veracitylab / provenance-injector

inject provenance into JEE applications
Apache License 2.0

This project contains the logic to track method invocations that can be mapped to the use of features of interest. It creates (upon running mvn package) an agent that intercepts method invocations.

Design

  1. the application is instrumented at load time using aspect-j
  2. the injected code tracks invocations by logging them using a ProvenanceTracker -- this is basically a simple in-memory database
  3. the default implementation, ThreadLocalProvenanceTracker, tracks methods by thread, using ThreadLocal in order to support concurrency and therefore better throughput. Filters and servlets are guaranteed to execute in the same thread (servlet spec 3.0, sect. 6.2.3). The catch is that this will miss invocations if request handling uses additional threads! Alternative implementations are possible; as usual, tradeoffs between recall (tracked methods), precision (of assigning tracked records to requests) and performance must be made here.
  4. the invocation tracker gets activated by a (servlet) filter, see ProvenanceTrackerFilter
  5. when request handling finishes, the filter copies the captured invocations into an outbox and adds a header, provenance, to the response. The fuzzing client can use the header value to construct a URL and pick up the recorded methods with a separate GET request. The pickup servlet is JsonProvenanceInfoPickupServlet; it must be injected and mapped to a URL in the target application.
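
The recall limitation from design step 3, as an added example that is not code from this project: SketchTracker is a hypothetical, simplified stand-in for a per-thread tracker, and every class and method name below is an assumption. One simulated request makes a tracked call on the request thread and another on a worker thread.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration only; SketchTracker is hypothetical, not the project's API.
public class ThreadLocalRecallDemo {

    static final class SketchTracker {
        // null means "tracking is not active on this thread"
        private static final ThreadLocal<List<String>> RECORDS = new ThreadLocal<>();

        // What a filter would do when a request begins.
        static void start() { RECORDS.set(new ArrayList<>()); }

        // What injected advice would call for each intercepted method.
        static void track(String method) {
            List<String> records = RECORDS.get();
            if (records != null) records.add(method); // dropped on untracked threads
        }

        // What a filter would do when request handling finishes.
        static List<String> finish() {
            List<String> records = RECORDS.get();
            RECORDS.remove(); // container threads are pooled, so clear the slot
            return records;
        }
    }

    // Simulates one request that hands part of its work to another thread.
    static List<String> handleRequest() throws Exception {
        SketchTracker.start();
        SketchTracker.track("Service.sameThread");
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // The worker thread has its own, empty ThreadLocal slot.
            pool.submit(() -> SketchTracker.track("Service.workerThread")).get();
        } finally {
            pool.shutdown();
        }
        return SketchTracker.finish();
    }

    public static void main(String[] args) throws Exception {
        // The worker-thread invocation is absent from the returned records.
        System.out.println(handleRequest());
    }
}
```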

Deployment for a Given Web Application

  1. add the option -javaagent:aspectjweaver.jar to the JVM start of the container (Tomcat, Jetty, ..). A few options for doing this with Tomcat are discussed here. The precompiled weaver jar can be found here; this has been tested with version 1.9.6.
  2. add the library built from this project to the web application (within the war, jars are located in WEB-INF/lib). A war is just a zip file, so this can be done by unzip -> add content -> zip.
  3. register the filter to intercept http request processing. The filter should extend nz.ac.wgtn.veracity.provenance.injector.tracker.jee.ProvenanceTrackerFilter, and it should apply to all requests to be tracked (e.g., using the /* URL pattern). Details how to do this by editing WEB-INF/web.xml in the web app can be found here.
  4. map the servlet to be used to pick up provenance information to a URL, the class name is nz.ac.wgtn.veracity.provenance.injector.tracker.jee.JsonProvenanceInfoPickupServlet. Details how to do this by editing WEB-INF/web.xml in the web app can be found here. For instance, if the URL was __provenance, and the provenance header value returned was 42, then __provenance/42 can be used to pick up the JSON-encoded provenance information.

Building

First build and locally install the approv repo using git clone git@github.com:veracitylab/approv.git && cd approv/veracity-java-binding-api && mvn install. This only needs to be done once.

Then build this project (provenance-injector) with mvn package, which will create target/provenance-injector-<version>.jar .

Customising Instrumentation

  1. by changing aspects in src/ (package nz.ac.wgtn.veracity.provenance.injector.jee.instrumentation) and rebuilding
  2. by editing src/main/resources/META-INF/aop.xml and rebuilding; this is useful for including / excluding classes, or to register additional aspects

Limitations and Issues

Aspect-J Maven Plugin Issues with Java Version

Java 8 must be set as the default JRE, otherwise aspect-j cannot find tools.jar / com.sun:tools:jar:<version>. For instance, on OSX, if Java 8 is installed, this can be achieved with:

export JAVA_HOME=`/usr/libexec/java_home -v 1.8`

This can then be verified with java -version.

Aspect-J Memory Issues

Aspect-J seems to sometimes run out of memory. Increasing heap space by passing -Xmx.. to ajc does not solve this. Check for details in the ajcore.<timestamp>.txt files generated by ajc.

Instrumenting Native Methods

Since execution is used to instrument, native methods are not instrumented. This is a limitation of the current approach; instrumenting call sites could overcome this.

Test Packages

Test packages start with test. to avoid exclusion by patterns defined in src/main/resources/META-INF/aop.xml and the actual pointcuts.