Java has long been one of the more widely used–and widely criticized–technologies on the Web. It’s used virtually everywhere and roundly panned by security researchers for its security shortcomings. Now, a researcher has released a new tool, called JavaSnoop, that’s designed to help people better analyze and understand the behavior of Java applications.
The final release of JavaSnoop 1.0 came on Monday, after months of revisions and fixes since it was first announced at Black Hat this summer. The tool is the creation of Arshan Dabirsiaghi, director of research at Aspect Security, and it’s meant to give developers, researchers and other interested parties the ability to do a number of interesting things with Java applications that normally aren’t possible without having the source code at hand.
“The whole idea of JavaSnoop is to turn theoretical vulnerabilities into real vulnerabilities,” he said in his presentation at Black Hat. “Theoretical vulns don’t really get fixed at the same rate that real vulns do.”
Users can attach JavaSnoop to a desktop Java app and use it to get a detailed look at how the app operates and see what can be done to modify it.
“After 6 release candidates, roughly a thousand bugs fixed, dozens of
improvements and features added, I finally think the tool is ready for
general availability. It’s had over a thousand downloads, which is much
higher than I would have thought after a few months; it’s kind of a
niche tool in a niche space. People are using it for things I didn’t
anticipate, though – things like malware analysis and game hacking. More
important than that, it’s unquestionably the best tool for hacking Java
business applications,” Dabirsiaghi said in a blog post announcing the final release of JavaSnoop.
JavaSnoop isn’t necessarily meant as a tool just for Java developers who need help with security. Instead, Dabirsiaghi says in the documentation for it that the tool should be usable by most developers.
“We wrote a program that lets you ‘intercept’ method calls in a Java
process. Any Java process. To do that, we install stageloading ‘hooks’
with the Java Instrumentation API and some bytecode engineering,” the FAQ for JavaSnoop says. “The coolest part is you don’t really need to know much about
Java to use the program. We made some interfaces to make things super
easy. Don’t get me wrong – a Java expert will really get all the
horsepower out of it, but your everyday Python coder will manage and
your everyday non-OO Perl coder will be kind of lost. A smart person
that understands in general how virtual machines and programs work will
be great. Your everyday .NET expert will probably feel right at home.”
The JavaSnoop code can be downloaded for free is under a GPL license.
