├── serial-whitelist-application-trainer
    ├── src
    │   └── main
    │   │   ├── resources
    │   │       └── META-INF
    │   │       │   └── MANIFEST.MF
    │   │   └── java
    │   │       └── swat
    │   │           ├── SwatAgent.java
    │   │           └── WhitelistBuildingTransformer.java
    └── pom.xml
├── .gitignore
├── NOTICE.md
└── README.md


/serial-whitelist-application-trainer/src/main/resources/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Premain-Class: swat.SwatAgent
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.class
 2 | 
 3 | # Mobile Tools for Java (J2ME)
 4 | .mtj.tmp/
 5 | 
 6 | # Package Files #
 7 | *.jar
 8 | *.war
 9 | *.ear
10 | 
11 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
12 | hs_err_pid*
13 | 


--------------------------------------------------------------------------------
/NOTICE.md:
--------------------------------------------------------------------------------
 1 | Feel free to use or modify this OpenSource agent as it fits your needs.
 2 | 
 3 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 4 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 5 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 6 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
 7 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 8 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 9 | OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SWAT (Serial Whitelist Application Trainer)
 2 | 
 3 | This is a simple JVM instrumentation agent, which helps you to build a whitelist
 4 |  for classic Java deserialization occurrences as well as XStream based ones. Once (on a test server) the instrumentation runs, it creates and logs files (under the folder where the JVM process was started from) with the observed deserialization classes. This can be used to build a reasonable whitelist by observing the deserializations on a test server.
 5 | 
 6 | Usage: 
 7 | Add as agent to the JVM start via -javaagent:/pointing/to/this/swat-agent-file.jar
 8 | 
 9 | Resulting whitelist will get logged to stdout and also into file whitelist.swat
10 | 
11 | 


--------------------------------------------------------------------------------
/serial-whitelist-application-trainer/src/main/java/swat/SwatAgent.java:
--------------------------------------------------------------------------------
 1 | package swat;
 2 | 
 3 | import java.io.IOException;
 4 | import java.lang.instrument.ClassFileTransformer;
 5 | import java.lang.instrument.Instrumentation;
 6 | 
 7 | public class SwatAgent {
 8 | 
 9 | 	// invoked when agent is started via -javaagent switch before application
10 | 	public static void premain(String args, Instrumentation instrumentation) throws IOException {
11 | 		System.out.println("Registering SWAT agent through premain");
12 | 		initialize(args, instrumentation);
13 | 	}
14 | 	
15 | 	// invoked when agent is attached via Sun tools API while application is running
16 | 	public static void agentmain(String args, Instrumentation instrumentation) throws IOException {
17 | 		System.out.println("Registering SWAT agent through agentmain");
18 | 		initialize(args, instrumentation);
19 | 	}
20 | 
21 | 	private static void initialize(String args, Instrumentation instrumentation) {
22 | 		ClassFileTransformer classFileTransformer = new WhitelistBuildingTransformer();
23 | 		instrumentation.addTransformer(classFileTransformer);
24 | 	}
25 | 	
26 | 	public static void main(String[] args) {
27 | 		System.out.println("Usage: add as agent to the JVM start via -javaagent:/pointing/to/this/agent-file.jar");
28 | 		System.out.println("Resulting whitelist will get logged to stdout and also into file whitelist.swat");
29 | 	}
30 | 	
31 | }
32 | 


