{"id":15024054,"url":"https://github.com/sap/project-fontus","last_synced_at":"2025-10-19T18:31:19.821Z","repository":{"id":223274502,"uuid":"754023265","full_name":"SAP/project-fontus","owner":"SAP","description":"Dynamic tainting framework for Java applications leveraging on-the-fly bytecode rewriting.","archived":false,"fork":false,"pushed_at":"2025-03-25T08:05:04.000Z","size":6031,"stargazers_count":7,"open_issues_count":15,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-10-19T15:56:02.266Z","etag":null,"topics":["bytecode","instrumentation","java","tainting"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SAP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-07T08:49:44.000Z","updated_at":"2025-04-04T03:38:42.000Z","dependencies_parsed_at":"2024-10-23T04:47:08.905Z","dependency_job_id":null,"html_url":"https://github.com/SAP/project-fontus","commit_stats":null,"previous_names":["sap/project-fontus"],"tags_count":1,"template":false,"template_full_name":"SAP/repository-template","purl":"pkg:github/SAP/project-fontus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Fproject-fontus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Fproject-fontus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Fproject-fontus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Fproject-fontu
s/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SAP","download_url":"https://codeload.github.com/SAP/project-fontus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SAP%2Fproject-fontus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279873391,"owners_count":26237970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-19T02:00:07.647Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bytecode","instrumentation","java","tainting"],"created_at":"2024-09-24T19:59:45.081Z","updated_at":"2025-10-19T18:31:19.357Z","avatar_url":"https://github.com/SAP.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![REUSE status](https://api.reuse.software/badge/github.com/SAP/project-fontus)](https://api.reuse.software/info/github.com/SAP/project-fontus)\n\n# Project Fontus\n\nA modern framework for dynamic taint analysis with string-like classes in the JVM.\n\n## About this project\n\nDynamic tainting framework for Java applications leveraging on-the-fly bytecode rewriting.\nThis framework was developed as part of a research project to test and prevent security and privacy issues in web applications.\n\n### Cite Us!\nThe study was published at [ACM CCS 2023](https://www.sigsac.org/ccs/CCS2023/), and the paper can be found 
[here](https://www.ias.cs.tu-bs.de/publications/gdpr_tainting.pdf).\nYou can cite our paper using the following bibtex entry:\n\n```\n@inproceedings{KleRolBarKar+23,\n  title = {{General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications}},\n  author = {David Klein AND Benny Rolle AND Thomas Barber AND Manuel Karl AND Martin Johns},\n  booktitle = {Proc. of the ACM Conference on Computer and Communications Security (CCS)},\n  year = {2023},\n  doi = {10.1145/3576915.3616604},\n}\n```\n\n\n## Requirements and Setup\n\nTo build the framework, execute the Gradle task ``shadowJar`` or ``publishToMavenLocal``. Afterwards, you will find the framework JAR in ``./fontus/build/libs``.\n\n## Building additional tools\n\nThe [tools](./tools) folder provides some tools related to Fontus. They can be built via `./gradlew tools:TOOLNAME:jar`, and the resulting jar is stored in the corresponding build folder of the tool. For example, to build the SQL definition taint jar, invoke `./gradlew tools:sql-tainter:jar` and then run it via `java -jar ./tools/sql-tainter/build/libs/sql-tainter.jar \u003cinputfile\u003e`.\n\nThe provided tools are the following:\n\n### [SQL Tainter](./tools/sql-tainter)\n\nTakes a .sql file as input, taints all included statements and writes them to `tainted_\u003cinputfilename\u003e.sql`.\n\n### [GDPR Database query (db-query)](./tools/gdpr-database-query)\n\nQueries a provided database for GDPR tainting related questions. It can be used for the following tasks: subject access requests, collecting expired PII, contesting wrong data, and collecting PII statistics.\n\n### [Converter](./tools/converter)\nConverts a Juturna configuration to a Fontus one. Untested by me, as I have no access to Juturna source code.\n\n### [Generator](./tools/generator)\n\nGenerates a source and sink configuration for the passed classes. 
No idea how this works either!\n\n## Agent Instrumentation\nThis instrumentation type works on the fly when the application starts.\n\n### Execution\nTo instrument via Java agents, add the following to your VM option parameters:\n```bash\n--add-opens java.base/jdk.internal.misc=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/jdk.internal.vm.annotation=ALL-UNNAMED -javaagent:fontus-0.0.1-SNAPSHOT.jar\n```\n\nThe `--add-opens` options are necessary because Fontus uses Java internal classes.\n\nA complete java execution command could look like this:\n```bash\n# -javaagent must come before -jar: everything after the JAR file is passed to the application as arguments\njava --add-opens java.base/jdk.internal.misc=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/jdk.internal.vm.annotation=ALL-UNNAMED -javaagent:fontus-0.0.1-SNAPSHOT.jar -jar your-application.jar\n```\n\n### Parameters\nIt is also possible to pass multiple parameters to the agent:\n- **verbose**: If this option is set, all instrumented classes are saved to ``./tmp/agent``\n- **taint_persistence**: If set, this flag enables applying the proxies for persisting taints.\n- **logging_enabled**: If this option is set, a log file of the instrumentation process named ``asm-{datetime}.log`` will be created in the working directory\n- **taintmethod**: Specifies the taint method to use. For all options see [Available Tainting Methods](#available-tainting-methods). The default is *boolean*\n- **use_caching**: Possible values: *true* or *false*. Default is true. Enables/Disables caching of taint evaluation results for lazy tainting methods\n- **layer_threshold**: Specifies a maximum depth of layers for lazybasic tainting. If this threshold is exceeded, the taint is calculated and new layers will be stacked on top again. Default value is *30*. If caching is disabled, the threshold is also disabled.\n- **collect_stats**: Possible values: *true* or *false*. Default is false. If this option is enabled, the stats about taints in strings will be collected. 
