
The Owasp Orizon Project: towards version 1.0

The Owasp Orizon Project: towards version 1.0. Paolo Perego, Owasp Orizon Project Leader, Spike Reply, thesp0nge@owasp.org. Agenda: where did we leave off in Ghent, last May…; road towards version 1.0. $ whoami: Senior Security Consultant @ Spike Reply Srl; penetration testing



  1. The Owasp Orizon Project: towards version 1.0 Paolo Perego Owasp Orizon Project Leader Spike Reply thesp0nge@owasp.org

  2. Agenda • where did we leave off in Ghent, last May… • road towards version 1.0

  3. $ whoami • Senior Security Consultant @ Spike Reply Srl • penetration testing • secure application building • code review & source code assessment • Owasp Orizon Project leader • Active member in • Owasp Italian chapter • Owasp Code Review Project

  4. Kickoff • A lot of commercial solutions are available for code reviewing • good in finding bugs • skilled support • Expensive • Open source solutions are available too • limited number of security checks • good support from open source community • open Why do I need Orizon?

  5. Some preliminary info • Orizon is a code review engine I started back in 2006 • It supports • Static analysis • Dynamic analysis via code execution • Orizon • Language independent • The source is translated into XML and then analyzed • A library with security checks is provided • The library is self-contained in the Orizon JAR archive • The checks are gathered in “safe coding recipes” in XML

  6. Where did we leave off in Ghent, last May… • During Owasp AppSec EU’2008 • Orizon reached v0.90 • Plugins were introduced • A Java SWT GUI was added • Orizon also included Milk embedded into it • Feedback was good • Major criticisms (… thanks Dinis) • There is too much noise in translated XML • Building a source object model is a better approach • More effort must be redirected to static analysis

  7. Where did we leave off in Ghent, last May… [Architecture diagram. Labels: Reporting engine, Reporting, Jericho engine, Dawn engine, Plugin engine, Code reviewing, Crawler engine, Code crawling, XML Translator engine, Preprocessing]

  8. Road towards version 1.0… the need for a change • Input file management • Scanning a directory recursively is not supported • Library management • Standalone file is difficult to deploy • Hard to find a default location for the library from the orizon path • Translated XML files • Too much noise • Hard to retrieve information to build an object model

  9. Road towards version 1.0… the stack [Stack diagram. Labels: Reporting engine, Session Management, Plugin engine, Tools, Rule engine, Crawler engine, Static analysis, Dynamic analysis, XML Translator factory, Control Flow, Call Graph, Data Graph, Statistics]

  10. Road towards version 1.0… the workflow

  11. Road towards version 1.0… session initialization • A Session object is created • Properties collected from the command line are stored in the session (-o, --orizon key=value) • The init() method causes • Each input file to be associated with a SessionInfo • Each input file to be inspected and the corresponding AST to be built

  12. Road towards version 1.0… session initialization • Upon creation the XML file names are built • The inspect() method will do all the dirty work, collecting all the results in the DefaultTranslator object • getStats() and friends will take the DefaultTranslator object and create the XML file

  13. Road towards version 1.0… preprocessing • scan() is the method invoked when creating AST • nameService() methods are the ones creating the XML files

  14. Road towards version 1.0… static analysis • Source code crawling • Introduced in Orizon v0.70 • The good: a quick and dirty review can be performed • The bad: results are more prone to false positives

  15. Road towards version 1.0… static analysis • The new library • Embedded in Orizon Jar file • Same flaw category layout as Owasp Code Review guide • library.xml is used as library descriptor

  16. Road towards version 1.0… static analysis • A cookbook is a family of source flaws • A file named cookbook.xml must be present and is used as the cookbook descriptor • A weight is given to each cookbook to better fine-tune the code review score

  17. Road towards version 1.0… static analysis • Recipes are XML files containing security checks • Each recipe and each check has its own weight score • Checks are divided into families • Design • Keyword • Execution

  18. Road towards version 1.0… static analysis • org.owasp.orizon.core.Source • Reads translated XML files • Initializes Jericho • Fires up core review

  19. Road towards version 1.0… plugins • An interface is provided and all plugins must implement it • org.owasp.orizon.plugin.Plugin • A loader class • Extracts the plugin class from a given jar file • Checks whether the plugin is intended for this orizon version • Loads the class and returns it to the Jericho engine

  20. Road towards version 1.0… plugins • Jericho engine will • Instantiate a new object • Run the plugin via start() and stop() methods • The plugin will be called this way

```xml
<check id="O_EX_1" severity="error" impact="high"
       description="This check will be handled by an external piece of code"
       positive_fail="false" external="yes"
       jar="c:\users\thesp0nge\test.jar" package="" class="Test">
  <catch some_code="no" some_code_bogus="foo"/>
</check>
```

  21. Road towards version 1.0… plugins

```java
import org.owasp.orizon.plugin.Plugin;
// Loader is Orizon's plugin loader class; its package is not shown on the slide.

public class PluginDemo {
    public static void main(String args[]) {
        Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
        try {
            // Plugin p = (Plugin)l.load("Test").newInstance();
            Class c = l.load("Test");   // extract the plugin class from the jar
            if (c == null)
                return;                 // nothing was loaded
            Plugin p = (Plugin) c.newInstance();
            p.start();
            p.stop();
            System.out.println("here");
        } catch (Exception e) {
            e.printStackTrace();
            System.err.println("main: " + e.getMessage());
            return;
        }
    }
}
```
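Because the jar path and class name of an external check come from a recipe file, the loader steps listed on slides 19 to 21 (extract, version check, load, instantiate) are a trust boundary. The following is an added example, not Orizon's own loader: it confines jars to a trusted directory, gates on version, and type-checks the class before any plugin code runs. The `CheckedPluginLoader` class, the local `Plugin` stand-in, the trusted-directory policy and the `Orizon-Version` manifest attribute are all assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Stand-in for org.owasp.orizon.plugin.Plugin, declared here so the example compiles alone.
interface Plugin { void start(); void stop(); }

public class CheckedPluginLoader {
    private final Path trustedDir;      // only jars under this directory are loaded
    private final String engineVersion;
    public CheckedPluginLoader(Path trustedDir, String engineVersion) throws IOException {
        this.trustedDir = trustedDir.toRealPath();
        this.engineVersion = engineVersion;
    }
    public Plugin load(String jarAttr, String className) throws Exception {
        // Resolve symlinks and ".." first, so a recipe cannot point outside trustedDir.
        Path jar = Path.of(jarAttr).toRealPath();
        if (!jar.startsWith(trustedDir) || !Files.isRegularFile(jar)) {
            throw new SecurityException("plugin jar outside trusted directory: " + jar);
        }
        // Version gate; "Orizon-Version" is a hypothetical manifest attribute name.
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            String v = (mf == null) ? null : mf.getMainAttributes().getValue("Orizon-Version");
            if (!engineVersion.equals(v)) {
                throw new IllegalStateException("plugin built for version " + v);
            }
        }
        URLClassLoader cl = new URLClassLoader(new URL[] { jar.toUri().toURL() },
                CheckedPluginLoader.class.getClassLoader());
        // initialize=false: no static initializer runs before the type check below.
        Class<?> c = Class.forName(className, false, cl);
        if (!Plugin.class.isAssignableFrom(c)) {
            throw new ClassCastException(className + " does not implement Plugin");
        }
        return c.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // args: <trusted plugin dir> <jar path from the recipe> <class name>
        Plugin p = new CheckedPluginLoader(Path.of(args[0]), "1.0").load(args[1], args[2]);
        p.start();
        p.stop();
    }
}
```

The class loader is left open on purpose, since closing it would stop the plugin from resolving further classes from its jar while it runs.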

  22. Road towards version 1.0… what’s missing? • Full support for • Local analysis (control flow) • Global analysis (call graph) • Taint propagation • Scoring system in accordance with the Owasp Code Review Scoring system • GUI for Mac OS X • SWT libraries must be ported to AQUA

  23. Roadmap towards version 1.0…

  24. some links before we leave… • Orizon site: http://orizon.sourceforge.net • Orizon blog: http://blogs.owasp.org/orizon • Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project • Milk site (for milk and arachne): http://milk.sourceforge.net • Contact me: thesp0nge@owasp.org

  25. Q&A

  26. The Owasp Orizon Project internals Paolo Perego Owasp Orizon Project Leader Spike Reply thesp0nge@owasp.org
