Owasp Orizon framework v1.20
Orizon is made of an interface, a set of APIs and an "engine" based architecture.
The workflow is: build a model, analyze, report.
OWASP AppSecEU09 Poland 4
Owasp Orizon framework v1.20: engine
Engine commands are described by a grammar; the command parser is generated from that grammar using FreeCC.
Engine is an abstract class providing a fixed set of APIs for all Orizon engines.
The start() method contains the engine business logic.
Owasp Orizon framework v1.20: the Language Pack
The parser is built using the language grammar and FreeCC, and is almost 100% able to understand the specific language.
Ready for Java, C and PHP. Next to come: Cobol, C++, C#, Ruby, Jsp.
The collector takes the AST from the parser and retrieves variables, methods, ...
Owasp Orizon framework v1.20: build the model
Orizon supports more programming languages with an ad hoc "Language Pack".
SourceFinder scans the input, deciding which files can be processed and the language pack to be used.
The Modeler class uses the Language Pack collectors to gather data and build the model.
Owasp Orizon framework v1.20: analyze
Get the model.
Iterate through all files to be processed.
Apply the rules to the model (rules management).
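The analyze step above, and the "keyword used" versus "keyword + variable tracking" model distinction from the version comparison, as an added illustration that is not Orizon's own code: the model, the rule format (not ORL), the source and sink names and the two sample files are all constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Call:
    method: str      # the keyword a rule looks for, e.g. a sink method
    args: list[str]  # variable names passed to it
    line: int

@dataclass
class FileModel:
    name: str
    assignments: dict[str, str]  # var -> what it was assigned (a var, a call or a literal)
    calls: list[Call]

# Hypothetical rule format, not ORL: a finding needs a sink fed by a source.
RULES = [{"name": "sql-injection", "sources": {"request.getParameter"},
          "sinks": {"Statement.executeQuery"}}]

# Constructed model, standing in for what the collectors would gather from the AST.
SAMPLE_MODEL = [
    FileModel("Login.java", {"user": "request.getParameter", "query": "user"},
              [Call("Statement.executeQuery", ["query"], 12)]),
    FileModel("Report.java", {"sql": '"SELECT 1"'},
              [Call("Statement.executeQuery", ["sql"], 30)]),
]

def keyword_check(model, rule):
    """v1.18 style: every use of a sink keyword is a finding, whatever feeds it."""
    return [(fm.name, c.line, rule["name"])
            for fm in model for c in fm.calls if c.method in rule["sinks"]]

def origin(fm, var):
    """Follow assignments back until the value is no longer a local variable (cycle-safe)."""
    seen = set()
    while var in fm.assignments and var not in seen:
        seen.add(var)
        var = fm.assignments[var]
    return var

def tracked_check(model, rule):
    """v1.20 style: a sink is a finding only if one argument traces back to a source."""
    return [(fm.name, c.line, rule["name"])
            for fm in model for c in fm.calls
            if c.method in rule["sinks"]
            and any(origin(fm, a) in rule["sources"] for a in c.args)]

def analyze(model, check):
    """The analyze step: walk the files of the model and apply every rule."""
    return [f for rule in RULES for f in check(model, rule)]

def text_report(findings):
    """A minimal text formatter for the report step."""
    return "\n".join(f"{name}:{line}: {rule}" for name, line, rule in findings)
```

Running both checks over the sample model shows the keyword-only pass flagging Report.java as well, while variable tracking keeps only the sink actually fed by the request parameter.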
Owasp Orizon framework v1.20: report
The reporting engine manages the findings to be represented as output.
Formatters manage how to represent the findings in various formats.
It’s showtime...
Spot the difference
Columns: v1.0 (EU Summit '08) / v1.18 (AppSec EU '09) / v1.20 (Summer '09)
Architecture: heterogeneous engines with a non standard API / engine based with a standard set of APIs / engine based with a standard set of APIs
Supported languages: Java / Java, C, PHP / Java, C, PHP, C++, Cobol, C#
Interface: command line with options specified as parameters / command line with a shell accepting commands (OSH) / shell + web based GUI
Modeling approach: sources are translated into XML and the analysis is made on it / sources are parsed with an appropriate Language Pack / sources are parsed with an appropriate Language Pack
Model: none / keyword used, variable tracking started / keyword + variable tracking + execution flow
Security check: written in XML / written in ORL (Orizon Rule Language) / written in ORL (Orizon Rule Language)
Crawling: partial / yes / yes
Static analysis: partial / no / yes
Dynamic analysis: no / no / no
Roadmap
In the short term (3 months): v1.20
  collectors must be able to retrieve more information from ASTs
  new Language Packs (C++, Cobol, C#)
In the mid term (6 to 9 months): v1.50
  Modeler will be able to build data flow diagrams and execution flow diagrams
  Owasp Orizon Guide to be released as an "alpha" document
In the long term (12 months): v1.80
  static analysis will be working
  dynamic analysis will start
Before we leave
Thanks to:
  OWASP
  the Italian chapter and its board
  the gang: Nishi, Stephen, Jason, Andrés, Alessio, Dinis (http://orizon.sourceforge.net/blog/the-owasp-orizon-team/)
  my Mom
  my Wife
Some links
FreeCC: used to generate all the parsers in Orizon (http://code.google.com/p/freecc/)
Owasp Orizon links:
  Homepage: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
  Blog: http://orizon.sourceforge.net/blog/
  Twitter: http://twitter.com/OWASPOrizon/