--------------------------------------------------------------------------------
/serial-whitelist-application-trainer/pom.xml:
--------------------------------------------------------------------------------
 1 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 2 | 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 3 | 	<modelVersion>4.0.0</modelVersion>
 4 | 	<groupId>swat</groupId>
 5 | 	<artifactId>serial-whitelist-application-trainer</artifactId>
 6 | 	<version>0.0.1-SNAPSHOT</version>
 7 | 	<name>Serial Whitelist Application Trainer</name>
 8 | 
 9 | 	<properties>
10 | 	    <maven.compiler.source>1.7</maven.compiler.source>
11 | 	    <maven.compiler.target>1.7</maven.compiler.target>
12 | 	</properties>
13 | 
14 | 	<dependencies>
15 | 		<dependency>
16 | 			<groupId>org.javassist</groupId>
17 | 			<artifactId>javassist</artifactId>
18 | 			<version>3.20.0-GA</version>
19 | 		</dependency>
20 | 	</dependencies>
21 | 
22 | 	<build>
23 | 		<plugins>
24 | 			<plugin>
25 | 				<artifactId>maven-assembly-plugin</artifactId>
26 | 				<executions>
27 | 					<execution>
28 | 						<phase>package</phase>
29 | 						<goals>
30 | 							<goal>single</goal>
31 | 						</goals>
32 | 					</execution>
33 | 				</executions>
34 | 				<configuration>
35 | 					<descriptorRefs>
36 | 						<descriptorRef>jar-with-dependencies</descriptorRef>
37 | 					</descriptorRefs>
38 | 					<archive>
39 | 						<manifestFile>src/main/resources/META-INF/MANIFEST.MF</manifestFile>
40 | 					</archive>
41 | 				</configuration>
42 | 			</plugin>
43 | 		</plugins>
44 | 	</build>
45 | 
46 | </project>
47 | 


