The Owasp Orizon project: new static analysis in HiFi

Paolo Perego, Owasp Orizon Project leader, Spike Reply
OWASP AppSec EU '09, Poland
Slideshow used in Owasp AppSec EU '09 in Poland to show Owasp Orizon internals and roadmap

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,618
On SlideShare
0
From Embeds
0
Number of Embeds
31
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide














  • Owasp Orizon New Static Analysis In Hi Fi

    1. The Owasp Orizon project: new static analysis in HiFi
       Paolo Perego, Owasp Orizon Project leader, Spike Reply, thesp0nge@owasp.org
       OWASP AppSec EU '09, Poland
       Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
    2. Agenda
       Orizon Framework state of the art
       Building a model round up: the Mirage engine
       Roadmap '09
    3. $ whoami
       Senior consultant @ Spike Reply srl
         Offense (Application penetration test)
         Defense: Application Security, Code review, SSDLC design
       Owasp project leader
         Owasp Orizon
         Owasp Source code flaws Top 10
       Owasp Italy board member
    4. Owasp Orizon framework v1.20
       Orizon interface APIs are "engine" based; the three engines are: build a model, analyze, report.
    5. Owasp Orizon framework v1.20: engine
       Engine commands are described by a grammar.
       The command parser is generated from the grammar using FreeCC.
       Engine is an abstract class providing a fixed set of APIs for all Orizon engines.
       The start() method contains the engine business logic.
    6. Owasp Orizon framework v1.20: the Language Pack
       The parser is almost 100% able to understand the specific language.
       The parser is built using the language grammar and FreeCC.
       Ready for Java, C and PHP. Next to come: Cobol, C++, C#, Ruby, JSP.
       The collector takes the AST from the parser and retrieves variables, methods, ...
    7. Owasp Orizon framework v1.20: build the model
       Orizon supports more programming languages with an ad hoc "Language Pack".
       SourceFinder scans the input, deciding which files can be processed and which language pack is to be used.
       The Modeler class uses the Language Pack collectors to gather data and build the model.
    8. Owasp Orizon framework v1.20: analyze
       Get the model
       Iterate through all files to be processed
       Apply the rules to the model
       Rules management
    9. Owasp Orizon framework v1.20: report
       Formatters manage how to represent the findings in various formats.
       The reporting engine manages the findings to be represented as output.
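The build model / analyze / report chain described on slides 4 to 9, as an added example; this is not OWASP Orizon's own code (which is Java). Python's ast module stands in for a FreeCC-generated parser, PythonLanguagePack for the Java/C/PHP packs, plain dicts for ORL rules, and a dict context for whatever the real engines pass around; FileModel, Engine, BuildModelEngine, AnalyzeEngine, ReportEngine, run and the sample input are all assumptions made for the illustration.

```python
# Added illustration of the Orizon pipeline; not OWASP Orizon code (which is Java).
# Python's ast module stands in for a FreeCC-generated parser, dicts for ORL rules.
from __future__ import annotations
import ast
import json
from abc import ABC, abstractmethod
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class FileModel:  # what the collector retrieves from one file's AST
    path: str
    methods: list[str] = field(default_factory=list)
    variables: list[str] = field(default_factory=list)
    calls: list[tuple[str, int]] = field(default_factory=list)  # (callee, line)

def _callee_name(func: ast.AST) -> str:
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return f"{_callee_name(func.value)}.{func.attr}"
    return "<dynamic>"

class PythonLanguagePack:
    """Language Pack = parser + collector for one language (Python here)."""
    extensions = {".py"}
    def parse(self, source: str) -> ast.AST:
        return ast.parse(source)  # a FreeCC-generated parser in real Orizon

    def collect(self, path: str, tree: ast.AST) -> FileModel:
        """Collector: walk the AST and retrieve methods, variables and calls."""
        fm = FileModel(path)
        for node in ast.walk(tree):
            if isinstance(node, ast.FunctionDef):
                fm.methods.append(node.name)
            elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
                fm.variables.append(node.id)
            elif isinstance(node, ast.Call):
                fm.calls.append((_callee_name(node.func), node.lineno))
        return fm

PACKS = [PythonLanguagePack()]

RULES = [  # stand-in for ORL rules: call sinks a code reviewer wants flagged
    {"id": "PY-EXEC", "sink": "eval", "msg": "eval() on tainted input"},
    {"id": "PY-SHELL", "sink": "os.system", "msg": "os.system() builds a shell command"},
]

FORMATTERS = {  # same findings, different representations
    "text": lambda fs: "\n".join(f"{f['file']}:{f['line']} [{f['rule']}] {f['msg']}" for f in fs),
    "json": lambda fs: json.dumps(fs, indent=2),
}

class Engine(ABC):  # fixed API shared by every engine; start() holds the business logic
    @abstractmethod
    def start(self, ctx: dict) -> dict: ...

class BuildModelEngine(Engine):
    def start(self, ctx):
        """SourceFinder picks processable files and their pack; Modeler builds the model."""
        model = []
        for path, src in ctx["files"].items():
            pack = next((p for p in PACKS if Path(path).suffix in p.extensions), None)
            if pack is not None:  # anything else (README, binaries) is skipped
                model.append(pack.collect(path, pack.parse(src)))
        ctx["model"] = model
        return ctx

class AnalyzeEngine(Engine):
    def start(self, ctx):
        """Iterate the model and apply every rule to every call site."""
        ctx["findings"] = [
            {"rule": r["id"], "file": fm.path, "line": line, "msg": r["msg"]}
            for fm in ctx["model"] for callee, line in fm.calls
            for r in RULES if callee == r["sink"]
        ]
        return ctx

class ReportEngine(Engine):
    def start(self, ctx):
        """Hand the findings to the formatter the user asked for."""
        ctx["report"] = FORMATTERS[ctx.get("format", "text")](ctx["findings"])
        return ctx

def run(files: dict[str, str], fmt: str = "text") -> dict:
    """Chain the engines as the command parser would: build, analyze, report."""
    ctx = {"files": files, "format": fmt}
    for engine in (BuildModelEngine(), AnalyzeEngine(), ReportEngine()):
        ctx = engine.start(ctx)
    return ctx

SAMPLE = {  # constructed sample input, not from the page
    "app.py": "import os\ndef run(cmd):\n    out = os.system('ls ' + cmd)\n    return eval(cmd)\n",
    "README": "not source code; SourceFinder skips it",
}

if __name__ == "__main__":
    print(run(SAMPLE)["report"])
```

The rules here only match a callee name, which is what the v1.18 "keyword used" model can do; the variable tracking and execution flow the later columns of the comparison table promise would need the collector to record assignments and edges between them, not just the call list.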
    10. It's showtime...
    11. Spot the difference

       Feature             | v1.0 (EU Summit '08)                               | v1.18 (AppSec EU '09)                                | v1.20 (Summer '09)
       Architecture        | Heterogeneous engines with a non standard API      | Engine based with a standard set of API              | Engine based with a standard set of API
       Supported languages | Java                                               | Java, C, PHP                                         | Java, C, PHP, C++, Cobol, C#
       Interface           | Command line with options specified as parameters  | Command line with a shell accepting commands (OSH)   | Shell + Web based GUI
       Modeling approach   | Sources are translated into XML and analysis is done there | Sources are parsed with an appropriate Language Pack | Sources are parsed with an appropriate Language Pack
       Model               | None                                               | Keyword used; variable tracking started              | Keyword + variable tracking + execution flow
       Security check      | Written in XML                                     | Written in ORL (Orizon Rule Language)                | Written in ORL (Orizon Rule Language)
       Crawling            | Partial                                            | Yes                                                  | Yes
       Static analysis     | Partial                                            | No                                                   | Yes
       Dynamic analysis    | No                                                 | No                                                   | No
    12. Roadmap
       in the short term (3 months): v1.20
         collectors must be able to retrieve more information from ASTs
         new Language Packs (C++, Cobol, C#)
       in the mid term (6 to 9 months): v1.50
         Modeler will be able to build data flow diagrams and execution flow diagrams
         Owasp Orizon Guide to be released as "alpha" document
       in the long term (12 months): v1.80
         static analysis will be working
         dynamic analysis will start
    13. Before we leave
       Thanks to
         OWASP
         the Italian chapter and its board
         the gang: Nishi, Stephen, Jason, Andrés, Alessio, Dinis (http://orizon.sourceforge.net/blog/the-owasp-orizon-team/)
         my Mom
         my Wife
    14. Some links
       FreeCC: used to generate all the parsers in Orizon (http://code.google.com/p/freecc/)
       Owasp Orizon links
         Homepage: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
         Blog: http://orizon.sourceforge.net/blog/
         Twitter: http://twitter.com/OWASPOrizon/