.make(scope);
} catch (ClassHierarchyException | IOException e) {
throw new SecurityException("Could not create class hierarchy for student submission", e); // $NON-NLS-1$
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
}


/**
* Try to resolve the class by the given type name.
*
* @param typeName The type name of the class to resolve.
* @return The resolved class if it exists.
*/
public static Optional<JavaClass> tryResolve(String typeName) {
// Advice definition uses Reflection and therefor should not be resolved
if (typeName.startsWith("de.tum.cit.ase.ares.api.aop.java.aspectj.adviceandpointcut.JavaAspectJFileSystemAdviceDefinitions")) {
return Optional.empty();
}
URL url = CallGraphBuilderUtils.class.getResource("/" + typeName.replace(".", "/") + ".class");
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
try {
if (url == null) {
return Optional.empty();
}
return Optional.of(classFileImporter.withImportOption(location -> !location.contains("jrt")).importUrl(url).get(typeName));
} catch (IllegalArgumentException e) {
return Optional.empty();
}
}

/**
* Get the immediate subclasses of the given type name.
*
* @param typeName The type name of the class to get the immediate subclasses.
* @return The immediate subclasses of the given type name.
*/
public static Set<JavaClass> getImmediateSubclasses(String typeName) {
TypeReference reference = TypeReference.find(ClassLoaderReference.Application, convertTypeName(typeName));
if (reference == null) {
return Collections.emptySet();
}
IClass clazz = classHierarchy.lookupClass(reference);
if (clazz == null) {
return Collections.emptySet();
}
return classHierarchy
.getImmediateSubclasses(clazz)
.stream()
.map(IClass::getName)
.map(Object::toString)
.map(CallGraphBuilderUtils::tryResolve)
.filter(Optional::isPresent)
.map(Optional::get).collect(Collectors.toSet());
}

/**
* Convert the type name to the format that can be used in the class file.
*
* @param typeName The type name to convert.
* @return The converted type name.
*/
public static String convertTypeName(String typeName) {
if (typeName == null || typeName.isEmpty()) {
throw new IllegalArgumentException("Type name cannot be null or empty");
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
return "L" + typeName.replace('.', '/');
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}

sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
/**
* Build a call graph from a class path.
*/
public static CallGraph buildCallGraph(String classPathToAnalyze, Predicate<CGNode> securityViolationCheck) {
try {
// Create a list to store entry points
List<DefaultEntrypoint> customEntryPoints = ReachabilityChecker.getEntryPointsFromStudentSubmission(classPathToAnalyze, classHierarchy);

// Create AnalysisOptions for call graph
AnalysisOptions options = new AnalysisOptions(scope, customEntryPoints);
options.setTraceStringConstants(false);
options.setHandleZeroLengthArray(false);
options.setReflectionOptions(AnalysisOptions.ReflectionOptions.NONE);

// Create call graph builder (n-CFA, context-sensitive, etc.)
com.ibm.wala.ipa.callgraph.CallGraphBuilder<InstanceKey> builder = Util.makeZeroOneCFABuilder(Language.JAVA, options, new AnalysisCacheImpl(), classHierarchy);

// Generate the call graph
CallGraph callGraph = builder.makeCallGraph(options, null);

List<CGNode> violatingMethods = ReachabilityChecker.findReachableMethods(callGraph, callGraph.getEntrypointNodes().iterator(), securityViolationCheck);

if (violatingMethods != null && !violatingMethods.isEmpty()) {
throw new SecurityException(String.format(
"Security violation: Detected %d unauthorized API call(s):%n%s",
violatingMethods.size(),
violatingMethods.stream()
.map(node -> String.format("- %s", node.getMethod().getSignature()))
.collect(Collectors.joining("%n"))
));
}
return callGraph;
} catch (CallGraphBuilderCancelException e) {
throw new SecurityException("Error building call graph", e); //$NON-NLS-1$
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
}
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package de.tum.cit.ase.ares.api.architecture.java.archunit;
package de.tum.cit.ase.ares.api.architecture.java;

sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
/**
* Supported architecture test cases in Java programming language.
Expand All @@ -7,7 +7,7 @@
* @version 2.0.0
* @since 2.0.0
*/
public enum JavaArchUnitTestCaseSupported {
public enum JavaArchitecturalTestCaseSupported {
/**
* Architecture test case for the file system interaction.
*/
Expand All @@ -27,5 +27,14 @@ public enum JavaArchUnitTestCaseSupported {
/**
* Architecture test case for the package import.
*/
PACKAGE_IMPORT
PACKAGE_IMPORT,
/**
* Architecture test case for the premature jvm termination.
*/
TERMINATE_JVM,
/**
* Architecture test case for the reflection.
*/
REFLECTION,

