[Owasp-o2-platform] Feedback

Dinis Cruz dinis at ddplus.net
Tue Nov 24 19:35:16 EST 2009


Hi Brad, no you are not SOL :)

There are (at least) two main ways to create Findings with traces using O2.

   1. using the CIRViewer (which consumes CIR, a Common Intermediate
   Representation format that you can create using O2 from Java classes and
   .NET assemblies), and
   2. using live execution data (i.e. Real-Time-Call-Flow analysis), which
   records the actual code & data flows (only for .NET at the moment)

*On the CIR-driven traces*. The key concept to understand here is that O2
creates Call-Flow traces and not Data-Flow traces. Basically the O2 traces
(and findings) tell you that there is a Path between function A (source) and
Function B (Sink), but not that there is an actual data flow between those
two calls.

The call-flow traces work quite well in certain scenarios and if you guys
start using it, I'm sure that we can fine tune it so that it can be easily
used to find a lot of vulnerabilities.

This functionality is currently implemented in the O2 Rules Manager, and if
you are interested let's work together and document it.

The only tools that I know that are able to create data-flow traces are the
commercial ones (Ounce & Fortify (not sure about the others)) and CAT.NET.
I'm still waiting to see (and consume in O2) data-flow traces from Orizon,
but as far as I understand it, Paolo is not there yet.

There is another OWASP project trying to create data-flow traces which is
the O2 Sub-Project OSSAD (One Security Static Analyzer per Developer), led
by Stephen Craig Evans and hosted here:
http://www.owasp.org/index.php/OWASP_O2_Platform/Sub-Projects/OSSAD

My request to both Orizon and OSSAD is simply: *"Don't over-engineer your
engines and try to do too much, too soon. If you (engines) focus just on
creating data-flow traces, O2 can handle the rest"*

*On Real-Time-Call-Flow analysis.* There is a very first rough preview of
this functionality in the O2_Tool_CSharpScripts module
(http://deploy.o2-ounceopen.com/O2_Tool_CSharpScripts/), which creates traces
from .NET debug hooks, and I am about to release a new O2 module which uses
AOP (Aspect Oriented Programming) to create Findings and allow Virtual
Patching of vulnerable functions (if you look at O2's source code, this is
currently at this location:
\_SourceCode_O2\Scanners\O2_Scanner_DotNet\O2_Scanner_DotNet.sln )

----

Although I believe that in the medium term we will have an Open Source
engine that will be able to create Data-Flow traces, in the short term, for
the pure "Open Source / Free tools" users out there, the options are:

   - findings created by Call-Flow analysis
   - findings created by Real-Time-Call-Flow analysis
   - findings created by CAT.NET
   - findings created by other security/OWASP tools


(further comments on my next replies to other posts on this thread)

Dinis Cruz
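
As an added illustration of the call-flow versus data-flow distinction described in the message above (example code written for this page, not O2's own; the toy program, its function names and the rule that unknown library calls pass taint from argument to result are all constructed assumptions), the following shows why a call-flow finding is a path to review rather than a confirmed vulnerability:

```python
from collections import deque

SOURCE, SINK = "request.getParameter", "statement.execute"

# Constructed toy program (not O2's CIR): per function, its parameter names, a
# body of (dst, callee, args) statements and optionally the variable it returns.
PROGRAM = {
    # doGet reaches both source and sink but only logs the user value and runs a
    # constant query (call-flow hit, no data flow); doPost really is injectable.
    "Servlet.doGet": {"params": [], "body": [
        ("user", SOURCE, ["name"]),
        (None, "Audit.log", ["user"]),
        ("sql", "Query.constant", []),
        (None, "Dao.run", ["sql"])]},
    "Servlet.doPost": {"params": [], "body": [
        ("user", SOURCE, ["name"]),
        ("sql", "Query.build", ["user"]),
        (None, "Dao.run", ["sql"])]},
    "Query.build": {"params": ["n"], "returns": "q",
                    "body": [("q", "String.concat", ["n"])]},
    "Dao.run": {"params": ["q"], "body": [(None, SINK, ["q"])]},
}

def call_flow_trace(entry):
    """Call-flow: entry reaches SOURCE and a call path entry -> ... -> SINK
    exists. Nothing about arguments or return values is inspected."""
    def path_to(target):
        queue, seen = deque([[entry]]), {entry}
        while queue:
            path = queue.popleft()
            for _, c, _ in PROGRAM[path[-1]]["body"]:
                if c == target:
                    return path + [c]
                if c in PROGRAM and c not in seen:
                    seen.add(c)
                    queue.append(path + [c])
        return None
    return path_to(SINK) if path_to(SOURCE) else None

def data_flow(fn, tainted_params=(), stack=()):
    """Data-flow: follow the SOURCE value through assignments and arguments.
    Returns (trace or None, whether fn's own return value is tainted)."""
    tainted, trace = set(tainted_params), None
    for dst, callee, args in PROGRAM[fn]["body"]:
        hot = any(a in tainted for a in args)
        if callee == SINK and hot and trace is None:
            trace = [fn, SINK]
        if callee == SOURCE:
            ret = True                      # attacker-controlled value
        elif callee in PROGRAM and callee not in stack:
            sub = PROGRAM[callee]
            params = [p for p, a in zip(sub["params"], args) if a in tainted]
            sub_trace, ret = data_flow(callee, params, stack + (fn,))
            if sub_trace and trace is None:
                trace = [fn] + sub_trace
        else:
            ret = hot                       # library call: taint passes through
        if dst:
            tainted.add(dst) if ret else tainted.discard(dst)
    return trace, PROGRAM[fn].get("returns") in tainted

def triage(entry):  # both views together, as a reviewer reads O2 findings
    cf, (df, _) = call_flow_trace(entry), data_flow(entry)
    verdict = "confirmed" if df else "review manually" if cf else "clean"
    return {"call_flow": cf, "data_flow": df, "verdict": verdict}
```

Running `triage` on both entry points gives the same call-flow trace for each, but only `Servlet.doPost` gets a data-flow trace; `Servlet.doGet` is the kind of finding a reviewer still has to confirm by hand.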



On Wed, Nov 25, 2009 at 12:00 AM, Brad Causey <bradcausey at gmail.com> wrote:

> Ahah!! I do not have the Ounce Security Analyst.
>
> Does this mean I'm SOL?
> I have used Analyst and it is a fantastic tool! Unfortunately I'm
> restricted to open source.
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
>
> On Tue, Nov 24, 2009 at 5:55 PM, Matt Parsons <mparsons1980 at gmail.com>wrote:
>
>>  I use Ounce and set the setting on Ounce Labs in Preferences to scan jar
>> files.  See attached screen shots.
>>
>> Matt Parsons, MSM, CISSP
>>
>> 315-559-3588 Blackberry
>>
>> 817-294-3789 Home office
>>
>> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>>
>> http://www.parsonsisconsulting.com
>>
>> http://www.o2-ounceopen.com/o2-power-users/
>>
>> http://www.linkedin.com/in/parsonsconsulting
>>
>>
>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>> *Sent:* Tuesday, November 24, 2009 5:43 PM
>>
>> *To:* Matt Parsons
>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> Matt,
>>
>> This is good stuff, but it assumes you already have a findings file. Once
>> I get there, this will be most helpful.
>>
>> Let's start with what tool you are using from the O2 binaries to ingest EAR
>> files?
>>
>>  On Tue, Nov 24, 2009 at 5:00 PM, Matt Parsons <mparsons1980 at gmail.com>
>> wrote:
>>
>> Brad,
>>
>> If you can get this, attached is a presentation that I created off of one
>> of Dinis' classes.  Please let me know if you have any questions and if you
>> receive it.
>>
>>
>>
>> Dinis,
>>
>> Feel free to modify this and post on the O2 website if you see value in
>> it.
>>
>>
>>
>> Thanks,
>>
>> Matt
>>
>> *From:* Brad Causey [mailto:bradcausey at gmail.com]
>> *Sent:* Tuesday, November 24, 2009 4:47 PM
>> *To:* Matt Parsons
>> *Cc:* Dinis Cruz; owasp-o2-platform at lists.owasp.org
>>
>>
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> Matt and Dinis,
>>
>> Forgive me, but are there "super stupid basic" tutorials out there? I
>> briefly scoured the site, and I've got a decent handle on 2 or 3 of the
>> tools from just playing around with it. Ideally, a getting started document
>> would be great.
>>
>> Matt - What O2 tool do you use, and what are your basic steps to get it
>> into an oz file so you can view it in O2?
>>
>> On Tue, Nov 24, 2009 at 2:34 PM, Matt Parsons <mparsons1980 at gmail.com>
>> wrote:
>>
>> I use Ounce Labs out of the box to scan wars, jars and ears.  I then use
>> O2 to filter my findings for my clients.  I also scan Dot-net source as
>> long as it compiles; with Ounce Labs out of the box.  The generic pdf
>> reports can be created from Ounce Labs.  When I do an assessment I break
>> the findings up into required, requested, informational, to be
>> investigated, validation required, validation encoding required and
>> potentially malicious.  These are all broken up using bundles.
>>
>>
>>
>> The reports can be tweaked using O2.  But I generally create reports by
>> API with five lines above and five lines below each context of line of
>> code.   Let me know if that helps.
>>
>>
>>
>> Thanks,
>>
>> Matt
>>
>> *From:* owasp-o2-platform-bounces at lists.owasp.org [mailto:
>> owasp-o2-platform-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
>> *Sent:* Tuesday, November 24, 2009 12:21 PM
>> *To:* Dinis Cruz
>> *Cc:* owasp-o2-platform at lists.owasp.org
>> *Subject:* Re: [Owasp-o2-platform] Feedback
>>
>>
>>
>> See Inline
>>
>> On Tue, Nov 24, 2009 at 12:07 PM, Dinis Cruz <dinis at ddplus.net> wrote:
>>
>> This is great news Brad, please dump as much info here regarding what your
>> requirements, objectives and deliverables are (you can also use the O2
>> Power-User Blogs, for which you have an account :) ).
>>
>>
>>
>>  The best way to 'consume' O2 is to have a very explicit set of problems
>> that we can use O2 to solve. So Brad, are you able to list 5 items that you
>> would like to do with O2?
>>
>>
>>
>> This I can handle:
>>
>> 1. Scan java source. Such as WAR, JAR,  and EAR.
>> 2. Scan Dot-net source. Compiled and otherwise.
>> 3. Create a report from these scans that allows us to prioritize, browse,
>> etc.
>>
>> That's about it really. I've looked at findbugs and Yasca but findbugs is
>> just Java and Yasca's plugins appear broken on the latest release.
>>
>>
>>
>> Regarding training, there are already a couple of commercial options that are
>> available to you: Bruce or Ian from IBM/Ounce, Cigital (talk to John Steven
>> since he knows the best ones), Matt Parsons, and (if you fly them in from
>> Brazil) Wagner from Conviso. There are a couple of other power-users out
>> there, but I'm not sure I can mention their names :)
>>
>>
>>
>> I would prefer to go through OWASP for this, thoughts?
>>
>>
>>
>>
>> On the topic of O2 Users and Companies providing commercial services on
>> top of O2, I've started a page here (
>> http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Active_O2_Users)
>> and please feel free to add your name (It's a WIKI, just get an account and
>> start editing)
>>
>>
>> Assuming we finalize our process and make this an authorized tool, we just
>> might do that. =)
>>
>>
>>
>>
>> Dinis
>>
>>
>>
>> On Mon, Nov 23, 2009 at 2:19 PM, Brad Causey <bradcausey at gmail.com>
>> wrote:
>>
>> I'm firing this into the open forum because hopefully other folks will be
>> able to get something from it.
>>
>> I am creating a standardized code review process manual for my employer.
>> This will include a step-by-step (yay for the reqs in the financial sector)
>> guide on what needs to be done. Now because we don't have a shi-ton of
>> coders on our team, we need a tool to assist us. We primarily deal in java
>> and dot-net. Because of this, O2 came to mind, and I'm proud to say I've
>> convinced my boss to let me attempt to make O2 the "authorized" tool for
>> code review, across the organization.
>>
>> I will probably end up having to hire a trainer and bring them in to train
>> the team on O2, but this also drives home the need for some simplistic
>> interfaces, and good docs.
>>
>> I'd like to get with you Dinis, and make this happen, and share what we
>> create/learn with the O2 mailing list. Anonymized of course. =)
>>
>> On Sat, Nov 21, 2009 at 10:04 AM, dinis cruz <dinis.cruz at owasp.org>
>> wrote:
>>
>> First of all, a big *Thank You to Rohit*, since feedback like this is not
>> easy to do, and he is also providing a number of very good ideas (which I
>> will implement in the very short term)
>>
>> I also completely agree with Rohit (and probably most of you that have
>> tried O2) *that O2's GUI sucks from the point of view of a new user*.
>>
>> I really like the idea of 'information hiding' for new users suggested by
>> Rohit; in fact I once made a bunch of 'analog' (i.e. on paper) sketches
>> based on the idea of rewarding the user with features once he 'achieves' a
>> certain task (just like the games on the iPhone (which my kids play) which
>> only let you go to the next level once you have completed the current one).
>>
>> I'm going to provide a much more detailed answer to Rohit (including with
>> a PoC of the GUI that he described), but please keep feedback like this
>> coming
>>
>> And if you want to track your requests, you can add them here:
>> http://code.google.com/p/o2platform/issues/list
>>
>> Dinis Cruz
>>
>> 2009/11/19 Rohit Sethi <rklists at gmail.com>
>>
>>
>>
>> Dinis et al, this project is very promising. Although I've known about
>> O2 for a while now, today was the first time I actually installed the
>> tool. Dinis, when you demonstrate the capabilities of O2 it's
>> awe-inspiring, but I imagine many people feel the same way as I do
>> when they actually install the tool: overwhelmed. I suggest you apply
>> the principle of "information hiding" to the design of the application
>> - provide people with a basic, simple view of the application and give
>> them the option to expand on more advanced features when needed. I
>> have some ideas for you, but I'm ashamed to say I don't have the
>> bandwidth to actually implement them :(
>>
>> A few specific suggestions:
>> •       Is there a public bug tracking system? If not this is an invaluable
>> tool to solicit feedback and track bugs on an ongoing basis. You
>> should provide a link to the bug-tracker from the main OWASP O2 page
>>
>> •       What was the rationale for creating a new GUI? In particular, why
>> didn’t you just piggyback off an existing, pluggable IDE like Eclipse?
>> I'd guess the answer is because O2 is developed (I’m assuming) in .Net
>> and probably through Visual Studio in order to facilitate GUI widget
>> development. You’ve created a new look and feel which then requires
>> the end user to understand the new look and feel in order to make
>> sense of the application. Although I can appreciate the choice to go
>> use .Net instead of Java, I wonder if copying some of the GUI
>> conventions of Eclipse might be useful (more on this later). Note that
>> I’m no usability expert, but I’d like to share my thoughts anyway. I
>> would seriously suggest freezing new feature development for a while
>> and focus on improving usability; once the application is easier to
>> use, hopefully the user base will grow and so will the pool of
>> developers willing to pitch in. In general try to minimize the amount
>> of information in each dialogue box, and provide expandable, grouped
>> advanced options.
>>
>> •       I think O2 would be better served as one application with various
>> features and extensions, rather than a loosely coupled collection of
>> modules. Not only will this help lower the learning curve to the
>> application, it will help clarify the user interface. Going back to
>> the Eclipse point, why not start with the concept of a “Project”? Each
>> project relates to an individual application, and is comprised of
>> several child elements. You can even have a Project Explorer /
>> Navigation similar to what Eclipse has. Rather than dragging and
>> dropping source files into different module windows, there should be
>> one location of source files within the projects and the modules can
>> reference those source files.
>> Here’s an example of a potential Project structure:
>> Project
>>   -Input
>>       -Scanner Results (e.g. .ozmat)
>>       -Source Files (e.g. .class, .xml)
>>   -Analysis
>>       -Findings (e.g. Ounce findings)
>>       -Rules (e.g. Ounce rules)
>>       -Scripts (e.g. Python, Java, C# scripts, etc.)
>>       -Intermediate Representation (e.g. CIR objects)
>>
>> •       I appreciate the flexibility in offering discrete modules of O2
>> functionality; however, in its current format, I had a hard time
>> distinguishing between which functions are "Core O2 functions" and
>> what were really extensions. I suggest that you create a single GUI
>> which users can identify as the "O2 application". Similar to IDEs like
>> Eclipse, users could open the GUI and then select different views or
>> perspectives based on the features they wish to use. Similarly, I
>> suggest creating a single Windows installer that installs all Core O2
>> functions along with the single GUI (e.g. Rules Manager, Join Traces,
>> O2 Scripts, Findings Query, Findings Viewer, Findings Filter, Search
>> Assessment Run, etc.). Provide an option for custom installation in
>> case people want to scale down the features. Provide an interface to
>> install "extensions" such as Spring MVC or support for CSharpScripts,
>> etc.
>> Here’s what I’d recommend for the top level menus of the Core O2
>> application:
>>
>> File
>>   -New /** starts a new project, perhaps with a wizard to help guide
>> the user */
>>   -Open
>>   -Save
>>   --------
>>   -Import /** import findings from various scanners */
>>   ---------
>>   -Exit
>> /** Get rid of restart modules - this might be a useful debugging
>> concept but doesn't make sense to end users. Somebody should open and
>> close the app if they need to do this */
>>
>>
>> Edit
>>  -Cut
>>  -Copy
>>  -Paste
>>  -------
>>  -Configuration /** opens a dialog window with top level choices on
>> the left and details on the right, similar to Eclipse Preferences */
>>      -File System /** Top level choice */
>>         -File Location
>>         -Install Directory
>>         -Temp Directory
>>         -Executable Directory
>>      -Module Specific /** One top level choice for each module that
>> requires configuration */
>>      -Advanced /** Top level choice */
>>         -(other configuration items from the KO2Config)
>> /** Provide a radio button on the top to allow users to toggle between
>> Main configuration and user-specific configuration */
>> /** Provide standard Save and Cancel buttons on the bottom of the
>> dialogue window */
>>
>>
>> Modules /** Each should bring up a different dialog box */
>>   -Search
>>   -Rules Manager /** don't distinguish between XRules and other kinds
>> of rules - this is confusing */
>>   -Log Viewer
>>   -Trace Joiner
>>   -Code Reflector
>>   -Script Editor /** should support  C-Sharp, Python and Java */
>>   -Findings Manager /** includes Filter and Viewer */
>>   -Intermediate Representation Viewer  /** or IR Viewer for short,
>> rather than CIR since this is now platform agnostic */
>>   -Technology-Specific Modules
>>       -Spring MVC
>>       -.Net /**Should include the .Net debugger (the web server
>> should be part of this functionality rather than a separate module),
>> .Net Callbacks Maker */
>>
>> Windows /** no idea what functionality is supposed to be here */
>>
>> Help
>>  -Online Knowledgebase (or Wiki) /** Link to owasp site */
>>  -Request Help from O2 Developers
>>  -About /** include version, developers names and the email address
>> to provide feedback, don’t need the Send Comment feature */
>>
>> •       Do you really need the modules that allow people to run the scanner
>> from within O2? I argue this causes too much confusion for its actual
>> value
>> •       If you use the above-suggested layout, Web Inspect Converter and
>> other Blackbox scanner import tools should be Wizards to import data
>> into a project’s Scanner Results rather than new modules
>>
>> Cheers,
>>
>> --
>> Rohit Sethi
>> Security Compass
>> http://www.securitycompass.com
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>
>>
>>
>>
>> --
>>
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>>