
The Owasp Orizon Project: towards version 1.0

Paolo Perego

Owasp Orizon Project Leader

Spike Reply

[email protected]



Agenda

  • Where did we leave off in Ghent, last May…

  • road towards version 1.0



$ whoami

  • Senior Security Consultant @ Spike Reply Srl

    • penetration testing

    • secure application building

    • code review & source code assessment

  • Owasp Orizon Project leader

  • Active member in

    • Owasp Italian chapter

    • Owasp Code Review Project



Kickoff

  • A lot of commercial solutions are available for code reviewing

    • good in finding bugs

    • skilled support

    • Expensive

  • Open source solutions are available too

    • limited number of security checks

    • good support from open source community

    • open

Why do I need Orizon?



Some preliminary info

  • Orizon is a code review engine I started back in 2006

  • It supports

    • Static analysis

    • Dynamic analysis via code execution

  • Orizon

    • Language independent

      • The source is translated into XML and then analyzed

    • A library with security checks is provided

      • The library is self-contained in the Orizon JAR archive

      • The checks are gathered in “safe coding recipes” in XML



Where did we leave off in Ghent, last May…

  • During Owasp AppSec EU 2008

    • Orizon reached v0.90

    • Plugins were introduced

    • A Java SWT GUI was added

    • Milk was embedded into Orizon

  • Feedback was good

  • Major criticisms (… thanks Dinis)

    • There is too much noise in the translated XML

    • Building a source object model is a better approach

    • More effort must be redirected to static analysis



Where did we leave off in Ghent, last May…

Architecture at v0.90 (slide diagram; layers listed top to bottom, each with the engines it holds):

  • Reporting: Reporting engine

  • Code reviewing: Jericho engine, Dawn engine, Plugin engine

  • Code crawling: Crawler engine

  • Preprocessing: XML Translator engine



Road towards version 1.0… the need for a change

  • Input file management

    • Scanning a directory recursively is not supported

  • Library management

    • A standalone library file is difficult to deploy

    • Hard to find a default location for the library relative to the Orizon path

  • Translated XML files

    • Too much noise

    • Hard to retrieve information to build an object model



Road towards version 1.0… the stack

The v1.0 stack (slide diagram; components in the order they appear on the slide, box layout not recoverable):

  • Reporting engine

  • Session management

  • Plugin engine

  • Tools

  • Rule engine

  • Crawler engine

  • Static analysis

  • Dynamic analysis

  • XML Translator factory

  • Control flow

  • Call graph

  • Data graph

  • Statistics



Road towards version 1.0… the workflow



Road towards version 1.0… session initialization

  • A Session object is created

  • Properties collected from command line are stored into the session (-o, --orizon key=value)

  • Calling the init() method causes the following

    • Each input file is associated with a SessionInfo

    • Each input file is inspected and the corresponding AST is built



Road towards version 1.0… session initialization

  • Upon creation the XML file names are built

  • The inspect() method does all the dirty work, collecting all the results in the DefaultTranslator object

  • getStats() and friends take the DefaultTranslator object and create the XML file



Road towards version 1.0… preprocessing

  • scan() is the method invoked when creating the AST

  • nameService() methods are the ones creating the XML files
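As an added example (not Orizon's own code), here is a sketch of the session initialization described on the last three slides: properties parsed from the -o / --orizon key=value switch, one SessionInfo per input file, and the recursive directory scan that the "need for a change" slide lists as unsupported. Session, SessionInfo, init() and the switch names come from the slides; the field layout, the hypothetical "ext" property, the rule used to derive the translated XML file name and the use of Files.walk are assumptions, and the AST construction step is left out.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;

// Sketch of the session-initialization flow from the slides. Session, SessionInfo,
// init() and the "-o/--orizon key=value" switch are named on the slides; everything
// else (field layout, the "ext" property, the recursive walk, the XML-name rule) is assumed.
public class SessionDemo {

    // One SessionInfo per input file: the source path plus the name of the
    // translated XML file that preprocessing will write for it.
    static final class SessionInfo {
        final Path source;
        final Path translatedXml;
        SessionInfo(Path source, Path translatedXml) {
            this.source = source;
            this.translatedXml = translatedXml;
        }
    }

    static final class Session {
        final Map<String, String> properties = new LinkedHashMap<>();
        final List<Path> inputs = new ArrayList<>();
        final List<SessionInfo> infos = new ArrayList<>();

        // "-o key=value" / "--orizon key=value" go into properties; any other
        // argument is an input path (file or directory).
        static Session fromArgs(String[] args) {
            Session s = new Session();
            for (int i = 0; i < args.length; i++) {
                String a = args[i];
                if ("-o".equals(a) || "--orizon".equals(a)) {
                    if (i + 1 >= args.length || !args[i + 1].contains("="))
                        throw new IllegalArgumentException("expected key=value after " + a);
                    String[] kv = args[++i].split("=", 2);
                    s.properties.put(kv[0], kv[1]);
                } else {
                    s.inputs.add(Paths.get(a));
                }
            }
            return s;
        }

        // init(): expand directories recursively (the v1.0 requirement noted earlier
        // in the deck) and attach a SessionInfo to each accepted file. The AST build
        // that the slides place here is left out.
        void init() throws IOException {
            String ext = properties.getOrDefault("ext", ".java"); // assumed property
            for (Path p : inputs) {
                if (Files.isDirectory(p)) {
                    try (Stream<Path> walk = Files.walk(p)) {
                        walk.filter(Files::isRegularFile)
                            .filter(f -> f.getFileName().toString().endsWith(ext))
                            .sorted()
                            .forEach(f -> infos.add(describe(f)));
                    }
                } else if (Files.isRegularFile(p)) {
                    infos.add(describe(p));
                } else {
                    throw new IOException("input not found: " + p);
                }
            }
        }

        // XML name rule (assumed): <basename>.xml next to the source file.
        private static SessionInfo describe(Path source) {
            String name = source.getFileName().toString();
            int dot = name.lastIndexOf('.');
            String base = dot > 0 ? name.substring(0, dot) : name;
            return new SessionInfo(source, source.resolveSibling(base + ".xml"));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a temporary tree with two Java files and one non-source file.
        Path root = Files.createTempDirectory("orizon-demo");
        Files.createDirectories(root.resolve("sub"));
        Files.writeString(root.resolve("A.java"), "class A {}");
        Files.writeString(root.resolve("sub").resolve("B.java"), "class B {}");
        Files.writeString(root.resolve("README"), "not source");

        Session s = Session.fromArgs(new String[] {
            "-o", "ext=.java", "--orizon", "verbose=true", root.toString() });
        s.init();

        System.out.println("properties: " + s.properties);
        for (SessionInfo si : s.infos)
            System.out.println(si.source + " -> " + si.translatedXml);
    }
}
```

Running it lists A.java and sub/B.java with their derived .xml names and skips README; a missing input path fails init() rather than being silently ignored, which is the behaviour you want from a scanner that is later asked to review "the whole tree".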



Road towards version 1.0… static analysis

  • Source code crawling

    • Introduced in Orizon v0.70

    • The good: a quick and dirty review can be performed

    • The bad: results are more prone to false positives



Road towards version 1.0… static analysis

  • The new library

    • Embedded in the Orizon Jar file

    • Same flaw category layout as Owasp Code Review guide

    • library.xml is used as library descriptor



Road towards version 1.0… static analysis

  • A cookbook is a family of source code flaws

  • A file named cookbook.xml must be present and is used as the cookbook descriptor

  • A weight is given to each cookbook to fine-tune the code review score



Road towards version 1.0… static analysis

  • Recipes are XML files containing security checks

  • Each recipe and each check has its own weight score

  • Checks are divided into families

    • Design

    • Keyword

    • Execution



Road towards version 1.0… static analysis

  • org.owasp.orizon.core.Source

    • Reads translated XML files

    • Initializes Jericho

    • Fires up the core review



Road towards version 1.0… plugins

  • An interface is provided and all plugins must implement it

    • org.owasp.orizon.plugin.Plugin

  • A loader class

    • Extracts the plugin class from a given jar file

    • Checks that the plugin is intended for this Orizon version

    • Loads the class and returns it to the Jericho engine



Road towards version 1.0… plugins

  • Jericho engine will

    • Instantiate a new object

    • Run the plugin via start() and stop() methods

  • The plugin will be called this way

<check id="O_EX_1"
       severity="error"
       impact="high"
       description="This check will be handled by an external piece of code"
       positive_fail="false"
       external="yes"
       jar="c:\users\thesp0nge\test.jar"
       package=""
       class="Test" >
  <catch some_code="no" some_code_bogus="foo"/>
</check>



Road towards version 1.0… plugins

import org.owasp.orizon.plugin.Plugin;
// Loader is Orizon's plugin loader class; its package is not shown on the slide.

public class PluginDemo {

    public static void main(String args[]) {
        // Point the loader at the jar that holds the plugin class
        Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
        try {
            // Plugin p = (Plugin)l.load("Test").newInstance();
            // load() returns null when the class cannot be extracted or the
            // plugin is not intended for this Orizon version
            Class c = l.load("Test");
            if (c == null)
                return;
            Plugin p = (Plugin) c.newInstance();
            p.start();
            p.stop();
            System.out.println("here");
        } catch (Exception e) {
            e.printStackTrace();
            System.err.println("main: " + e.getMessage());
            return;
        }
    }
}
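An added example, not Orizon's Loader, of the three loader responsibilities listed on the plugin slides plus the Jericho start()/stop() cycle: open the jar, reject it unless it declares the running engine's version, load the named class through its own class loader and confirm that it implements Plugin before anything is instantiated. The Plugin interface is declared locally so the file compiles on its own; the manifest attribute Orizon-Version, the version constant, the use of URLClassLoader and the placeholder jar path are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Plugin contract as named on the slides (org.owasp.orizon.plugin.Plugin): start() and stop().
// Declared here so the example compiles on its own.
interface Plugin {
    void start();
    void stop();
}

public class PluginLoaderDemo {
    static final String ORIZON_VERSION = "1.0";          // assumed: version of the running engine
    static final String VERSION_ATTR = "Orizon-Version"; // assumed manifest attribute name

    private final File jar;

    PluginLoaderDemo(String jarPath) {
        this.jar = new File(jarPath);
    }

    // Returns the plugin class, or null when the jar is missing, is built for another
    // Orizon version, or the named class does not implement Plugin.
    Class<? extends Plugin> load(String className) throws IOException {
        if (!jar.isFile()) {
            System.err.println("plugin jar not found: " + jar);
            return null;
        }
        // Version check: read the jar manifest before loading any class from it.
        try (JarFile jf = new JarFile(jar)) {
            Manifest m = jf.getManifest();
            String declared = (m == null) ? null : m.getMainAttributes().getValue(VERSION_ATTR);
            if (!ORIZON_VERSION.equals(declared)) {
                System.err.println("plugin built for Orizon " + declared + ", engine is " + ORIZON_VERSION);
                return null;
            }
        }
        // Load from a dedicated class loader so plugin classes cannot shadow engine classes.
        URL[] urls = { jar.toURI().toURL() };
        URLClassLoader cl = new URLClassLoader(urls, Plugin.class.getClassLoader());
        try {
            Class<?> c = Class.forName(className, true, cl);
            if (!Plugin.class.isAssignableFrom(c)) {
                System.err.println(className + " does not implement Plugin");
                return null;
            }
            return c.asSubclass(Plugin.class);
        } catch (ClassNotFoundException e) {
            System.err.println("class not found in " + jar + ": " + className);
            return null;
        }
    }

    // The Jericho engine's part: instantiate the plugin, then start() and stop() it.
    static void run(Class<? extends Plugin> c) throws ReflectiveOperationException {
        Plugin p = c.getDeclaredConstructor().newInstance();
        p.start();
        p.stop();
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args.length > 0 ? args[0] : "plugin.jar"; // placeholder path
        String className = args.length > 1 ? args[1] : "Test";     // class name from the slide's check
        Class<? extends Plugin> c = new PluginLoaderDemo(jarPath).load(className);
        if (c == null) {
            System.out.println("plugin rejected");
            return;
        }
        run(c);
        System.out.println("plugin " + className + " ran");
    }
}
```

Run it with the path to a plugin jar and the class name. A jar whose manifest lacks the matching Orizon-Version is rejected before any class in it is initialised, which is the useful property of a version gate in a loader that executes third-party code: the check happens on metadata, not by trying the plugin and seeing what breaks.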



Road towards version 1.0… what’s missing?

  • Full support for

    • Local analysis (control flow)

    • Global analysis (call graph)

    • Taint propagation

  • Scoring system in accordance with the Owasp Code Review scoring system

  • GUI for Mac OS X

    • SWT libraries must be ported to AQUA



Roadmap towards version 1.0…



Some links before we leave…

  • Orizon site: http://orizon.sourceforge.net

  • Orizon blog: http://blogs.owasp.org/orizon

  • Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project

  • Milk site (for milk and arachne): http://milk.sourceforge.net

  • Contact me: [email protected]



Q&A



The Owasp Orizon Project: internals

Paolo Perego

Owasp Orizon Project Leader

Spike Reply

[email protected]