This applies only if taintmethod *range* is used and can cause massive overhead.\n- **config**: Specifies a path for a config file\n- **blacklisted_main_classes**: Specifies a filepath to a file which contains blacklisted main classes\n- **abort**: Specifies what happens if a tainted string reaches a sink. For all options see [Abort types](#abort-types). The default is *stderr_logging*\n- **taintloss_handler**: Specifies what happens if a method is called which potentially causes taintloss (e.g. String.toCharArray()). For all options see [Taintloss handler types](#taintloss-handler-types). By default, no taintloss handler is used\n\nThe arguments are appended to the agent path like this: ``-javaagent:jarpath[=options]``. Options are defined as ``key=value`` pairs, and ``,`` is used as the delimiter between key-value pairs.\n\nAn example of parameters passed to the agent: ``-javaagent:\"fontus-0.0.1-SNAPSHOT.jar=taintmethod=range,use_caching=false,verbose\"``.\n\n## Available Tainting Methods\nCurrently, there are 5 different tainting mechanisms available:\n- **boolean**: Only tainting per string. Differentiation which character is tainted is *not* possible. Very fast, little memory overhead, but more false positives\n- **array**: Naive tainting per character. Differentiation which character is tainted *is* possible. Linear overhead regarding length for CPU and memory (slow and expensive), nearly no false positives.\n- **range**: Optimized tainting per character. Differentiation which character is tainted *is* possible. Linear overhead regarding count of taints per string for CPU and memory (most times a lot more efficient than *array*). As precise as *array*.\n- **lazybasic**: Optimized range approach. Differentiation which character is tainted *is* possible. As long as no taint evaluation is done, faster than range. Memory overhead mostly correlates with the number of string manipulations. 
As precise as *array*.\n- **lazycomplex**: Optimized lazybasic approach. Differentiation which character is tainted *is* possible. Less computation effort during runtime and during taint evaluation. Memory overhead mostly correlates with the number of string manipulations. As precise as *array*.\n- **untainted**: A wrapper class is used to redirect all calls to the original classes. No taint calculation is performed! The taint is always \"false\"\n\n## Abort types\nCurrently, there are four possibilities for what happens if a tainted string reaches a sink:\n\n- **exit**: Exits the application through System.exit(int). Beforehand the string is printed to stderr\n- **nothing**: Nothing happens if a tainted string reaches a sink\n- **stderr_logging**: Logs the tainted string to stderr as well as a stacktrace\n- **json_logging**: Logs the tainted string to a JSON file in ``./fontus-results.json``\n\n## Taintloss handler types\n- **stderr_logging**: Logs to stderr if a potentially taintlossy method is called\n- **file_logging**: Logs to the file ``./taintloss.log``, formatted in the same way as stderr_logging\n- **statistics_logging**: Logs to the statistics MXBean in the format \"Caller.method -\u003e Taintloss.method: Hits\"\n\n## Inspect Bytecode of a class\n\nTo see the bytecode for a class file, run ``javap -l -v -p -s TestString.class``\n\n## Troubleshoot\n\nHave a look in the [docs](./docs) folder; if anything is still unclear, please open an issue.\n\n## Support, Feedback, Contributing\n\nThis project is open to feature requests/suggestions, bug reports etc. via [GitHub issues](https://github.com/SAP/project-fontus/issues). Contribution and feedback are encouraged and always welcome. 
For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](CONTRIBUTING.md).\n\n## Security / Disclosure\nIf you find any bug that may be a security problem, please follow the instructions [in our security policy](https://github.com/SAP/project-fontus/security/policy) on how to report it. Please do not create GitHub issues for security-related doubts or problems.\n\n## Code of Conduct\n\nWe as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its [Code of Conduct](https://github.com/SAP/.github/blob/main/CODE_OF_CONDUCT.md) at all times.\n\n## Licensing\n\nCopyright 2024 SAP SE or an SAP affiliate company and project-fontus contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/SAP/project-fontus).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsap%2Fproject-fontus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsap%2Fproject-fontus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsap%2Fproject-fontus/lists"}