Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.

OWASP: Hacking Owasp Orizon
Paolo Perego, Owasp Orizon Project Leader, Spike Reply

Owasp EU Summit 08, Portugal – November

Slide 2: Agenda
 Internals overview
 XML Translator factory
 Session Management
 Static analysis
 Reporting engine
 Plugin engine

Slide 3: $ whoami
 Senior Security, Spike Reply Srl
  penetration testing
  secure application building
  code review & source code assessment
 Owasp Orizon Project leader
 Active member in
  Owasp Italian chapter
  Owasp Code Review Project

Slide 4: Internals Overview
 A framework to be used as the engine when building a static analysis tool
 Written in Java
 Each package is devoted to a subsystem
 Massive usage of XML
  Write security checks
  Describe the source file

Slide 5: The Orizon 1.0 architecture
[Architecture diagram; blocks shown: XML Translator factory, Reporting engine, Dynamic analysis, Static analysis, Statistics, Control Flow, Call Graph, Data Graph]

Slide 6: A source code review workflow with Orizon
 Session initialization
  Input type is detected
  A Session object is created
  For each input file a SessionInfo object is created as well
 Preprocessing
  Scan each file to build the AST in memory
  Parse the AST and create 4 different XML files:
   Statistical information
   Methods and subroutine calls
   Variable instantiation and changes
   Control flow
 Static analysis
  Security checks are applied according to the given translated XML element
  Source code can be crawled to find dangerous keywords
 Reporting
  Results are represented in different formats: XML, plain text

Slide 7: XML TRANSLATOR FACTORY

Slide 8: XML Translator factory
 Input: the source code being reviewed
 Output: a bunch of XML files
 Goals
  Describe the source code design
  Collect statistics
  Draw the flow of data
  Collect the call graph
  Enumerate keywords

Slide 9: XML Translator factory
 Tries to describe the source code in an intermediate language
 The framework is independent of the programming language (Java, C, C#, …)
 Easy to extend

Slide 10: XML Translator factory
 scan() method
  Parses the source file
  Builds the AST in memory
  Very language dependent
 translate() method
  Takes the AST and, for a given service, writes the corresponding XML file

Slide 11: XML Translator factory – statistics
 DefaultTranslator method: statService()
 Makes some inferences from black-box information gathering
  Comments
  Cyclomatic index
  Method length

Slide 12: XML Translator Factory – call flow
 DefaultTranslator method: callGraphService()
 Every method invocation is tracked
  The calling class
  The return data type
  The parameters
  …

Slide 13: XML Translator factory – design analysis
 DefaultTranslator method: designService()
 Close to stats gathering
 Some inference is done by looking at
  Scope
  Methods
  Fields
  Return type

Slide 14: XML Translator factory – keywords
 DefaultTranslator method: keywordService()
 Every call is stored with its return type
 Useful during source code crawling

Slide 15: XML Translator factory – how do I use it? The dirty way
 Create a languageTranslator object
 Invoke the scan() method
 Call the desired factory method
  statService()
  designService()
  …

    JavaTranslator t = new JavaTranslator();
    // scan() parses the source file and builds the AST; stop if it fails
    // (println() returns void, so it cannot be used as a return value)
    if (!t.scan(getInFileName())) {
        System.err.println("…");
        return;
    }
    // every factory method takes the source filename and the output XML filename
    t.dataFlowService(getInFileName(), getDataFlowFileName());
    t.statService(getInFileName(), getStatFileName());

Slide 16: XML Translator factory – how do I use it? The suggested way
 Create a SkyLine object
 Invoke the launch("init") method
  The framework is initialized
  A scan session is created
 Invoke the launch("translate") method
  Translation is performed
  All supported XML files are created

    SkyLine skyLine = new SkyLine();
    …
    // "init" sets up the framework and creates the scan session
    if (!skyLine.launch("init")) {
        System.err.println("…");
        return;
    }
    // "translate" runs every supported translation service on the session files
    if (!skyLine.launch("translate")) {
        System.err.println("…");
        return;
    }

Slide 17: XML Translator factory – how can I hack it?
 Add a service method in DefaultTranslator
  e.g. public abstract boolean owaspService(String in, String out)
 Implement the new service method in every class implementing DefaultTranslator
  Returns true if the file can be created, false otherwise
  The first parameter is the source filename
  The second parameter is the output XML filename
 org.owasp.core.SessionInfo
  Create a new public boolean getService() method
  If the language translator is initialized then return getService(), false otherwise
 org.owasp.core.Session
  Create a new public int collectService() method
  For each SessionInfo call getService()
  Count and return how many SessionInfo objects failed to get the translation

Slide 18: HANDS ON – XML Translator factory

Slide 19: XML Translator factory – hands on
 In an XML file I need the number of declared methods.
 Suppose the JavaScanner object has a public int countMethod()
 Implement the new translation service

Slide 20: SESSION MANAGEMENT

Slide 21: Session Management
 Input: user parameters
 Output
  1 org.owasp.orizon.core.Session object
  1+ org.owasp.orizon.core.SessionInfo objects, depending on how many source files you have to review
 Goals
  Provide an abstraction layer over the internals
  Make it easy to implement the code review workflow

Slide 22: Session Management – Session
 Manages framework properties
  Specified at the command line
  Hardcoded in the tool
 Manages per-file scanning information
 Calls XML translator factory services
 Calls the static code review
 Generates the report

Slide 23: Session Management – SessionInfo
 Manages the code review of a single source code file
 Fires up:
  AST creation: inspect()
  Translation:
   getVariableDeclaration()
   getStats()
   getDesign()
   …
  Code review: staticReview()
  Report generation: getReport()
 Actions are taken upon detection of the source code programming language

Slide 24: Session Management – SkyLine
 The framework butler
 A tool will use SkyLine to implement Orizon services
  Manage the command line
  Create the Session
  Get the report to the tool
  "launch()" services

Slide 25: Session Management
 The tool creates a SkyLine
 SkyLine creates a Session
 The Session creates one or more SessionInfo
 The tool asks SkyLine to "launch()" services

Slide 26: Session Management – how do I use it? The only way
 Create a SkyLine object
 Optionally give SkyLine command line arguments to process
 Invoke the launch("init") method and the whole session management framework is set up

    SkyLine skyLine = new SkyLine(args);
    // consume the command line only if it was parsed successfully
    if (skyLine.processCommandLine())
        skyLine.consumeCommandLine();
    // "init" sets up the framework and creates the scan Session
    if (!skyLine.launch("init")) {
        System.err.println("…");
        return;
    }

Slide 27: HANDS ON – Session Management

Slide 28: Session Management – hands on
 Write a simple tool that creates a scanning session and fires up a translation

Slide 29: Some code…

Slide 30: STATIC ANALYSIS

Slide 31: Static analysis
 Input: translator factory output
 Output: a security scan report
 Goals
  Statically analyze the code
  Apply the security check library to the code
  Gather the results in a report

Slide 32: Static analysis
 Making the heartbeat
  SkyLine starts the Session static analysis service
  The Session loops over its SessionInfo objects asking each to statically analyze the code
 Setting up (SessionInfo)
  A Source object is created
  The Source object reads the XML files
  A Jericho object is created
  The Source is loaded into the scanning engine
 Do the job (Jericho)
  The Library is opened
  For every CookBook contained, the review() method is invoked over the Source
  Results are collected into a Report
 Collecting the results (Session)
  A Folder is created
  Report objects are collected into the Folder
  Using a Formatter object the Folder is rendered into a security report

Slide 33: Static analysis – Making the heartbeat
 A static analysis starts when the security tool asks SkyLine to perform the "static analysis" service
 SkyLine
  Has no intelligence
  It acts as a butler
  Asks the scanning Session it manages to perform a static analysis

Slide 34: Static analysis – Making the heartbeat
 SkyLine invokes Session.staticReview()
 Session
  Has no intelligence as well
  It manages SessionInfo objects
  It asks the objects it manages to perform a static analysis
  SessionInfo.staticReview() is called on each object

Slide 35: Static analysis – Setting up
 First step: take the source
  A Source object is created
  Internal structures need to be filled
  Source has some methods to read the XML translator factory output
  The XML files are read

Slide 36: Static analysis – Setting up
 Second step: ask Jericho to review it
  Create a Jericho object, passing the Source object to Jericho's constructor
  Call the Jericho.review() method
  Call the Jericho.getReport() method to get the results

Slide 37: Static analysis – do the job
 Jericho
  Opens the Library
  Reads it
  Retrieves the cookbook list
  Loops over each cookbook
   Loads the Source into the cookbook
   Asks the Cookbook to review it

Slide 38: Static analysis – do the job
 Cookbook, upon request
  Loops over its Recipes
  Asks each Recipe to review the source
 Recipe, upon request
  Loops over its Checks
  Asks each Check to apply itself to the Source
 The Report is sent back to the Jericho object

Slide 39: Just few words about the library…
 Library is
  A collection of Cookbooks
  A bunch of directories in the main JAR file
 CookBook is
  A collection of Recipes
  A directory with a cookbook.xml descriptor

Slide 40: Just few words about the library…
 Recipe is
  A collection of Checks
  An XML file
 Check is
  A sentence written in XML with
   Subject
   Verb
   Direct object
   Optionally other params
  A safe coding best practice

Slide 41: Just few words about the library…
 Library
  Embedded in the Orizon JAR file
  Same flaw category layout as the Owasp Code Review guide
  library.xml is used as the library descriptor

Slide 42: Just few words about the library…
 A cookbook is a family of source code flaws
 A file named cookbook.xml must be present and is used as the cookbook descriptor
 A weight is given to each cookbook to better fine tune the code review score

Slide 43: Just few words about the library…
 Recipes are XML files containing security checks
 Each recipe and each check have their own weight score
 Checks are divided into families
  Design
  Keyword
  Execution

Slide 44: Just few words about the library…
 name is the statistics name and can be one of the following:
  loc: lines of code
  loC: lines of comment
 verb is the boolean comparison operator between the subject and the value:
  – lt: less than
  – gt: greater than
  – le: less than or equal
  – ge: greater than or equal
  – ne: not equal
  – eq: equal
 ratio: indicates the ratio of the subject versus the direct_object

Slide 45: Just few words about the library…
[Example check XML not preserved in the transcript]

Slide 46: Just few words about the library…
 Keyword check
  [Example XML not preserved in the transcript]
  Used in code crawling
 Execution check
  [Example XML not preserved in the transcript]
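To make the statistics "sentence" of slide 44 concrete, here is an added evaluator written for this page (not Orizon's own code). It assumes the check attributes name, verb, direct_object and ratio (the slide names the words, not the XML attributes), assumes that a check produces a finding when its sentence holds, and embeds a constructed recipe with two checks:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Illustrative evaluator for statistics checks (subject / verb / direct object); not Orizon code.
public class StatCheckDemo {

    // Constructed recipe. Attribute names are assumptions modelled on the slide:
    // name = subject statistic, verb = comparison operator, direct_object = the value
    // (or, when ratio is present, the statistic to divide by), ratio = the ratio threshold.
    static final String RECIPE =
          "<recipe name=\"stats-demo\">"
        + "<check id=\"O_ST_1\" severity=\"warning\" impact=\"low\""
        + " description=\"File longer than 100 lines of code\""
        + " name=\"loc\" verb=\"gt\" direct_object=\"100\"/>"
        + "<check id=\"O_ST_2\" severity=\"warning\" impact=\"medium\""
        + " description=\"Less than 10% of lines are comments\""
        + " name=\"loC\" verb=\"lt\" direct_object=\"loc\" ratio=\"0.10\"/>"
        + "</recipe>";

    // The verbs listed on the slide: lt, gt, le, ge, ne, eq.
    static boolean compare(String verb, double subject, double value) {
        switch (verb) {
            case "lt": return subject < value;
            case "gt": return subject > value;
            case "le": return subject <= value;
            case "ge": return subject >= value;
            case "ne": return subject != value;
            case "eq": return subject == value;
            default: throw new IllegalArgumentException("unknown verb: " + verb);
        }
    }

    // A check produces a finding when its sentence holds for the file's statistics.
    static boolean fails(Element check, Map<String, Double> stats) {
        String name = check.getAttribute("name");
        Double subject = stats.get(name);
        if (subject == null) throw new IllegalArgumentException("unknown statistic: " + name);
        String object = check.getAttribute("direct_object");
        if (check.hasAttribute("ratio")) {
            Double denominator = stats.get(object);
            if (denominator == null || denominator == 0.0) return false; // nothing to divide by
            return compare(check.getAttribute("verb"), subject / denominator,
                           Double.parseDouble(check.getAttribute("ratio")));
        }
        return compare(check.getAttribute("verb"), subject, Double.parseDouble(object));
    }

    // Apply every check of a recipe to one file's statistics; returns one line per finding.
    static List<String> review(String recipeXml, Map<String, Double> stats) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Recipes are XML read from disk, so refuse DOCTYPEs (no external entity resolution).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(recipeXml.getBytes(StandardCharsets.UTF_8)));
        NodeList checks = doc.getElementsByTagName("check");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < checks.getLength(); i++) {
            Element c = (Element) checks.item(i);
            if (fails(c, stats))
                findings.add(c.getAttribute("id") + " [" + c.getAttribute("severity") + "] "
                             + c.getAttribute("description"));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed statistics for one file, as statService() would have emitted them.
        Map<String, Double> stats = Map.of("loc", 120.0, "loC", 6.0);
        for (String finding : review(RECIPE, stats)) System.out.println(finding);
    }
}
```

With the constructed statistics both checks fire: 120 lines of code exceed 100, and 6/120 = 0.05 is below the 0.10 comment ratio.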

Slide 47: Collecting the results
 Session object
  Creates a Folder
  Collects the SessionInfo reports
  Makes them available to the caller

Slide 48: HANDS ON – Static Analysis

Slide 49: Static Analysis – hands on
 Write a simple tool that
  Creates a scanning session
  Fires up a translation
  Fires up a static analysis

Slide 50: Some code…

Slide 51: REPORTING ENGINE

Slide 52: Reporting engine
 The need: people want security reports in different formats
 Starting from the findings, a plain String must contain the report to be printed out
 I don't want to write a "formatThisWay()" method for
  PDF
  XML
  LaTeX
  …
 So?

Slide 53: Reporting engine
 A Folder is a bunch of Report objects
 A Report is a bunch of Reportable objects
 A Reportable object contains details about which check failed
 The idea is
  A SessionInfo collects Reportables and builds a Report for a single source code file
  A Session manages a Folder holding every file's Report

Slide 54: Reporting engine
 Formatter interface
  Provides the prototypes used by Report or Folder objects
  I don't care about the implementation
  It's up to the subclasses

Slide 55: Reporting engine
 In fact, formatting a report is independent of the formatter you choose
 When the Session generates the report it knows which kind of Formatter it has to use

Slide 56: Reporting engine
 The magic starts when the security tool asks SkyLine for the "generate report" service
 SkyLine has no intelligence, so it asks the Session to do it
 The Session takes a Formatter subclass as parameter and applies it to the report Folder
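An added, self-contained model of the Folder / Report / Reportable / Formatter design of slides 53 to 56 (illustrative code written for this page, not Orizon's classes; field and method names are assumptions, and the check ids and findings are constructed). It shows why the Session only needs the Formatter interface, and why an XML formatter must escape finding text that may echo content from the reviewed source:

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative model of Orizon's reporting design; not the project's own code.
public class ReportFormatting {

    /** One failed check for one source file (assumed fields). */
    static final class Reportable {
        final String checkId, severity, description;
        Reportable(String checkId, String severity, String description) {
            this.checkId = checkId; this.severity = severity; this.description = description;
        }
    }

    /** Findings for a single source file, as built by a SessionInfo. */
    static final class Report {
        final String fileName;
        final List<Reportable> findings = new ArrayList<>();
        Report(String fileName) { this.fileName = fileName; }
    }

    /** All Reports of a scan, as managed by the Session. */
    static final class Folder {
        final List<Report> reports = new ArrayList<>();
    }

    /** The Session only knows this interface; the output format is up to the subclass. */
    interface Formatter {
        String format(Folder folder);
    }

    static final class PlainTextFormatter implements Formatter {
        public String format(Folder folder) {
            StringBuilder sb = new StringBuilder();
            for (Report r : folder.reports) {
                sb.append(r.fileName).append(": ").append(r.findings.size()).append(" finding(s)\n");
                for (Reportable f : r.findings)
                    sb.append("  ").append(f.checkId).append(" [").append(f.severity).append("] ")
                      .append(f.description).append('\n');
            }
            return sb.toString();
        }
    }

    static final class XmlFormatter implements Formatter {
        // Descriptions can carry text taken from the reviewed source (a keyword, a string
        // literal), so escape it: otherwise a crafted input file can inject markup into the report.
        static String esc(String s) {
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
        }
        public String format(Folder folder) {
            StringBuilder sb = new StringBuilder("<folder>\n");
            for (Report r : folder.reports) {
                sb.append("  <report file=\"").append(esc(r.fileName)).append("\">\n");
                for (Reportable f : r.findings)
                    sb.append("    <finding id=\"").append(esc(f.checkId)).append("\" severity=\"")
                      .append(esc(f.severity)).append("\">").append(esc(f.description)).append("</finding>\n");
                sb.append("  </report>\n");
            }
            return sb.append("</folder>\n").toString();
        }
    }

    /** What the Session does for the "generate report" service: apply the given Formatter to its Folder. */
    static String generateReport(Folder folder, Formatter formatter) {
        return formatter.format(folder);
    }

    public static void main(String[] args) {
        Folder folder = new Folder();                      // constructed findings for two files
        Report a = new Report("Login.java");
        a.findings.add(new Reportable("O_ST_1", "warning", "File longer than 100 lines of code"));
        a.findings.add(new Reportable("O_KW_3", "error", "Dangerous keyword found: <script>"));
        folder.reports.add(a);
        folder.reports.add(new Report("Util.java"));       // a clean file: empty Report
        System.out.print(generateReport(folder, new PlainTextFormatter()));
        System.out.print(generateReport(folder, new XmlFormatter()));
    }
}
```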

Slide 57: CRAWLER ENGINE

Slide 58: Crawler engine
 Until September '08
  An abstract class DefaultCrawler
   Reads the source file (NOT the XML)
   Makes a pattern matching search against a keyword list
  Subclasses implement language specific crawlers just by passing the list to the superclass
  It doesn't fit with the framework design

Slide 59: Crawler engine
 New design consistent with the framework
  The engine uses the "keyword" XML file
  Jericho applies a specific crawling Cookbook to that XML file
  Everything works as if it were a regular security check

PLUGIN ENGINE – How plugins work before version

Slide 61: Plugin engine (Discontinued)
 An interface is provided and all plugins must implement it
  org.owasp.orizon.plugin.Plugin
 A loader class
  Extracts the plugin class from a given jar file
  Checks if the plugin is intended for this Orizon version
  Loads the class and returns it to the Jericho engine

Slide 62: Plugin engine (Discontinued)
 The Jericho engine will
  Instantiate a new object
  Run the plugin via the start() and stop() methods
 The plugin will be called this way

    <check id="O_EX_1" severity="error" impact="high"
           description="This check will be handled by an external piece of code"
           positive_fail="false" external="yes"
           jar="c:\users\thesp0nge\test.jar" package="" class="Test" />

Slide 63: Plugin engine (Discontinued)

    public class PluginDemo {
        public static void main(String args[]) {
            // Loader extracts the plugin class from the given jar file
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                Class c = l.load("Test");
                if (c == null) return;
                Plugin p = (Plugin) c.newInstance();
                // plugin lifecycle as driven by the Jericho engine: start(), then stop()
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }

Slide 64: some links before we leave…
 Orizon site:
 Orizon blog:
 Orizon Owasp: SP_Orizon_Project
 Contact me:

Slide 65: Q&A

OWASP: The Owasp Orizon Project internals
Paolo Perego, Owasp Orizon Project Leader, Spike Reply