This tool uses JVMTI to collect runtime data from a JVM program for dynamic analysis. It can detect that a path traversal attack against a Spring Boot application vulnerable to CVE-38819 has been executed, and it can detect that a method vulnerable to SQL injection has been executed. It may be able to detect the execution of other vulnerabilities as well.
The downside is that the monitored application loses performance: tests have shown that the response time of web servers increases by up to 33,000%.
The monitor is located in the directory `monitor`. It is a C project using the JVMTI API; it collects events and sends them to the collector.
The build tool for the JVMTI agent is CMake. Building the agent has the following prerequisites:
- JDK 21 installed with SDKMan!
- protobuf-c installed on the system
The file `CMakeLists.txt` can be edited if the installation locations differ on your system. The JVMTI agent can then be built with `cmake . && make all`.
The Collector is located in the directory `collector`. It is a Kotlin project built with Gradle. It listens on a port to which the monitor sends data encoded with Protocol Buffers, and stores the received events in a PostgreSQL database that can be started with docker-compose.
`WatchForAttacker` periodically checks the datastore for the occurrence of the events listed in a given input file; the file `cve-common-common.csv` is used as an example. Once all events in that file have occurred in the database, it prints `ATTACK`, indicating that an attack has occurred.
The `Analyzer` performs data analysis on the stored events. It searches for data that only occurs when a vulnerable method has been called. Its output is a CSV file, which is then used by `FindSameWithinApp`.
`FindSameWithinApp` is the second part of the data analysis. It takes multiple outputs of the `Analyzer` and calculates the intersection of the data. Its output is a CSV file that `WatchForAttacker` uses to determine when the vulnerable method has been called.
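The following is an added reference model of the three analysis stages described above (`Analyzer`, `FindSameWithinApp` and `WatchForAttacker`), written in Python rather than the project's Kotlin, so it is not the project's own code. It assumes an event is a `(class, method)` pair and that the CSV files carry those two columns; the real column set, the event set names and the class names in the sample data are constructed for illustration and do not come from the project.

```python
"""Reference model of the analysis pipeline: Analyzer (events unique to a
vulnerable run), FindSameWithinApp (intersection of several Analyzer outputs)
and WatchForAttacker (fires once every signature event is in the datastore).
Added example; the event schema (class, method) is an assumption."""
import csv
import io

# Assumed event shape: (fully qualified class name, method name).
Event = tuple[str, str]


def analyze(vulnerable_run: set[Event], baseline_run: set[Event]) -> set[Event]:
    """Analyzer: keep only events seen while the vulnerable method ran and
    never seen during baseline (benign) traffic, i.e. a set difference."""
    return vulnerable_run - baseline_run


def find_same_within_app(*analyzer_outputs: set[Event]) -> set[Event]:
    """FindSameWithinApp: intersect several Analyzer outputs so only events
    common to every vulnerable run remain as the signature."""
    if not analyzer_outputs:
        return set()
    return set.intersection(*analyzer_outputs)


def to_csv(events: set[Event]) -> str:
    """Serialise an event set the way the CSV hand-off between stages would."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["class", "method"])
    for cls, method in sorted(events):
        writer.writerow([cls, method])
    return buf.getvalue()


def from_csv(text: str) -> set[Event]:
    """Parse a CSV produced by to_csv back into an event set."""
    return {(row["class"], row["method"]) for row in csv.DictReader(io.StringIO(text))}


def watch_for_attacker(signature: set[Event], stored_events: set[Event]) -> bool:
    """WatchForAttacker: true only when every signature event has occurred.
    An empty signature never fires, otherwise any datastore would match."""
    return bool(signature) and signature <= stored_events


def first_attack_snapshot(signature: set[Event], snapshots: list[set[Event]]):
    """Model the periodic check: return the index of the first datastore
    snapshot in which the signature is complete, or None if it never is."""
    for index, snapshot in enumerate(snapshots):
        if watch_for_attacker(signature, snapshot):
            return index
    return None


# Constructed sample data (hypothetical class names, not from the project).
BASELINE = {("com.example.Dispatcher", "dispatch"), ("java.io.File", "<init>")}
VULN_RUN_1 = BASELINE | {("com.example.ResourceHandler", "resolve"),
                         ("java.nio.file.Files", "readAllBytes")}
VULN_RUN_2 = BASELINE | {("com.example.ResourceHandler", "resolve"),
                         ("java.nio.file.Files", "readAllBytes"),
                         ("java.lang.String", "startsWith")}


def build_signature() -> set[Event]:
    """Run Analyzer on both vulnerable runs, then FindSameWithinApp, passing
    the intermediate result through CSV exactly as the stages hand it over."""
    analyzed = [from_csv(to_csv(analyze(run, BASELINE))) for run in (VULN_RUN_1, VULN_RUN_2)]
    return from_csv(to_csv(find_same_within_app(*analyzed)))


if __name__ == "__main__":
    sig = build_signature()
    snapshots = [BASELINE, BASELINE | {("com.example.ResourceHandler", "resolve")}, VULN_RUN_1]
    hit = first_attack_snapshot(sig, snapshots)
    print("ATTACK" if hit is not None else "no attack", "at snapshot", hit)
```

The signature survives a round trip through CSV so the behaviour matches the file-based hand-off between the stages; the two edge cases worth keeping are that an empty signature never fires and that a datastore holding only part of the signature does not fire either.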