}
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
package de.tum.cit.ase.ares.api.architecture.java.archunit.postcompile;
package de.tum.cit.ase.ares.api.architecture.java;

import com.tngtech.archunit.base.DescribedPredicate;
import com.tngtech.archunit.core.domain.JavaAccess;
import com.tngtech.archunit.core.domain.JavaClass;
import com.tngtech.archunit.lang.ArchRule;
import com.tngtech.archunit.lang.syntax.ArchRuleDefinition;
import de.tum.cit.ase.ares.api.architecture.java.archunit.FileHandlerConstants;
import de.tum.cit.ase.ares.api.architecture.java.archunit.postcompile.TransitivelyAccessesMethodsCondition;
import de.tum.cit.ase.ares.api.util.FileTools;

import java.io.IOException;
Expand All @@ -26,7 +27,7 @@ public class JavaArchitectureTestCaseCollection {
* This method checks if any class in the given package accesses the file system.
*/
public static final ArchRule NO_CLASS_SHOULD_ACCESS_FILE_SYSTEM = createNoClassShouldHaveMethodRule(
"accesses file system",
"Accesses file system",
FileHandlerConstants.JAVA_FILESYSTEM_INTERACTION_METHODS
);
//</editor-fold>
Expand All @@ -36,7 +37,7 @@ public class JavaArchitectureTestCaseCollection {
* This method checks if any class in the given package accesses the network.
*/
public static final ArchRule NO_CLASSES_SHOULD_ACCESS_NETWORK = createNoClassShouldHaveMethodRule(
"accesses network",
"Accesses network",
FileHandlerConstants.JAVA_NETWORK_ACCESS_METHODS
);
//</editor-fold>
Expand All @@ -47,7 +48,7 @@ public class JavaArchitectureTestCaseCollection {
* This method checks if any class in the given package uses the command line.
*/
public static final ArchRule NO_CLASSES_SHOULD_TERMINATE_JVM = createNoClassShouldHaveMethodRule(
"terminates JVM",
"Terminates JVM",
FileHandlerConstants.JAVA_JVM_TERMINATION_METHODS
);
//</editor-fold>
Expand Down Expand Up @@ -101,7 +102,8 @@ public static ArchRule noClassesShouldImportForbiddenPackages(Set<String> allowe
public boolean test(JavaClass javaClass) {
return allowedPackages.stream().noneMatch(allowedPackage -> javaClass.getPackageName().startsWith(allowedPackage));
}
});
})
.as("Imports forbidden packages");
}
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved

private static ArchRule createNoClassShouldHaveMethodRule(
Expand All @@ -126,7 +128,8 @@ public boolean test(JavaAccess<?> javaAccess) {
.startsWith(method)
);
}
}));
}))
.as(ruleName);
}
//</editor-fold>

Expand All @@ -135,21 +138,21 @@ public boolean test(JavaAccess<?> javaAccess) {
* This method checks if any class in the given package uses reflection.
*/
public static final ArchRule NO_CLASSES_SHOULD_USE_REFLECTION = createNoClassShouldHaveMethodRule(
"uses Reflection",
"Uses Reflection",
FileHandlerConstants.JAVA_REFLECTION_METHODS
);
//</editor-fold>

//<editor-fold desc="Command Execution related rule">
public static final ArchRule NO_CLASSES_SHOULD_EXECUTE_COMMANDS = createNoClassShouldHaveMethodRule(
"executes commands",
"Executes commands",
FileHandlerConstants.JAVA_COMMAND_EXECUTION_METHODS
);
//</editor-fold>

//<editor-fold desc="Thread Creation related rule">
public static final ArchRule NO_CLASSES_SHOULD_CREATE_THREADS = createNoClassShouldHaveMethodRule(
"creates threads",
"Manipulates threads",
FileHandlerConstants.JAVA_THREAD_CREATION_METHODS
);
//</editor-fold>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,15 @@
//<editor-fold desc="Imports">
import com.tngtech.archunit.core.domain.JavaClasses;
import de.tum.cit.ase.ares.api.architecture.ArchitectureSecurityTestCase;
import de.tum.cit.ase.ares.api.architecture.java.archunit.postcompile.JavaArchitectureTestCaseCollection;
import de.tum.cit.ase.ares.api.architecture.java.JavaArchitecturalTestCaseSupported;
import de.tum.cit.ase.ares.api.architecture.java.JavaArchitectureTestCaseCollection;
import de.tum.cit.ase.ares.api.policy.SecurityPolicy.PackagePermission;

import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

import static de.tum.cit.ase.ares.api.architecture.java.archunit.postcompile.JavaArchitectureTestCaseCollection.getArchitectureRuleFileContent;
import static de.tum.cit.ase.ares.api.architecture.java.JavaArchitectureTestCaseCollection.getArchitectureRuleFileContent;
import static de.tum.cit.ase.ares.api.localization.Messages.localized;
//</editor-fold>

