Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSec NYC’08, http://www.owasp.org

The Owasp Orizon Project: towards version 1.0
Paolo Perego, Owasp Orizon Project Leader, Spike Reply
thesp0nge@owasp.org
OWASP AppSec NYC ’08, New York City – 25th September

Agenda
- Where did we leave off in Ghent, last May…
- The road towards version 1.0
$ whoami
- Senior Security Consultant @ Spike Reply Srl: penetration testing, secure application building, code review & source code assessment
- Owasp Orizon Project leader
- Active member of the Owasp Italian chapter
- Owasp Code Review Project
Kickoff: why do I need Orizon?
- A lot of commercial solutions are available for code review
  - good at finding bugs
  - skilled support
  - expensive
- Open source solutions are available too
  - limited number of security checks
  - good support from the open source community
  - open
Some preliminary info
- Orizon is a code review engine I started back in 2006
- It supports static analysis and dynamic analysis (via code execution)
- Orizon is language independent: the source is translated into XML and then analyzed
- A library with security checks is provided
  - the library is self-contained in the Orizon JAR archive
  - the checks are gathered in “safe coding recipes” written in XML
Where did we leave off in Ghent, last May…
- During Owasp AppSec EU 2008 Orizon reached v0.90
  - plugins were introduced
  - a Java SWT GUI was added
  - Orizon also shipped with Milk embedded into it
- Feedback was good
- Major criticisms (… thanks Dinis)
  - there is too much noise in the translated XML
  - building a source object model is a better approach
  - more effort must be redirected to static analysis
Where did we leave off in Ghent, last May…
[Diagram of the v0.90 architecture; labels: Preprocessing, Code reviewing, Reporting, Code crawling, XML Translator engine, Jericho engine, Dawn engine, Reporting engine, Crawler engine, Plugin engine]
Road towards version 1.0… the need for a change
- Input file management
  - scanning a directory recursively is not supported
- Library management
  - a standalone file is difficult to deploy
  - hard to find a default location for the library from the Orizon path
- Translated XML files
  - too much noise
  - hard to retrieve the information needed to build an object model
Road towards version 1.0… the stack
[Diagram of the v1.0 stack; labels: XML Translator factory, Reporting engine, Dynamic analysis, Static analysis (Statistics, Control Flow, Call Graph, Data Graph)]
Road towards version 1.0… the workflow
- Session initialization
  - the input type is detected
  - a Session object is created
  - for each input file a SessionInfo object is created as well
- Preprocessing
  - scan each file to build the AST in memory
  - parse the AST and create 4 different XML files: statistical information, methods and subroutine calls, variable instantiation and changes, control flow
- Static analysis
  - security checks are applied according to the translated XML element they target
  - source code can be crawled to find some dangerous keywords
- Reporting
  - results are represented in different formats: XML, plain text
Road towards version 1.0… session initialization
- A Session object is created
- Properties collected from the command line are stored into the session (-o, --orizon key=value)
- The init() method causes:
  - each input file to be associated with a SessionInfo
  - each input file to be inspected and the corresponding AST to be built
Road towards version 1.0… session initialization
- Upon creation the XML file names are built
- The inspect() method does all the dirty work, collecting all the results in the DefaultTranslator object
- getStats() and friends take the DefaultTranslator object and create the XML files
Road towards version 1.0… preprocessing
- scan() is the method invoked when creating the AST
- the nameService() methods are the ones creating the XML files
DEMO: preprocessing, the newer XML file format generated by Orizon
Road towards version 1.0… static analysis: source code crawling
- Introduced in Orizon v0.70
- The good: a quick and dirty review can be performed
- The bad: results are more prone to false positives
Road towards version 1.0… static analysis: the new library
- Embedded in the Orizon JAR file
- Same flaw category layout as the Owasp Code Review Guide
- library.xml is used as the library descriptor
Road towards version 1.0… static analysis: cookbooks
- A cookbook is a family of source code flaws
- A file named cookbook.xml must be present and is used as the cookbook descriptor
- A weight is given to each cookbook to better fine-tune the code review score
Road towards version 1.0… static analysis: recipes
- Recipes are XML files containing security checks
- Each recipe and each check has its own weight score
- Checks are divided into families: Design, Keyword, Execution
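The two slides above (source code crawling and weighted Keyword-family checks in recipe XML) combined into one runnable example; this is added illustration, not Orizon's own code. The `<check>` attributes id/severity/impact come from the plugin slide, while `family`, `keyword` and `weight`, the recipe text and the source lines are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeywordCrawl {
    // Constructed recipe with two Keyword-family checks. id/severity/impact follow the <check>
    // element on the plugin slide; "family", "keyword" and "weight" are assumed attribute names.
    static final String RECIPE = "<recipe name='demo'>"
        + "<check id='O_KW_1' family='keyword' keyword='Runtime.getRuntime().exec' severity='error' impact='high' weight='3'/>"
        + "<check id='O_KW_2' family='keyword' keyword='printStackTrace' severity='warning' impact='low' weight='1'/>"
        + "</recipe>";
    // Constructed source under review: line 2 mentions the keyword only inside a comment.
    static final String[] SOURCE = {
        "String cmd = request.getParameter(\"cmd\");",
        "// TODO: drop Runtime.getRuntime().exec once the wrapper is ready",
        "Process p = Runtime.getRuntime().exec(cmd);",
        "catch (IOException e) { e.printStackTrace(); }" };
    // Parse the recipe into its <check> elements; DOCTYPEs are refused so a recipe cannot carry XXE.
    static List<Element> checks(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nl = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getElementsByTagName("check");
        List<Element> out = new ArrayList<>();
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }
    // Crawl every line for every keyword and return the weighted score of the hits; skipComments
    // removes the most obvious false-positive class, a keyword that only appears in a // comment.
    static int crawl(List<Element> checks, String[] src, boolean skipComments) {
        int score = 0;
        for (int i = 0; i < src.length; i++) {
            String line = src[i].trim();
            if (skipComments && line.startsWith("//")) continue;
            for (Element c : checks) {
                if (!line.contains(c.getAttribute("keyword"))) continue;
                score += Integer.parseInt(c.getAttribute("weight"));
                System.out.printf("%s line %d [%s/%s]: %s%n", c.getAttribute("id"), i + 1, c.getAttribute("severity"), c.getAttribute("impact"), line);
            }
        }
        return score;
    }
    public static void main(String[] args) throws Exception {
        List<Element> cs = checks(RECIPE);
        System.out.println("naive crawl score: " + crawl(cs, SOURCE, false));       // counts the comment hit
        System.out.println("comment-aware crawl score: " + crawl(cs, SOURCE, true));
    }
}
```

The naive pass reports the commented-out line as a finding and inflates the score, which is the "quick and dirty" trade-off the crawling slide describes; a real reviewer still has to triage every keyword hit.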
Road towards version 1.0… static analysis: org.owasp.orizon.core.Source
- Reads the translated XML files
- Initializes Jericho
- Fires up the core review
DEMO: static analysis
Road towards version 1.0… plugins
- An interface is provided and all plugins must implement it: org.owasp.orizon.plugin.Plugin
- A loader class
  - extracts the plugin class from a given jar file
  - checks whether the plugin is intended for this Orizon version
  - loads the class and returns it to the Jericho engine
Road towards version 1.0… plugins
- The Jericho engine will
  - instantiate a new object
  - run the plugin via its start() and stop() methods
- The plugin will be called this way:

    <check id="O_EX_1" severity="error" impact="high"
           description="This check will be handled by an external piece of code"
           positive_fail="false" external="yes"
           jar="c:\users\thesp0nge\test.jar" package="" class="Test" />
Road towards version 1.0… plugins

    import org.owasp.orizon.plugin.Plugin;   // the plugin interface named on the previous slides
    // Loader's package is not shown on the slides; it is assumed to be on the classpath.

    public class PluginDemo {
        public static void main(String args[]) {
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                Class c = l.load("Test");      // null when the jar has no usable plugin class
                if (c == null) return;
                Plugin p = (Plugin) c.newInstance();
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }
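An added example (not Orizon's own code) of what the loader described on the plugin slides has to do before Jericho runs start()/stop(): reject a class that is not a Plugin and reject one built for another Orizon release. `Plugin` here is a stand-in for org.owasp.orizon.plugin.Plugin, and `forVersion()`, `HOST_VERSION` and the jar path are assumptions.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;

// Stand-in for org.owasp.orizon.plugin.Plugin: the slides only name start() and stop();
// forVersion() is an assumed hook so the loader can tell which Orizon release a plugin targets.
interface Plugin {
    String forVersion();
    void start();
    void stop();
}

// Assumed loader with the same Loader(jarPath) / load(className) shape the demo slide uses.
class Loader {
    static final String HOST_VERSION = "1.0rc1"; // assumed: the version this Orizon build reports
    private final URLClassLoader cl;
    Loader(String jarPath) throws Exception {
        // The jar is searched after the host classpath (standard parent-first delegation).
        URL[] urls = { new File(jarPath).toURI().toURL() };
        cl = new URLClassLoader(urls, Loader.class.getClassLoader());
    }
    // Returns the plugin class, or null when it is missing, is not a Plugin, or targets another version.
    Class<?> load(String className) {
        try {
            Class<?> c = Class.forName(className, true, cl);
            if (!Plugin.class.isAssignableFrom(c)) return null;        // reject arbitrary classes
            Plugin probe = (Plugin) c.getDeclaredConstructor().newInstance();
            if (!HOST_VERSION.equals(probe.forVersion())) return null; // built for another Orizon
            return c;
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }
}

// A minimal external check, the kind a <check external="yes" class="..."> element points at.
public class DemoPlugin implements Plugin {
    public String forVersion() { return "1.0rc1"; }
    public void start() { System.out.println("O_EX_1: external check started"); }
    public void stop()  { System.out.println("O_EX_1: external check finished"); }
    public static void main(String[] args) throws Exception {
        // Placeholder path; DemoPlugin itself is found through the parent class loader.
        Loader l = new Loader(args.length > 0 ? args[0] : "/path/to/test.jar");
        Class<?> c = l.load("DemoPlugin");
        if (c == null) { System.err.println("plugin rejected"); return; }
        Plugin p = (Plugin) c.getDeclaredConstructor().newInstance();
        p.start();
        p.stop();
    }
}
```

Because the jar and class names come straight from a recipe's `<check>` element, the recipe library is effectively executable configuration: the type and version checks limit what a mistyped or tampered recipe can load, but recipes still deserve the same provenance control as the engine itself.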
Road towards version 1.0… what’s missing?
- Full support for
  - local analysis (control flow)
  - global analysis (call graph)
  - taint propagation
- Scoring system in accord with the Owasp Code Review scoring system
- GUI for Mac OS X: the SWT libraries must be ported to Aqua
Roadmap towards version 1.0…
- 2nd October 2008: Orizon v1.0rc1 (2nd birthday party, also code reviewers want to have fun)
  - full support for statistics XML file handling
  - initial support for local analysis over the source
  - scoring system released in DRAFT version
  - Owasp Orizon Guide
- November 2008 @ Owasp Meeting in Portugal: Orizon v1.0
  - full support for local analysis
  - initial support for taint propagation
- 2Q 2009: Orizon v1.5
  - support for the O2 Crif input file format
Some links before we leave…
- Orizon site: http://orizon.sourceforge.net
- Orizon blog: http://blogs.owasp.org/orizon
- Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
- Milk site (for milk and arachne): http://milk.sourceforge.net
- Contact me: thesp0nge@owasp.org
Q&A
The Owasp Orizon Project internals
Paolo Perego, Owasp Orizon Project Leader, Spike Reply
thesp0nge@owasp.org