Is it possible for a Java JAR file to damage your system and how can you check what it's doing?

I want to evaluate a software solution where multiple people have submitted JAR files to perform a task on Windows.

Is it possible to check whether the JAR file performs any additional unwanted behaviors besides those it claims to perform on开发者_运维知识库 your machine?

First, you can use a JVM set with SecurityManager to do run your application in a way that it can have limited access to sensitive functions.

You can also set up a "sandbox" so the jar cannot have permissions outside of the sandbox... you could use chroot or a similar tool in a linux/unix environment.

1. You could use software from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062

You can see is program's writing or deleting something from hard drive with HardMon, or monitor any changes with RegMon... Check out their website, they have much programs and you can monitor practically everything!

2. Or you could install Sandboxie: http://www.sandboxie.com/

and then run you program within sandbox ("virtual filesystem"). When you run a program inside of sandbox, you can see what files did the program make, and the best thing is that any changes that the program did will be undone when it exists, so it can't harm your system. :)

3. Also, you could try to decompile JAR file: http://www.google.hr/search?sourceid=chrome&ie=UTF-8&q=java+decompiler

Yes and No. By default java programs can do the same things any native program on your system can do. This includes deleting and replacing any file it can access, depending on your operating system and your user privileges this may affect system critical files.

It is possible to restrict what java applications can do, applets and webstart programs usually are secured this way. Alternatively you can run any program as a different/restricted user or in a sandbox to limit the damage it can do.

If you do not trust the library/program always run it in one of the restricted environments mentioned above. It may crash if it does something it should not do, but it will be unable to do any damage.

I tried the solution from jensign.com and it looks like it restricts almost everything. The .jar application that I used to test wasn't even able to download a website. However I'm not an expert at this stuff so I can't tell if it is a 100% safe solution.

The JAR'd application can be launched under fully restrictive sandbox conditions (very similar to Java applet default security sandboxing):

     java -jar -Djava.security.manager PropsFrame.jar

cite from jensign.com

Try a decompiler, like Java Decompiler: http://jd.benow.ca/

It decompiles the .jar file, and shows you the source, though keep in mind it might be copyrighted:

By the way, why don't you ask for them to submit the source code as well, instead of just the .jar files?

Basically, .jar files are like souped-up zip files, and I believe even WinRAR can open .jar files. A quote from their site:

Java Archive File (a compressed file for applets and related files) (.JAR)

Short for Java Archive, a file format used to bundle all components required by a Java applet. JAR files simplify the downloading of applets since all the components (.class files, images, sounds, etc.) can be packaged into a single file. Additionally, JAR supports data compression, which further decreases download times.

JAR file support is the same as ZIP file support. JAR = ZIP + manifest. The Microsoft VM supports uncompressed and compressed JAR levels 0 and 1, but not signed JAR.

WinRAR provides basic operations for JAR files created by other tools: view contents, extract files, show comments and archive information.

You can use the convert function to convert .jar files into .rar format.

You do not need to have any external programs to handle these formats.

After extracting with WinRAR, you can view the source by following this link as an alternate method to JD.