Expand All @@ -28,7 +29,7 @@ public class JavaArchUnitSecurityTestCase implements ArchitectureSecurityTestCas
/**
* Selects the supported architecture test case in the Java programming language.
*/
private final JavaArchUnitTestCaseSupported javaArchitectureTestCaseSupported;
private final JavaArchitecturalTestCaseSupported javaArchitectureTestCaseSupported;

/**
* List of allowed packages to be imported.
Expand All @@ -42,13 +43,13 @@ public class JavaArchUnitSecurityTestCase implements ArchitectureSecurityTestCas
*
* @param javaArchitectureTestCaseSupported Selects the supported architecture test case in the Java programming language
*/
public JavaArchUnitSecurityTestCase(JavaArchUnitTestCaseSupported javaArchitectureTestCaseSupported) {
public JavaArchUnitSecurityTestCase(JavaArchitecturalTestCaseSupported javaArchitectureTestCaseSupported) {
super();
this.javaArchitectureTestCaseSupported = javaArchitectureTestCaseSupported;
this.allowedPackages = new HashSet<>();
}

public JavaArchUnitSecurityTestCase(JavaArchUnitTestCaseSupported javaArchitectureTestCaseSupported, Set<PackagePermission> packages) {
public JavaArchUnitSecurityTestCase(JavaArchitecturalTestCaseSupported javaArchitectureTestCaseSupported, Set<PackagePermission> packages) {
super();
this.javaArchitectureTestCaseSupported = javaArchitectureTestCaseSupported;
this.allowedPackages = packages.stream().map(PackagePermission::importTheFollowingPackage).collect(Collectors.toSet());
Expand All @@ -74,32 +75,47 @@ public String writeArchitectureTestCase() {
* Runs the architecture test case in the Java programming language.
*/
@Override
public void executeArchitectureTestCase(JavaClasses classes) {
public void executeArchitectureTestCase(Object classes) {
// check if instance of object
if (!(classes instanceof JavaClasses javaClasses)) {
throw new IllegalArgumentException(localized("security.archunit.invalid.argument"));
}

try {
switch (this.javaArchitectureTestCaseSupported) {
case PACKAGE_IMPORT ->
JavaArchitectureTestCaseCollection
.noClassesShouldImportForbiddenPackages(allowedPackages)
.check(classes);
.check(javaClasses);
case REFLECTION ->
JavaArchitectureTestCaseCollection
.NO_CLASSES_SHOULD_USE_REFLECTION
.check(javaClasses);
case TERMINATE_JVM ->
JavaArchitectureTestCaseCollection
.NO_CLASSES_SHOULD_TERMINATE_JVM
.check(javaClasses);
case FILESYSTEM_INTERACTION ->
JavaArchitectureTestCaseCollection
.NO_CLASS_SHOULD_ACCESS_FILE_SYSTEM
.check(classes);
.check(javaClasses);
case NETWORK_CONNECTION ->
JavaArchitectureTestCaseCollection
.NO_CLASSES_SHOULD_ACCESS_NETWORK
.check(classes);
.check(javaClasses);
case THREAD_CREATION ->
JavaArchitectureTestCaseCollection.NO_CLASSES_SHOULD_CREATE_THREADS.check(classes);
JavaArchitectureTestCaseCollection.NO_CLASSES_SHOULD_CREATE_THREADS.check(javaClasses);
case COMMAND_EXECUTION ->
JavaArchitectureTestCaseCollection.NO_CLASSES_SHOULD_EXECUTE_COMMANDS.check(classes);
JavaArchitectureTestCaseCollection.NO_CLASSES_SHOULD_EXECUTE_COMMANDS.check(javaClasses);
default -> throw new UnsupportedOperationException("Not implemented yet");
sarpsahinalp marked this conversation as resolved.
Show resolved Hide resolved
}
} catch (AssertionError e) {
String[] split = null;
if (e.getMessage() == null || e.getMessage().split("\n").length < 2) {
throw new SecurityException(localized("security.archunit.illegal.execution", e.getMessage()));
}
throw new SecurityException(localized("security.archunit.illegal.execution", e.getMessage().split("\n")[1]));
split = e.getMessage().split("\n");
throw new SecurityException(localized("security.archunit.violation.error", split[0].replaceAll(".*?'(.*?)'.*\r", "$1"), split[1]));
}
}
//</editor-fold>
Expand Down
Loading
Loading