Difference between revisions of "OWASP Orizon Project XML"

From OWASP
Revision as of 10:07, 31 July 2008

The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check
  id=check identifier code
  severity=[info | warning | error]
  impact=[low | medium | high | critical | panic]
  description=a short description for this check
  positive_fail=[yes | no]
>
  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

Design check

Design checks are about source file design (how many classes are contained in a source file? how many methods? what is the scope of method A?).

source code statistics

<design
   subj="stats"
   name=[loc | loC]
   verb=[lt | gt | le | ge | ne | eq | ratio]
   [ direct_object=[loc | loC] ]
   value=numeric value
/>

where:

  • name is the statistic's name and can be one of the following:
    • loc: lines of code
    • loC: lines of comment
  • verb is the boolean comparison operator between the subject and the value:
    • lt: less than
    • gt: greater than
    • le: less than or equal to
    • ge: greater than or equal to
    • ne: not equal to
    • eq: equal to
    • ratio: the ratio of subj to direct_object
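As an added illustration (not code from the Orizon project), the following Python loads a constructed check written in the schema above, validates its enumerated attributes, and evaluates a subj="stats" design check against a file's loc/loC counts. The check id, the meaning of positive_fail, and the semantics of the ratio verb are assumptions noted in the comments.

```python
import operator
import xml.etree.ElementTree as ET

SEVERITIES = {"info", "warning", "error"}
IMPACTS = {"low", "medium", "high", "critical", "panic"}
COMPARE = {"lt": operator.lt, "gt": operator.gt, "le": operator.le,
           "ge": operator.ge, "ne": operator.ne, "eq": operator.eq}

# Constructed sample check (not from any Orizon recipe): a stats design check
# that fires when a source file has more than 500 lines of code.
SAMPLE_CHECK = """<check id="DEMO-001" severity="warning" impact="medium"
       description="source file is too long" positive_fail="yes">
  <design subj="stats" name="loc" verb="gt" value="500"/>
</check>"""

def validate_check(root):
    """Reject a <check> whose enumerated attributes fall outside the schema."""
    if root.tag != "check" or not root.get("id"):
        raise ValueError("root must be a <check> with an id")
    for attr, allowed in (("severity", SEVERITIES), ("impact", IMPACTS),
                          ("positive_fail", {"yes", "no"})):
        if root.get(attr) not in allowed:
            raise ValueError(f"{attr}={root.get(attr)!r} not in {sorted(allowed)}")
    return True

def eval_stats(design, stats):
    """Evaluate <design subj="stats"> against counts like {'loc': 640, 'loC': 20}."""
    if design.get("subj") != "stats":
        raise ValueError('only subj="stats" design checks are handled here')
    name, verb = design.get("name"), design.get("verb")
    value = float(design.get("value"))
    if name not in ("loc", "loC"):
        raise ValueError(f"unknown statistic {name!r}")
    if verb == "ratio":
        # Assumption: the ratio check holds when name/direct_object >= value.
        denom = stats[design.get("direct_object")]
        return denom != 0 and stats[name] / denom >= value
    return COMPARE[verb](stats[name], value)

def run_check(xml_text, stats):
    """Return (check id, severity, finding?) for one check over one file's stats."""
    root = ET.fromstring(xml_text)
    validate_check(root)
    matched = eval_stats(root.find("design"), stats)
    # Assumption: positive_fail="yes" means a true comparison is the finding,
    # "no" means a false comparison is the finding.
    finding = matched if root.get("positive_fail") == "yes" else not matched
    return root.get("id"), root.get("severity"), finding
```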


<design
   subj=[class|field|attribute]
   name=the subject name when applicable
   verb=[contains|count|has_scope]
   value=the value being checked
/>

<design
   subj="class"
   verb=[extends|implements]
   value=the value being checked
/>


  • keyword_check, about keyword specific checks

<keyword
   name=keyword name
/>

  • execution_check: extra care must be taken for parameters in this design...

<exec
   caller_class=a class name
   caller_method=a method name
/>

The Orizon Input file XML schema

Orizon 1.0 will bring three new subsystems to the Jericho engine:

  • local analysis (control flow graph)
  • global analysis (call graph)
  • taint propagation analysis (data graph)

Each of these subsystems will use a different input file provided by the translator, so each source file will be translated into three different XML files, each with its own schema.

Local analysis

Global analysis

Taint propagation analysis

This subsystem is devoted to analyzing variable content and how data is managed by the application.

Here is the schema to be used to describe a generic operation on a variable, a socket, or another I/O channel.

 <taint
      subj="[variable|socket|sql|file]"
      verb="[created|modified|deleted|read_data|write_data]"
      value="the value being used to fill the variable"
 />