High-level Capability Inference

Ever wondered what system resources the library you are about to include into your software project uses?

As part of the PEAKS project we developed an inference system to detect the use of high-level capabilities in Java code. It traces the use of native calls that provide access to system resources backwards through a call graph and aggregate them to provide an accurate capability footprint of libraries or client code.


Developing software from reusable libraries lets developers face a security dilemma: Either be efficient and reuse libraries as they are or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time consuming process.

As library code runs in the same security context as application code a developer automatically entrusts the library code with the same privileges the end user has provided to the application. She implicitly transfers the users trust towards her to the developers of the library. Thus, any capability the complete application may use is available to library code as well.

Where can I get it?

Git RepositoryWe maintain the source code of the analysis as a GitHub project. You are invited to use it, build opon it, fork it or contribute to it via pull requests. However, we cannot provide any guarantee whatsoever.

Paper ArtifactAs part of the scientific publication from this project we also provided a package to reproduce our evaluation. It includes a pre-built copy of the analysis and example code to run it on.

How can I use it?


Getting the Source Code

If you want to install the latest version from git, clone the repository with

git clone https://github.com/stg-tud/peaks-capmodel.git

Compiling and packaging

If you want to compile and package the source code, enter:

sbt compile
sbt assembly

Afterwards, you will find the compiled application as well as a runnable JAR in the target/scala-2.11 folder.


After pulling new sources you might need to execute:

sbt clean clean-files update copyResources

Running the application

Copy the PEAKS_JavaCapAnalysis.jar file from folder target/scala-2.11 to the root folder of your clone (where the resource folder is located). Then run it using Java.

mv target/scala-2.11/PEAKS_JavaCapAnalysis.jar .
java -jar PEAKS_JavaCapAnalysis.jar -cp=<targetJAR or targetFolder>

If you pass a folder to the analysis every class file and jar in this folder will be included to the analysis. If you start the analysis, there will be a menu.

[1] Start capability analysis for libraries.
[2] Sliced capability analysis for projects.
[3] Help.

How does it work?


In order to access system functionalities a library written in Java will have to make use of the Java Native Interface (JNI) either directly or through the Java Class Library (JCL). We track those calls backwards through a call graph and can then produce an accurate footprint on the usage of those system capabilities.


We conducted an experiment where we checked the inference algorithm against expectation that was derived from documentation. In this process we found that it agrees to these expectations on most parts and even exceeds them. As the inference is run against library code we may consider it as more accurate. You will find the results of this experiment on the right side. (Javascript and SVG required)

© Ben Hermann 2012-2016