--------------------------------------------------------------------------------
/serial-whitelist-application-trainer/src/main/java/swat/WhitelistBuildingTransformer.java:
--------------------------------------------------------------------------------
  1 | package swat;
  2 | 
  3 | import java.lang.instrument.ClassFileTransformer;
  4 | import java.lang.instrument.IllegalClassFormatException;
  5 | import java.security.ProtectionDomain;
  6 | 
  7 | import javassist.ClassPool;
  8 | import javassist.CtClass;
  9 | import javassist.CtField;
 10 | import javassist.CtMethod;
 11 | import javassist.LoaderClassPath;
 12 | 
 13 | public class WhitelistBuildingTransformer implements ClassFileTransformer {
 14 | 
 15 | 	public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
 16 | 			ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
 17 | 		if ("java/io/ObjectInputStream".equals(className)) {
 18 | 			return applyWhitelistBuildingCodeOIS(loader, classfileBuffer);
 19 | 		} else if ("com/thoughtworks/xstream/mapper/DefaultMapper".equals(className)) {
 20 | 			return applyWhitelistBuildingCodeXStream(loader, classfileBuffer);
 21 | 		}
 22 | 		return null;
 23 | 	}
 24 | 
 25 | 	
 26 | 	private byte[] applyWhitelistBuildingCodeOIS(ClassLoader loader, byte[] classfileBuffer) {
 27 | 		try {
 28 | 			ClassPool classPool = ClassPool.getDefault();
 29 | 			classPool.appendClassPath(new LoaderClassPath(loader));
 30 | 			CtClass ctClass = classPool.get("java.io.ObjectInputStream");
 31 | 
 32 | 			ctClass.addField( CtField.make("private static java.util.Set whitelist = new java.util.HashSet();", ctClass) );
 33 | 			ctClass.addField( CtField.make("private static java.io.FileWriter exportWriter = new java.io.FileWriter(\"whitelist-ois.swat\");", ctClass) );
 34 | 			ctClass.addField( CtField.make("private static java.io.FileWriter exportWithStacktracesWriter = new java.io.FileWriter(\"whitelist-ois-with-stacktraces.swat\");", ctClass) );
 35 | 			
 36 | 			ctClass.addMethod( CtMethod.make("protected static synchronized void addToWhitelist(Object what) {"
 37 | 					+ "  if (what != null && what instanceof java.io.ObjectStreamClass) {"
 38 | 					+ "    java.io.ObjectStreamClass candidate = (java.io.ObjectStreamClass)what;"
 39 | 					+ "    if (!whitelist.contains(candidate.getName())) {"
 40 | 					+ "      whitelist.add(candidate.getName());"
 41 | 					+ "      String name = candidate.getName();"
 42 | 					+ "      System.out.println(\"Adding to SWAT OIS whitelist:\"+name);"
 43 | 					+ "      exportWriter.write(name+\"\\n\");"
 44 | 					+ "      exportWriter.flush();"
 45 | 					+ "      exportWithStacktracesWriter.write(name+\"\\n---\\n\");"
 46 | 					+ "      StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();"
 47 | 					+ "      for (int i=2; i<stackTrace.length; i++) {"
 48 | 					+ "        exportWithStacktracesWriter.write(String.valueOf(stackTrace[i]));"
 49 | 					+ "        exportWithStacktracesWriter.write(\"\\n\");"
 50 | 					+ "      }"
 51 | 					+ "      exportWithStacktracesWriter.write(\"\\n\\n=============================\\n\\n\");"
 52 | 					+ "      exportWithStacktracesWriter.flush();"
 53 | 					+ "    }"
 54 | 					+ "  }"
 55 | 					+ "}", ctClass) );
 56 | 			
 57 | 			CtMethod ctMethod = ctClass.getDeclaredMethod("resolveClass");
 58 | 			ctMethod.insertBefore("addToWhitelist($args[0]);");
 59 | 			
 60 | 			byte[] byteCode = ctClass.toBytecode();
 61 | 			ctClass.detach();
 62 | 			return byteCode;
 63 | 		} catch (Exception ex) {
 64 | 			System.err.println("Unable to instrument OIS");
 65 | 			ex.printStackTrace();
 66 | 		}
 67 | 		return null;
 68 | 	}
 69 | 	
 70 | 	
 71 | 	private byte[] applyWhitelistBuildingCodeXStream(ClassLoader loader, byte[] classfileBuffer) {
 72 | 		try {
 73 | 			ClassPool classPool = ClassPool.getDefault();
 74 | 			classPool.appendClassPath(new LoaderClassPath(loader));
 75 | 			CtClass ctClass = classPool.get("com.thoughtworks.xstream.mapper.DefaultMapper");
 76 | 			ctClass.addField( CtField.make("private static java.util.Set whitelist = new java.util.HashSet();", ctClass) );
 77 | 			ctClass.addField( CtField.make("private static java.io.FileWriter exportWriter = new java.io.FileWriter(\"whitelist-xstream.swat\");", ctClass) );
 78 | 			ctClass.addField( CtField.make("private static java.io.FileWriter exportWithStacktracesWriter = new java.io.FileWriter(\"whitelist-xstream-with-stacktraces.swat\");", ctClass) );
 79 | 			
 80 | 			ctClass.addMethod( CtMethod.make("protected static synchronized void addToWhitelist(Object what) {"
 81 | 					+ "  if (what != null && what instanceof java.lang.String) {"
 82 | 					+ "    java.lang.String candidate = (java.lang.String)what;"
 83 | 					+ "    if (!whitelist.contains(candidate)) {"
 84 | 					+ "      whitelist.add(candidate);"
 85 | 					+ "      System.out.println(\"Adding to SWAT XStream whitelist:\"+candidate);"
 86 | 					+ "      exportWriter.write(candidate+\"\\n\");"
 87 | 					+ "      exportWriter.flush();"
 88 | 					+ "      exportWithStacktracesWriter.write(candidate+\"\\n---\\n\");"
 89 | 					+ "      StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();"
 90 | 					+ "      for (int i=2; i<stackTrace.length; i++) {"
 91 | 					+ "        exportWithStacktracesWriter.write(String.valueOf(stackTrace[i]));"
 92 | 					+ "        exportWithStacktracesWriter.write(\"\\n\");"
 93 | 					+ "      }"
 94 | 					+ "      exportWithStacktracesWriter.write(\"\\n\\n=============================\\n\\n\");"
 95 | 					+ "      exportWithStacktracesWriter.flush();"
 96 | 					+ "    }"
 97 | 					+ "  }"
 98 | 					+ "}", ctClass) );
 99 | 			CtMethod ctMethod = ctClass.getDeclaredMethod("realClass");
100 | 			ctMethod.insertBefore("addToWhitelist($args[0]);");
101 | 
102 | 			byte[] byteCode = ctClass.toBytecode();
103 | 			ctClass.detach();
104 | 			return byteCode;
105 | 		} catch (Exception ex) {
106 | 			System.err.println("Unable to instrument XStream");
107 | 			ex.printStackTrace();
108 | 		}
109 | 		return null;
110 | 	}
111 | }
112 | 


--------------------------------------------------------------------------------