OWASP Orizon Project XML

= The Orizon check XML schema =

A check contained in a safe coding recipe, follows this schema:

&lt;check id=check identifier code severity=[info | warning | error] impact=[low | medium | high | critical | panic ] description=a short description for this check positive_fail=[yes | no] &gt; [method_check | class_check | attribute_check | compare_check |  variable_check | source_check] &lt;/check&gt;

... some ideas ...
Security checks can be divided in:
 * design_check
 * keyword_check
 * execution_check

Design check
Design checks are about source file design (how many class are contained in a source? how many methods? what is the scope of the method A?).

source code statistics
&lt;design subj="stats" name=[loc | loC] verb=[lt | gt | le | ge | ne | eq | ratio] [ direct_object= [loc | loC] ] value=numeric value /&gt;

where:
 * name is the statistics name and can be one of the following:
 * loc: line of code
 * loC: line of Comment


 * verb is the boolean comparison operator between the subject and the value:
 * lt: lesser than
 * gt: grater than
 * le: lesser or equal than
 * ge: greater or equal than
 * ne: not equal than
 * eq: equal than
 * ratio: indicates the ratio subj versus direct_object

&lt;design subj=[class|field|attribute] name=the subject name when appliable verb=[count|has_scope] value=the value being checked /&gt; When intended as String, the value argument can be a "|" separated list of strings ("public|private").

&lt;design subj="class" verb=[extends|implements] value=the value being checked /&gt;

&lt;design subj="class" verb="contains" value="method" &lt;what name="the method name" type="the method return type" modifier="a | separated list of modifier attributes" /&gt; /&gt; &lt;keyword name=keyword name /&gt;
 * keyword_check, about keyword specific checks

&lt;exec caller_class=a class name caller_method=a method name /&gt;
 * execution_check: extra care must be taken for parameter in this desing...

= The Orizon Input file XML schema = Orizon 1.0 will bring 3 new subsystems in Jericho engine: Each of this subsystems will use a different input file provided by the translator, so each source file will be translated in 3 different XML files with different schema of course.
 * local analisys (control flow graph)
 * global analisys (call graph)
 * taint propagation analisys (data graph)

Taint propagation analisys
This subsystem is devoted to analyze variable content and how data is managed by the application.

Here is the schema to be used to describe a generic operation over a variable or a socket or a generic I/O operation.

&lt;taint subj="[variable|socket|sql|file]" name="the variable name" type="the variable data type" verb="[created|modified|deleted|read_data|write_data]" constant="[yes|no]" must_reduce="[yes|no]" value"the value being used to fill the variable" &gt; expression to be reduced...

Here there are some example to understand better how instructions over variable, will be translated to XML.


 * Variable declaration

To better describe variable declaration we must discriminate from simple variable rather than complex objects in OO programming languages.

If we need to declare a brand new integer value, int a; we will obtain 

If we choose to create a new variable with a init value, int b = 3; we will obtain 

Now lets create an object rather than a simple variable. String c = new String("A new string"); The correspondent XML will be  

What happens if some complex constructor call is issued String d = new String((new Integer(3)).toString); This example is quite odd, but it's a common practice to have very complex object constructor calls.    3


 * Generic non constant assignment

Let a be an integer variable. We want to stuff volatile value of '5' into it...   a = 5; it becomes 