All geek questions in one place

Is it possible for a Java JAR file to damage your system and how can you check what it does?

I want to evaluate a software solution in which several people send JAR files to perform a task on Windows.

Can I verify that the JAR file performs any additional unwanted behaviors other than those it claims to execute on your machine?

+4
source share
5 answers

First, you can use the JVM suite with the SecurityManager to launch your application so that it can have limited access to sensitive functions.

You can also set up a sandbox so that the bank does not have permissions outside the sandbox ... you could use chroot or a similar tool in linux / unix environment.

+2
source

1. You can use the software from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062

You can see that the program writes or removes something from the hard drive using HardMon or monitors any changes with RegMon ... Check your site, they have many programs, and you can control almost everything!

2. Or you can install Sandboxie: http://www.sandboxie.com/

and then run the program in the sandbox ("virtual file system"). When you run the program inside the sandbox, you can see what files the program made, and the best thing is that any changes that the program made will be canceled if it exists, so it cannot harm your system. :)

3. Alternatively, you can try decompiling the JAR file: http://www.google.hr/search?sourceid=chrome&ie=UTF-8&q=java+decompiler

+2
source

Try a decompiler, for example, Java Decompiler: http://jd.benow.ca/

It decompiles the .jar file and shows you the source, although keep in mind that this may be copyrighted: alt text

By the way, why don't you ask them to send the source code, not just the .jar files?

Basically, .jar files are similar to zip files, and I believe that even WinRAR can open .jar files. Quote from your site:

Java archive file (compressed file for applets and related files) (.JAR)

Short for Java Archive, a file format used to bind all necessary components using the Java applet. JAR files make it easy to download applets since all components (.class files, images, sounds, etc.) can be packaged into a separate file. In addition, the JAR supports data compression, which further reduces load time.

JAR file support is the same as ZIP file support. JAR = ZIP + manifest. Microsoft VM supports uncompressed and compressed JAR levels of 0 and 1, but not a JAR.

WinRAR provides basic operations for JAR files created by other tools: view contents, extract files, view comments, and archive information.

You can use the conversion function to convert .jar files to .rar format.

You do not need to have any external programs to handle these formats.

After extracting with WinRAR, you can view the source code by specifying this link as an alternative method for JD.

0
source

Yes and no. By default, java programs can perform the same actions as any native program on your system. This includes deleting and replacing any file that it can access, depending on your operating system and your user privileges, this can affect critical system files.

You can limit what Java applications can do; applets and webstart programs are usually protected this way. Alternatively, you can run any program as another / limited user or in the sandbox to limit the damage that it can do.

If you do not trust the library / program, always run it in one of the limited environments mentioned above. He may fall if he does not do something, but he cannot do any damage.

0
source

I tried the solution from jensign.com and it looks like it limits almost everything. The .jar application that I used for testing was not even able to load the website. However, I am not an expert in this, so I can not say if this is a 100% safe solution.

The JAR'd application can be run in a full restrictive sandbox (very similar to the default sandbox for a Java applet):

java -jar -Djava.security.manager PropsFrame.jar

quote from jensign.com

0
source

Source: https://habr.com/ru/post/1336686/

More articles:


All Articles