Osiris-Team / AutoPlug-Client

Server manager with automatic plugin- mod- server- java- self- updater, scheduled restarts, automatic backups, shared folders, and many more handy features to automate/boost your server maintenance.
https://autoplug.one/
MIT License

Plugin verification / Malicious code scanner #16

Open Osiris-Team opened 4 years ago

Osiris-Team commented 4 years ago

Problem

Plugins, or executable jar files in general, kind of can do whatever they want to your system, for example deleting or encrypting your files, and get away with it undetected by your antivirus.

Solution

Add commands which would scan folders for malicious jar files and give each of them a "safety score" from 0-100%.

```text
.scan                 | Scans the current working directory for malicious jar files. (Shortcut: .sc)
.scan <folder-path>   | Scans the provided folder for malicious jar files. Folder path can be relative or absolute. (.sc <folder-path>)
.scan plugins         | Scans the ./plugins folder for malicious jar files. (.scp)
```

Solution details

  1. Unpack jar file into a temp directory
  2. Decompile its .class files
  3. Check each class for specific imports like java.io
  4. If the class contains such an import, do an in-depth check of the whole class

How can a Java program harm your system? Ranked from easiest -> hardest to detect.

| Description | Detection |
| --- | --- |
| The easiest and most obvious way is by using methods/classes provided by the Java API. | Decompile the jar's .class files and search for dangerous Java imports/classes/methods. |
| You could use Java's ProcessBuilder to execute/abuse any kind of program installed on your machine. | |
| You could use Java's ProcessBuilder to execute terminal commands like `rmdir <directory-path>` (on Linux, and if the user under which the Java program is running has permission). | |
| You could write code in another programming language and execute it. | |
| You could download and inject malicious Java code at runtime. | |

Dangerous imports/packages provided by the Java API

Note that at the moment these are notes of some brainstorming without deeper research done yet.
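As an added example (not code from the AutoPlug project or from the issue author), here is a Python sketch of steps 1, 3 and 4 of the solution and of the "dangerous Java imports/classes/methods" detection row above. It swaps the decompiler for a constant-pool parser: every class, field and method a `.class` file uses is recorded in its constant pool, so the references can be read straight from the bytes and scored without decompiling. The watch-list and its weights, the `build_sample_class`/`build_sample_jar` helpers and the sample jar they produce are all constructed for this example and are not the project's.

```python
import io
import struct
import zipfile

# Constructed watch-list for this example (not the project's own): class or package patterns
# the issue calls dangerous, with a penalty per matched pattern. A trailing "/" means "whole package".
SUSPICIOUS = {
    "java/lang/ProcessBuilder": 40,  # run any installed program or shell command
    "java/lang/Runtime": 30,         # Runtime.exec / halt
    "java/net/": 15,                 # fetch code or data at runtime
    "java/lang/reflect/": 15,        # call code chosen at runtime
    "java/lang/ClassLoader": 15,     # define injected classes
    "java/io/File": 10,              # delete or overwrite files (deliberately not all of java/io)
    "java/nio/file/Files": 10,
}


def read_constant_pool(data: bytes) -> dict:
    """Parse a .class file's constant pool into {index: (tag, payload)} per the JVM class file format."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # Utf8: u2 length + bytes
            (ln,) = struct.unpack_from(">H", data, pos)
            pool[i] = (tag, data[pos + 2:pos + 2 + ln].decode("utf-8", "replace"))
            pos += 2 + ln
        elif tag in (3, 4):                            # Integer / Float
            pool[i] = (tag, data[pos:pos + 4]); pos += 4
        elif tag in (5, 6):                            # Long / Double occupy two slots
            pool[i] = (tag, data[pos:pos + 8]); pos += 8; i += 1
        elif tag in (7, 8, 16, 19, 20):                # Class, String, MethodType, Module, Package
            pool[i] = (tag, struct.unpack_from(">H", data, pos)[0]); pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):           # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
            pool[i] = (tag, struct.unpack_from(">HH", data, pos)); pos += 4
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            pool[i] = (tag, (data[pos], struct.unpack_from(">H", data, pos + 1)[0])); pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {i}")
        i += 1
    return pool


def referenced_members(data: bytes) -> set:
    """Every class the file references, plus 'owner.member' for each field/method reference."""
    pool = read_constant_pool(data)
    utf8 = lambda idx: pool[idx][1]
    refs = set()
    for tag, payload in pool.values():
        if tag == 7:                                   # Class -> Utf8 name
            refs.add(utf8(payload))
        elif tag in (9, 10, 11):                       # *ref -> (Class, NameAndType)
            class_idx, nat_idx = payload
            refs.add(f"{utf8(pool[class_idx][1])}.{utf8(pool[nat_idx][1][0])}")
    return refs


def score_class(data: bytes):
    """Steps 3-4 of the issue on the constant pool: (safety score 0-100, matched references)."""
    matched, hits = set(), []
    for ref in sorted(referenced_members(data)):
        for pattern in SUSPICIOUS:
            whole_package = pattern.endswith("/")
            if (whole_package and ref.startswith(pattern)) or ref == pattern or ref.startswith(pattern + "."):
                matched.add(pattern)                   # each pattern penalised once per class
                hits.append(ref)
                break
    return max(0, 100 - sum(SUSPICIOUS[p] for p in matched)), hits


def scan_jar(jar_bytes: bytes):
    """Step 1 without a temp directory: score every .class inside the jar in memory.
    Returns (jar score = worst class score, {class path: (score, hits)})."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report[name] = score_class(zf.read(name))
    return min((s for s, _ in report.values()), default=100), report


def build_sample_class(owner: str, method: str) -> bytes:
    """Constructed, not loadable, class file whose constant pool references owner.method()."""
    pool = [(1, b"Sample"), (7, 1), (1, owner.encode()), (7, 3),
            (1, method.encode()), (1, b"()V"), (12, (5, 6)), (10, (4, 7))]
    out = bytearray(struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1))
    for tag, payload in pool:
        out.append(tag)
        if tag == 1:
            out += struct.pack(">H", len(payload)) + payload
        elif tag == 7:
            out += struct.pack(">H", payload)
        else:
            out += struct.pack(">HH", *payload)
    # access_flags, this_class, super_class and empty interfaces/fields/methods/attributes tables
    return bytes(out + struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0))


def build_sample_jar() -> bytes:
    """Constructed jar: one harmless class that only prints, one that spawns a process."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good/Greeter.class", build_sample_class("java/io/PrintStream", "println"))
        zf.writestr("bad/Dropper.class", build_sample_class("java/lang/ProcessBuilder", "start"))
    return buf.getvalue()


if __name__ == "__main__":
    jar_score, per_class = scan_jar(build_sample_jar())
    print(f"jar safety score: {jar_score}%")
    for path, (score, hits) in per_class.items():
        print(f"  {path}: {score}%  {hits}")
```

Two points the sample jar is built to show. First, the pattern for `java.io` is narrowed to `java/io/File`, because a raw "imports java.io" check fires on every `System.out.println` (which references `java/io/PrintStream`), so the harmless class scores 100% while the one touching `ProcessBuilder` drops to 60%. Second, constant-pool matching covers only the first row of the table: a jar that reaches `Runtime` through reflection on a string, or that downloads and defines classes at runtime, leaves nothing for this scan to match, which is why those rows are harder to detect and need the in-depth check the issue describes in step 4.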

Osiris-Team commented 3 years ago

https://github.com/MeGysssTaa/keiko-plugin-inspector Seems to be a good resource to implement.