Implementing a JeSSVisitor


Plugging into JeSS

It is possible to design and use your own visitors with the JeSS plug-in.  To do so, a visitor of the appropriate form is required; the requirements are described in more detail in the following sections.  Before JeSS will load your visitor you must enable the use of external visitors in the preferences page.  Open the JeSS Preferences page, either through the JeSS menu or via Window > Preferences > JeSS Preferences, and select the checkbox corresponding to the "Use external visitors found in the JeSS plug-in folder" option.

JeSS Preferences: Enable the use of external visitors and select the directory where they are to be found

This causes JeSS to search for visitors in the specified directory.  The next field lets the user specify the directory that JeSS searches for visitors.  The default is a folder labeled "plugins" inside the local JeSS plug-in directory.  For example, starting from the eclipse folder, the plugins would be found on the path:

~/eclipse/plugins/edu.colby.JeSS_1.0/plugins 

If another directory is desired, it can be specified in the Preference page.


Requirements

Once the use of external visitors has been enabled, JeSS requires the following of an external visitor:

-       The visitor must be a ".class" file.  JeSS will NOT compile the visitor for you.

-       The visitor must extend JeSSVisitor.

-       The visitor must have a constructor that takes type edu.colby.JeSS.scanner.VisitorManager as a parameter.

-       The visitor ".class" file must be in the directory specified in the preference page.


Design

In order to uncover security bugs, a JeSSVisitor must be designed to recognize and flag the code structures that signify a particular security bug.  The signature that the visitor searches for is specific to each security bug, but the process of reporting the problem is built into the JeSSVisitor class, so implementing your own JeSSVisitor is straightforward.  The basic process can be broken down into the following steps:

-       Identify a security bug and determine what its signature looks like in the AST

-       Create a visitor class that can recognize this signature

-       Make the visitor a subclass of JeSSVisitor and use the reportProblem() method to mark the problematic sections of the code

The hardest part of creating your own visitor is the automated recognition of the problematic AST structure; once that is done, reporting the problem with the reportProblem() method is a simple matter.  An example of a visitor that identifies unhandled exceptions can be found in the following section.
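The skeleton below, added here as an illustration and not taken from the JeSS plug-in or its documentation, walks through the three steps and the constructor requirement for one concrete signature: a catch clause with an empty body, which silently discards the exception.  It assumes that JeSSVisitor extends the Eclipse JDT ASTVisitor and that reportProblem() accepts the offending ASTNode and a message; the class and package names EmptyCatchVisitor and edu.colby.JeSS.external are hypothetical.

```java
// Added example; not part of JeSS. Assumptions (not stated on the page):
//  - JeSSVisitor extends org.eclipse.jdt.core.dom.ASTVisitor
//  - JeSSVisitor has a constructor JeSSVisitor(VisitorManager)
//  - reportProblem(ASTNode node, String message) exists with this signature
// Check the real JeSSVisitor class before compiling this against the plug-in.
package edu.colby.JeSS.external; // hypothetical package

import org.eclipse.jdt.core.dom.Block;
import org.eclipse.jdt.core.dom.CatchClause;
import edu.colby.JeSS.scanner.VisitorManager;
// import for JeSSVisitor omitted: its package is not given on this page

/**
 * Step 1: the bug is a swallowed exception. Its AST signature is a
 * CatchClause whose Block contains no statements, so a failed check
 * (bad input, denied permission, I/O error) is never acted on.
 */
public class EmptyCatchVisitor extends JeSSVisitor {

    // Requirement: a constructor taking a VisitorManager, which is what
    // JeSS uses to instantiate external visitors found in the plugins folder.
    public EmptyCatchVisitor(VisitorManager manager) {
        super(manager); // assumed superclass constructor
    }

    // Step 2: recognize the signature while the AST is being walked.
    public boolean visit(CatchClause node) {
        Block body = node.getBody();
        if (body.statements().isEmpty()) {
            String caught = node.getException().getType().toString();
            // Step 3: mark the node through the inherited reportProblem().
            reportProblem(node, "Empty catch block silently swallows " + caught);
        }
        return true; // continue into child nodes (nested try/catch blocks)
    }
}
```

Compile this to a .class file yourself (JeSS will not compile it) and place it in the directory selected in the JeSS Preferences page.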