Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP AppSec NYC’08
http://www.owasp.org
The Owasp Orizon Project: towards version 1.0
Paolo Perego, Owasp Orizon Project Leader
Spike Reply
OWASP AppSec NYC ’08, New York City – 25th September
Agenda
• Where did we leave off in Ghent last May…
• Road towards version 1.0
$ whoami
• Senior Security Consultant @ Spike Reply Srl
  • penetration testing
  • secure application building
  • code review & source code assessment
• Owasp Orizon Project leader
• Active member in
  • Owasp Italian chapter
  • Owasp Code Review Project
Kickoff
• A lot of commercial solutions are available for code reviewing
  • good at finding bugs
  • skilled support
  • expensive
• Open source solutions are available too
  • limited number of security checks
  • good support from the open source community
  • open
Why do I need Orizon?
Some preliminary info
• Orizon is a code review engine I started back in 2006
• It supports
  • Static analysis
  • Dynamic analysis via code execution
• Orizon is language independent
  • The source is translated into XML and then analyzed
• A library with security checks is provided
  • The library is self-contained in the Orizon JAR archive
  • The checks are gathered in “safe coding recipes” in XML
Where did we leave off in Ghent last May…
• During Owasp AppSec EU 2008
  • Orizon reached v0.90
  • Plugins were introduced
  • A Java SWT GUI was added
  • Orizon also included Milk embedded into it
• Feedback was good
• Major criticisms (… thanks Dinis)
  • There is too much noise in the translated XML
  • Building a source object model is a better approach
  • More effort must be redirected to static analysis
Where did we leave off in Ghent last May…
(architecture diagram of Orizon v0.90)
• Phases: Preprocessing → Code reviewing → Reporting
• Code crawling
• XML Translator engine
• Jericho engine, Dawn engine
• Reporting engine
• Crawler engine
• Plugin engine
Road towards version 1.0… the needs for a change
• Input file management
  • Scanning a directory recursively is not supported
• Library management
  • A standalone file is difficult to deploy
  • Hard to find a default location for the library from the Orizon path
• Translated XML files
  • Too much noise
  • Hard to retrieve the information needed to build an object model
Road towards version 1.0… the stack
(stack diagram)
• XML Translator factory
• Reporting engine
• Static analysis: Statistics, ControlFlow, CallGraph, DataGraph
Road towards version 1.0… the workflow
(workflow diagram)
Road towards version 1.0… session initialization
• A Session object is created
• Properties collected from the command line are stored into the session (-o, --orizon key=value)
• The init() method causes:
  • Each input file is associated with a SessionInfo
  • Each input file is inspected and the corresponding AST is built
Road towards version 1.0… session initialization
• Upon creation the XML file names are built
• The inspect() method does all the dirty work, collecting all the results in the DefaultTranslator object
• getStats() and friends take the DefaultTranslator object and create the XML file
Road towards version 1.0… preprocessing
• scan() is the method invoked when creating the AST
• nameService() methods are the ones creating the XML files
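The session initialization and preprocessing slides above describe a flow (command-line properties into a Session, one SessionInfo per input file, XML file names built up front) without showing code. The following is an added example written for this page, not Orizon's own code: it sketches that flow in plain Java, including the recursive directory scan the "needs for a change" slide lists as missing. The names Session, SessionInfo and the -o/--orizon key=value switch come from the slides; the field names, the xml.dir property, the ".java" filter and the naming scheme are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

/** Added example, not Orizon's code: session set-up as the slides describe it. */
public class SessionDemo {

    /** Per-input-file state: the source file and the translated XML it maps to. */
    static final class SessionInfo {
        final Path source;
        final Path translatedXml;

        SessionInfo(Path source, Path translatedXml) {
            this.source = source;
            this.translatedXml = translatedXml;
        }
    }

    static final class Session {
        final Map<String, String> properties = new HashMap<>();
        final List<SessionInfo> inputs = new ArrayList<>();

        /** Store "-o key=value" / "--orizon key=value" pairs; any other argument is an input path. */
        List<Path> parseArgs(String[] args) {
            List<Path> paths = new ArrayList<>();
            for (int i = 0; i < args.length; i++) {
                boolean isOpt = "-o".equals(args[i]) || "--orizon".equals(args[i]);
                if (isOpt && i + 1 < args.length) {
                    String[] kv = args[++i].split("=", 2);
                    if (kv.length == 2) {
                        properties.put(kv[0], kv[1]);
                    }
                } else {
                    paths.add(Paths.get(args[i]));
                }
            }
            return paths;
        }

        /**
         * Walk every path (a single file or a directory, recursively) and attach one
         * SessionInfo per source file. Files.walk does not follow symbolic links
         * unless asked to, so a link pointing outside the tree is not scanned.
         */
        void init(List<Path> paths) throws IOException {
            // "xml.dir" is an assumed property name, not one from the slides
            Path outDir = Paths.get(properties.getOrDefault("xml.dir", "orizon-xml"));
            for (Path p : paths) {
                Path root = Files.isDirectory(p) ? p
                        : (p.getParent() == null ? Paths.get("") : p.getParent());
                try (Stream<Path> files = Files.walk(p)) {
                    files.filter(Files::isRegularFile)
                         .filter(f -> f.toString().endsWith(".java"))
                         .forEach(f -> inputs.add(new SessionInfo(f, xmlNameFor(root, f, outDir))));
                }
            }
        }

        /**
         * Build the XML name from the path relative to the scanned root, so two
         * sources with the same base name in different directories do not collide.
         */
        static Path xmlNameFor(Path root, Path source, Path outDir) {
            return outDir.resolve(root.relativize(source).toString() + ".xml");
        }
    }

    public static void main(String[] args) throws IOException {
        Session session = new Session();
        List<Path> paths = session.parseArgs(args);
        session.init(paths);
        for (SessionInfo info : session.inputs) {
            System.out.println(info.source + " -> " + info.translatedXml);
        }
    }
}
```

Run it as `java SessionDemo -o xml.dir=/tmp/out src/` to see each discovered source mapped to its XML name. Using the root-relative path rather than the bare file name is the point of xmlNameFor: a project with two Util.java files in different packages would otherwise have one translation silently overwrite the other.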
Road towards version 1.0… static analysis
• Source code crawling
  • Introduced in Orizon v0.70
  • The good: a quick and dirty review can be performed
  • The bad: results are more prone to false positives
Road towards version 1.0… static analysis
• The new library
  • Embedded in the Orizon JAR file
  • Same flaw category layout as the Owasp Code Review Guide
  • library.xml is used as library descriptor
Road towards version 1.0… static analysis
• A cookbook is a family of source flaws
• A file named cookbook.xml must be present and is used as cookbook descriptor
• A weight is given to each cookbook to better fine-tune the code review score
Road towards version 1.0… static analysis
• Recipes are XML files containing security checks
• Each recipe and each check has its own weight score
• Checks are divided into families
  • Design
  • Keyword
  • Execution
Road towards version 1.0… static analysis
• org.owasp.orizon.core.Source
  • Reads translated XML files
  • Initializes Jericho
  • Fires up the core review
Road towards version 1.0… plugins
• An interface is provided and all plugins must implement it: org.owasp.orizon.plugin.Plugin
• A loader class
  • Extracts the plugin class from a given jar file
  • Checks if the plugin is intended for this Orizon version
  • Loads the class and returns it to the Jericho engine
Road towards version 1.0… plugins
• The Jericho engine will
  • Instantiate a new object
  • Run the plugin via the start() and stop() methods
• The plugin will be called this way:

<check id="O_EX_1" severity="error" impact="high"
       description="This check will be handled by an external piece of code"
       positive_fail="false" external="yes"
       jar="c:\users\thesp0nge\test.jar" package="" class="Test">
  <catch some_code="no" some_code_bogus="foo"/>
</check>
Road towards version 1.0… plugins

import org.owasp.orizon.plugin.Plugin;
// Loader is Orizon's plugin loader class (its package is not shown on the slide)

public class PluginDemo {
    public static void main(String args[]) {
        // Point the loader at the jar named in the check descriptor
        Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
        try {
            // Plugin p = (Plugin)l.load("Test").newInstance();
            Class c = l.load("Test");   // null if the jar is not meant for this Orizon version
            if (c == null)
                return;
            Plugin p = (Plugin) c.newInstance();
            p.start();                  // run the external check
            p.stop();
            System.out.println("here");
        } catch (Exception e) {
            e.printStackTrace();
            System.err.println("main: " + e.getMessage());
            return;
        }
    }
}
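The two plugin slides describe the loader (extract the class from a jar, check the Orizon version, hand the class to Jericho) and show the <check external="yes"> descriptor that triggers it, but the PluginDemo above hard-codes the jar path and relies on a Loader whose internals are not shown. The following is an added example written for this page, not Orizon's own code: it parses a descriptor of that shape and loads the named class the way the slides describe. Assumptions: the nested Plugin interface stands in for org.owasp.orizon.plugin.Plugin, the version check reads an "Orizon-Version" manifest attribute (the slides do not say how the version is stored), and the sample descriptor is constructed with a placeholder jar path.

```java
import java.io.File;
import java.io.StringReader;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/** Added example, not Orizon's code: external check descriptor -> version-checked plugin load. */
public class ExternalCheckDemo {

    /** Stand-in for org.owasp.orizon.plugin.Plugin (assumed to expose start/stop only). */
    interface Plugin {
        void start();
        void stop();
    }

    static final String ORIZON_VERSION = "1.0";   // assumed: version of the running engine

    /** Constructed sample descriptor, same attributes as the slide; the jar path is a placeholder. */
    static final String SAMPLE =
        "<check id=\"O_EX_1\" severity=\"error\" impact=\"high\""
      + " description=\"This check will be handled by an external piece of code\""
      + " positive_fail=\"false\" external=\"yes\""
      + " jar=\"PLACEHOLDER/test.jar\" package=\"\" class=\"Test\">"
      + "<catch some_code=\"no\" some_code_bogus=\"foo\"/></check>";

    /** The attributes the loader needs from an external check. */
    static final class ExternalCheck {
        final String id, jar, fqcn;

        ExternalCheck(String id, String jar, String pkg, String cls) {
            this.id = id;
            this.jar = jar;
            this.fqcn = pkg.isEmpty() ? cls : pkg + "." + cls;
        }
    }

    /** Returns the external check described by the XML, or null if the check is not external. */
    static ExternalCheck parseCheck(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Recipes are plain data: refusing DOCTYPE keeps an untrusted recipe
        // from pulling in external entities through the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Element check = f.newDocumentBuilder()
                         .parse(new InputSource(new StringReader(xml)))
                         .getDocumentElement();
        if (!"check".equals(check.getTagName()) || !"yes".equals(check.getAttribute("external"))) {
            return null;
        }
        return new ExternalCheck(check.getAttribute("id"), check.getAttribute("jar"),
                                 check.getAttribute("package"), check.getAttribute("class"));
    }

    /** Loads plugin classes from one jar, following the loader steps on the slides. */
    static final class Loader {
        private final File jar;

        Loader(String path) {
            this.jar = new File(path);
        }

        /** Returns the plugin class, or null when the jar or class is not acceptable. */
        Class<?> load(String fqcn) throws Exception {
            if (!jar.isFile()) {
                return null;                        // descriptor points at a missing jar
            }
            try (JarFile jf = new JarFile(jar)) {
                Manifest m = jf.getManifest();
                String built = m == null ? null : m.getMainAttributes().getValue("Orizon-Version");
                if (!ORIZON_VERSION.equals(built)) {
                    return null;                    // built for another version or undeclared: reject
                }
            }
            // The class loader stays open because the returned class is used afterwards.
            URLClassLoader cl = new URLClassLoader(new URL[] { jar.toURI().toURL() },
                                                   Loader.class.getClassLoader());
            Class<?> c = Class.forName(fqcn, true, cl);
            return Plugin.class.isAssignableFrom(c) ? c : null;   // must implement the interface
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = args.length > 0
                ? new String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(args[0])))
                : SAMPLE;
        ExternalCheck ec = parseCheck(xml);
        if (ec == null) {
            System.out.println("not an external check, nothing to load");
            return;
        }
        Class<?> c = new Loader(ec.jar).load(ec.fqcn);
        if (c == null) {
            System.err.println(ec.id + ": plugin rejected");
            return;
        }
        Plugin p = (Plugin) c.getDeclaredConstructor().newInstance();
        p.start();
        p.stop();
    }
}
```

Run with no arguments it parses the constructed descriptor and reports the plugin as rejected, because the placeholder jar does not exist; pass a recipe file path as the first argument to load a real one. The two refusals in load() are deliberate: a jar that does not declare the expected Orizon version, or a class that does not implement the plugin interface, is never instantiated, so a mis-targeted descriptor fails before any plugin code runs.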
Road towards version 1.0… what’s missing?
• Full support for
  • Local analysis (control flow)
  • Global analysis (call graph)
  • Taint propagation
• Scoring system in accord with the Owasp Code Review scoring system
• GUI for Mac OS X
  • SWT libraries must be ported to AQUA
Roadmap towards version 1.0…
• 2nd October 2008: Orizon v1.0rc1
  (2nd birthday party, also code reviewers want to have fun)
  • Full support for statistics XML file handling
  • Initial support for local analysis over the source
  • Scoring system released in DRAFT version
  • Owasp Orizon Guide
• November 2008 @ Owasp Meeting in Portugal: Orizon v1.0
  • Full support for local analysis
  • Initial support for taint propagation
• 2Q 2009: Orizon v1.5
  • Support for O2 Crif input file format
Some links before we leave…
• Orizon site: http://orizon.sourceforge.net
• Orizon blog: http://blogs.owasp.org/orizon
• Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
• Milk site (for milk and arachne): http://milk.sourceforge.net
• Contact me: [email protected]
Q&A