
Page 1: The Owasp Orizon Project: towards version 1.0

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP AppSec NYC’08

http://www.owasp.org

The Owasp Orizon Project: towards version 1.0

Paolo Perego
Owasp Orizon Project Leader

Spike Reply

[email protected]

Page 2: The Owasp Orizon Project: towards version 1.0

OWASP AppSec NYC ’08, New York City – 25th September

Agenda

• Where did we leave off in Ghent, last May…
• Road towards version 1.0

Page 3: The Owasp Orizon Project: towards version 1.0

$ whoami

Senior Security Consultant @ Spike Reply Srl
• penetration testing
• secure application building
• code review & source code assessment

Owasp Orizon Project leader

Active member in
• Owasp Italian chapter
• Owasp Code Review Project

Page 4: The Owasp Orizon Project: towards version 1.0

Kickoff

Many commercial solutions are available for code review
• good at finding bugs
• skilled support
• expensive

Open source solutions are available too
• limited number of security checks
• good support from the open source community
• open

Why do I need Orizon?

Page 5: The Owasp Orizon Project: towards version 1.0

Some preliminary info

Orizon is a code review engine I started back in 2006

It supports
• Static analysis
• Dynamic analysis via code execution

Orizon is language independent
• The source is translated into XML and then analysed

A library with security checks is provided
• The library is self-contained in the Orizon JAR archive
• The checks are gathered in “safe coding recipes” written in XML

Page 6: The Owasp Orizon Project: towards version 1.0

Where did we leave off in Ghent, last May…

During Owasp AppSec EU 2008
• Orizon reached v0.90
• Plugins were introduced
• A Java SWT GUI was added
• Orizon also included Milk, embedded into it

Feedback was good

Major criticisms (… thanks Dinis)
• There is too much noise in the translated XML
• Building a source object model is a better approach
• More effort must be redirected to static analysis

Page 7: The Owasp Orizon Project: towards version 1.0

Where did we leave off in Ghent, last May…

[Figure: Orizon v0.90 architecture. Stages: Preprocessing, Code reviewing, Reporting. Components: Crawler engine, Code crawling, XML Translator engine, Jericho engine, Dawn engine, Plugin engine, Reporting engine]

Page 8: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… the need for a change

Input file management
• Scanning a directory recursively is not supported

Library management
• A standalone file is difficult to deploy
• Hard to find a default location for the library from the orizon path

Translated XML files
• Too much noise
• Hard to retrieve the information needed to build an object model

Page 9: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… the stack

[Figure: the 1.0 stack. XML Translator factory; Static analysis (Statistics, ControlFlow, CallGraph, DataGraph); Reporting engine]

Page 10: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… the workflow

Page 11: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… session initialization

A Session object is created

Properties collected from the command line are stored in the session (-o, --orizon key=value)

The init() method causes
• each input file to be associated with a SessionInfo
• each input file to be inspected and the corresponding AST to be built

Page 12: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… session initialization

Upon creation, the XML file names are built

The inspect() method does all the dirty work, collecting all the results in the DefaultTranslator object

getStats() and friends take the DefaultTranslator object and create the XML file

Page 13: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… preprocessing

scan() is the method invoked when creating the AST

The nameService() methods are the ones creating the XML files
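The session set-up described on the three slides above, as an added example that is not Orizon's own code. Only the names Session, SessionInfo and init() come from the slides; the property name output.dir, the .java filter, the rule that derives the XML file name from the source path, and the recursive directory walk (listed on the "need for a change" slide as unsupported in 0.90, added here) are this example's assumptions. The AST build that init() also performs in Orizon is left out.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

// Added example, not Orizon code. Session, SessionInfo and init() are the
// names on the slides; every other name and the file-naming rule are assumed.
public class SessionDemo {

    // One SessionInfo per input file: the source and the XML file the
    // translator will write for it (Orizon attaches the AST here as well).
    static final class SessionInfo {
        final Path source;
        final Path translatedXml;
        SessionInfo(Path source, Path translatedXml) {
            this.source = source;
            this.translatedXml = translatedXml;
        }
        @Override public String toString() { return source + " -> " + translatedXml; }
    }

    static final class Session {
        private final Map<String, String> properties = new LinkedHashMap<>();
        private final List<Path> inputs = new ArrayList<>();
        private final List<SessionInfo> infos = new ArrayList<>();

        // Store "-o key=value" / "--orizon key=value" pairs from the command
        // line; anything else is an input file or directory.
        Session(String[] args) {
            for (int i = 0; i < args.length; i++) {
                if (args[i].equals("-o") || args[i].equals("--orizon")) {
                    if (i + 1 >= args.length) {
                        throw new IllegalArgumentException(args[i] + " needs key=value");
                    }
                    String kv = args[++i];
                    int eq = kv.indexOf('=');
                    if (eq <= 0) {
                        throw new IllegalArgumentException("malformed property: " + kv);
                    }
                    properties.put(kv.substring(0, eq), kv.substring(eq + 1));
                } else {
                    inputs.add(Paths.get(args[i]));
                }
            }
        }

        String property(String key, String def) {
            return properties.getOrDefault(key, def);
        }

        // init(): attach a SessionInfo to every input file, descending into
        // directories (the recursive scan that 0.90 lacks).
        void init() throws IOException {
            Path outDir = Paths.get(property("output.dir", "orizon-out"));
            for (Path in : inputs) {
                if (Files.isDirectory(in)) {
                    try (Stream<Path> walk = Files.walk(in)) {
                        walk.filter(Files::isRegularFile)
                            .filter(p -> p.toString().endsWith(".java"))
                            .forEach(p -> infos.add(describe(p, outDir)));
                    }
                } else if (Files.isRegularFile(in)) {
                    infos.add(describe(in, outDir));
                } else {
                    throw new IOException("no such input: " + in);
                }
            }
        }

        // XML name derived from the whole path, so src/a/Foo.java and
        // src/b/Foo.java do not overwrite each other's XML.
        private static SessionInfo describe(Path src, Path outDir) {
            String flat = src.normalize().toString().replace('/', '_')
                    .replace('\\', '_').replace(':', '_');
            return new SessionInfo(src, outDir.resolve(flat + ".xml"));
        }

        List<SessionInfo> infos() { return infos; }
    }

    public static void main(String[] args) throws IOException {
        // e.g. java SessionDemo -o output.dir=/tmp/orizon src/
        Session s = new Session(args);
        s.init();
        for (SessionInfo si : s.infos()) {
            System.out.println(si);
        }
    }
}
```

Pointing it at a source tree prints one source-to-XML mapping per file found; a missing input fails init() instead of silently producing an empty session, which is what a reviewer wants to notice before a scan reports "no findings".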

Page 14: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… static analysis

Source code crawling
• Introduced in Orizon v0.70
• The good: a quick and dirty review can be performed
• The bad: results are more prone to false positives

Page 15: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… static analysis

The new library
• Embedded in the Orizon JAR file
• Same flaw category layout as the Owasp Code Review Guide
• library.xml is used as the library descriptor

Page 16: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… static analysis

A cookbook is a family of source code flaws
• A file named cookbook.xml must be present and is used as the cookbook descriptor
• A weight is given to each cookbook to fine-tune the code review score

Page 17: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… static analysis

Recipes are XML files containing security checks
• Each recipe and each check has its own weight score
• Checks are divided into families: Design, Keyword, Execution
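The recipe and check layout of the last three slides, with the weights folded into a score, run as a keyword-family check over a few source lines to show the false-positive problem the "source code crawling" slide warns about. This is an added example, not Orizon's code: only the check attributes id, severity, impact and description and the <catch> child element come from the slides; the family, weight and keyword attributes, the recipe element, the sample source and the scoring formula are assumptions.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example, not Orizon code: a keyword-family recipe run over source
// lines, with recipe and check weights folded into an assumed score.
public class KeywordRecipeDemo {

    static final class Finding {
        final String checkId; final int line; final String text;
        Finding(String checkId, int line, String text) {
            this.checkId = checkId; this.line = line; this.text = text;
        }
        @Override public String toString() { return checkId + " line " + line + ": " + text.trim(); }
    }

    // Constructed recipe. id/severity/impact/description and <catch> follow the
    // check element on the plugin slide; family, weight and keyword are assumed.
    static final String RECIPE =
        "<recipe name=\"command-execution\" weight=\"3\">\n"
        + " <check id=\"O_KW_1\" family=\"keyword\" severity=\"error\" impact=\"high\" weight=\"5\"\n"
        + "        description=\"Runtime.exec() call, check where the argument comes from\">\n"
        + "  <catch keyword=\"Runtime.getRuntime().exec(\"/>\n"
        + " </check>\n"
        + " <check id=\"O_KW_2\" family=\"keyword\" severity=\"warning\" impact=\"medium\" weight=\"2\"\n"
        + "        description=\"ProcessBuilder used\">\n"
        + "  <catch keyword=\"new ProcessBuilder(\"/>\n"
        + " </check>\n"
        + "</recipe>\n";

    // Constructed source under review. Line 3 is a comment naming both
    // keywords: text matching flags it, a check on an AST would not.
    static final String[] SOURCE = {
        "public class Ping {",
        "  void run(String host) throws Exception {",
        "    // TODO: replace Runtime.getRuntime().exec( with new ProcessBuilder(",
        "    Runtime.getRuntime().exec(\"ping \" + host);",
        "  }",
        "}",
    };

    static Document parseRecipe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Recipes are XML read from disk: forbid DTDs so there is no entity expansion or XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Keyword family: a check fires on every line containing one of its catch
    // keywords. Skipping // lines is the cheapest false-positive filter; block
    // comments and string literals still get through.
    static List<Finding> run(Document recipe, String[] source, boolean skipLineComments) {
        List<Finding> out = new ArrayList<>();
        NodeList checks = recipe.getElementsByTagName("check");
        for (int i = 0; i < checks.getLength(); i++) {
            Element check = (Element) checks.item(i);
            if (!"keyword".equals(check.getAttribute("family"))) continue;
            NodeList catches = check.getElementsByTagName("catch");
            for (int j = 0; j < catches.getLength(); j++) {
                String kw = ((Element) catches.item(j)).getAttribute("keyword");
                for (int ln = 0; ln < source.length; ln++) {
                    if (skipLineComments && source[ln].trim().startsWith("//")) continue;
                    if (source[ln].contains(kw)) {
                        out.add(new Finding(check.getAttribute("id"), ln + 1, source[ln]));
                    }
                }
            }
        }
        return out;
    }

    // Assumed scoring (the slides only say recipes and checks carry weights and
    // that the 1.0 scoring system is a draft): recipe weight times the weighted
    // share of the recipe's checks that fired at least once.
    static double score(Document recipe, List<Finding> findings) {
        Set<String> fired = new HashSet<>();
        for (Finding f : findings) fired.add(f.checkId);
        double total = 0, hit = 0;
        NodeList checks = recipe.getElementsByTagName("check");
        for (int i = 0; i < checks.getLength(); i++) {
            Element c = (Element) checks.item(i);
            double w = Double.parseDouble(c.getAttribute("weight"));
            total += w;
            if (fired.contains(c.getAttribute("id"))) hit += w;
        }
        double recipeWeight = Double.parseDouble(recipe.getDocumentElement().getAttribute("weight"));
        return total == 0 ? 0 : recipeWeight * hit / total;
    }

    public static void main(String[] args) throws Exception {
        Document recipe = parseRecipe(RECIPE);
        for (boolean skip : new boolean[] { false, true }) {
            List<Finding> found = run(recipe, SOURCE, skip);
            System.out.println((skip ? "skipping" : "including") + " line comments: "
                + found.size() + " findings, score " + score(recipe, found));
            for (Finding f : found) System.out.println("  " + f);
        }
    }
}
```

With line comments included, the TODO comment on line 3 of the sample fires both checks and inflates the score; the skipLineComments switch removes those two findings but nothing it cannot recognise from a line prefix. That gap is the reason the roadmap moves from matching text in the translated XML to a source object model with control-flow and taint information.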

Page 18: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… static analysis

org.owasp.orizon.core.Source
• Reads the translated XML files
• Initializes Jericho
• Fires up the core review

Page 19: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… plugins

An interface is provided and all plugins must implement it: org.owasp.orizon.plugin.Plugin

A loader class
• Extracts the plugin class from a given jar file
• Checks if the plugin is intended for this Orizon version
• Loads the class and returns it to the Jericho engine

Page 20: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… plugins

The Jericho engine will
• Instantiate a new object
• Run the plugin via the start() and stop() methods

The plugin will be called this way:

    <check id="O_EX_1" severity="error" impact="high"
           description="This check will be handled by an external piece of code"
           positive_fail="false" external="yes"
           jar="c:\users\thesp0nge\test.jar" package="" class="Test">
      <catch some_code="no" some_code_bogus="foo"/>
    </check>

Page 21: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… plugins

    import org.owasp.orizon.plugin.Plugin;
    // Loader is Orizon's plugin loader class; its package is not shown on the slide.

    public class PluginDemo {
        public static void main(String args[]) {
            // Loader wraps the jar named in the check's jar="..." attribute
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                // load() returns null when no usable plugin class is found
                Class c = l.load("Test");
                if (c == null)
                    return;
                // same sequence Jericho runs: instantiate, start(), stop()
                Plugin p = (Plugin) c.newInstance();
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }
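The external check element and the loader the plugin slides describe, as an added example that is not Orizon's code. From the slides come the Plugin interface with start() and stop(), the loader's three duties (extract the class from the jar, check the Orizon version, hand the class to Jericho) and the check attributes; everything else is assumed. The Plugin interface is redeclared here so the file compiles on its own (a real plugin implements org.owasp.orizon.plugin.Plugin), the version check reads an Orizon-Version manifest attribute because the slides do not say how the version is checked, and the plugin-directory restriction is this example's own hardening: a check with external="yes" names a jar that is loaded and run, so whoever can write a recipe runs code with the reviewer's privileges, and a recipe should not be able to point at an arbitrary path.

```java
import java.io.StringReader;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

// Added example, not Orizon code. The Plugin contract and the loader duties
// are from the slides; the manifest attribute and path policy are assumed.
public class ExternalCheckDemo {

    // Every plugin implements this and is driven through start()/stop().
    public interface Plugin {
        void start();
        void stop();
    }

    static final String ORIZON_VERSION = "1.0";
    // Assumed: the jar manifest names the Orizon version the plugin targets.
    static final String VERSION_ATTR = "Orizon-Version";

    static final class Loader {
        private final Path pluginDir;

        Loader(Path pluginDir) {
            this.pluginDir = pluginDir.toAbsolutePath().normalize();
        }

        Class<? extends Plugin> load(String jar, String pkg, String cls) throws Exception {
            // 1. Path policy (this example's addition): the recipe is data, the jar
            //    it names is code, so only jars under pluginDir are acceptable.
            Path jarPath = Paths.get(jar).toAbsolutePath().normalize();
            if (!jarPath.startsWith(pluginDir)) {
                throw new SecurityException("refusing jar outside " + pluginDir + ": " + jarPath);
            }
            // 2. Version check from the manifest, before any plugin code can run.
            try (JarFile jf = new JarFile(jarPath.toFile())) {
                Manifest m = jf.getManifest();
                String v = m == null ? null : m.getMainAttributes().getValue(VERSION_ATTR);
                if (!ORIZON_VERSION.equals(v)) {
                    throw new IllegalStateException(jarPath + " targets Orizon " + v
                        + ", this is " + ORIZON_VERSION);
                }
            }
            // 3. Load without initialising (no static initialisers yet), check the
            //    type, then hand the class to Jericho.
            String fqcn = pkg.isEmpty() ? cls : pkg + "." + cls;
            URLClassLoader cl = new URLClassLoader(new URL[] { jarPath.toUri().toURL() },
                    Loader.class.getClassLoader());
            Class<?> c = Class.forName(fqcn, false, cl);
            if (!Plugin.class.isAssignableFrom(c)) {
                throw new ClassCastException(fqcn + " does not implement Plugin");
            }
            return c.asSubclass(Plugin.class);
        }
    }

    // What the Jericho engine does with the class: instantiate, start(), stop().
    static void runPlugin(Class<? extends Plugin> c) throws Exception {
        Plugin p = c.getDeclaredConstructor().newInstance();
        p.start();
        p.stop();
    }

    // Constructed copy of the external check from the slide; its jar attribute
    // points outside any plugin directory.
    static final String CHECK =
        "<check id=\"O_EX_1\" severity=\"error\" impact=\"high\""
        + " description=\"This check will be handled by an external piece of code\""
        + " positive_fail=\"false\" external=\"yes\""
        + " jar=\"c:\\users\\thesp0nge\\test.jar\" package=\"\" class=\"Test\">"
        + "<catch some_code=\"no\" some_code_bogus=\"foo\"/></check>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element check = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(CHECK))).getDocumentElement();
        if (!"yes".equals(check.getAttribute("external"))) return;

        // Plugin directory from the command line, "plugins" by default.
        Loader l = new Loader(Paths.get(args.length > 0 ? args[0] : "plugins"));
        try {
            Class<? extends Plugin> c = l.load(check.getAttribute("jar"),
                    check.getAttribute("package"), check.getAttribute("class"));
            runPlugin(c);
        } catch (Exception e) {
            // With the slide's jar path the path policy rejects the check here.
            System.err.println("check " + check.getAttribute("id") + " rejected: " + e.getMessage());
        }
    }
}
```

Run as-is, the check is rejected by the path policy before the jar is even opened; a jar placed under the plugin directory is still refused until its manifest carries the expected version and the named class really implements Plugin. The order matters: the type check runs on a class loaded with initialize=false, so nothing from the jar executes until Jericho calls the constructor.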

Page 22: The Owasp Orizon Project: towards version 1.0

Road towards version 1.0… what’s missing?

Full support for
• Local analysis (control flow)
• Global analysis (call graph)
• Taint propagation

Scoring system in accordance with the Owasp Code Review scoring system

GUI for Mac OS X
• SWT libraries must be ported to Aqua

Page 23: The Owasp Orizon Project: towards version 1.0

Roadmap towards version 1.0…

2nd October 2008: Orizon v1.0rc1 (2nd birthday party, code reviewers also want to have fun)
• Full support for statistics XML file handling
• Initial support for local analysis over the source
• Scoring system released in DRAFT version
• Owasp Orizon Guide

November 2008 (@ Owasp Meeting in Portugal): Orizon v1.0
• Full support for local analysis
• Initial support for taint propagation

2Q 2009: Orizon v1.5
• Support for the O2 Crif input file format

Page 24: The Owasp Orizon Project: towards version 1.0

some links before we leave…

Orizon site: http://orizon.sourceforge.net
Orizon blog: http://blogs.owasp.org/orizon
Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
Milk site (for milk and arachne): http://milk.sourceforge.net
Contact me: [email protected]

Page 25: The Owasp Orizon Project: towards version 1.0

Q&A

Page 26: The Owasp Orizon Project: towards version 1.0


The Owasp Orizon Project: internals

Paolo Perego
Owasp Orizon Project Leader

Spike Reply

[email protected]