This is a top level list of the work I did on O2 during July and August 2009:

July 2009

• CIR: Added support to create CIR data from Java files (currently only available on the O2 Spring MVC module) 
• SpringMVC module: Complete rewrite of most functionality, added following new features:
  • Create Spring MVC ascx control:
    • SpringMvc controllers mappings using imported ‘Jython/jasssist created’ java annotation files, direct view of Controller’s Source Code, view (after recursive calculation) of Spring MVC Auto-Binded controller’s objects, Create Findings from Spring MVC mappings, view Findings that match controllers, load & save of MappedSpringMvcControllers & CirData
  • Exploit Spring MVC ascx control:
    • Load MappedSpringMvcControllers & CirData , add web browsing support (using IE WebBrowser Control), auto browse controllers web pages, auto map controllers to browsed web pages, auto populate DataGridView with loaded page form fields, view (fully recursive) model for AutoBinded Objects for current controller/page, drag & drop autoBinded property into DataGridView, submit form data
• O2 Python: Added python support (via new Code Execution factory & dedicated O2 GUI):
  • IronPyton: to allow direct access (from python) to .NET classes
  • Jython: to allow direct access to (from python and O2 scripts) to Java Objects (for example this is how JASSIST was used to extract Java Metadata from java classes)
• Java Support: using IKVM (& dedicated O2 module to build the required *.jar files) added Java support where it is now possible to write O2 Scripts directly inside Eclipse
• CSharpScipts: Fixed number of bugs and improved ‘Trace creation from Debug Breakpoints’ workflow
• WebInspect PoC: Fixed number of bugs to make demos of its functionality easier and simpler
• Ounce CLI Scanning: Increased support for more ‘Drag & Drop’ auto scan files (*.ppf, *.gaf. *.ewf, *.epf)
• Rule Manager: Improved workflow to create rules from existing Ozasmt files

August 2009

• CIR:  Added Source Code references to CIR
  • Extended CIR Schema
  • Major Refactoring of CIR creation/processing code to reflect new code changes (for example the CirFunciton IsCalledBy list is now a CirFunctionCall object instead of a simple string)
  • added support to jython JASSIST importer to include that information in the exported XML files add respective O2 Importer so that the new Java CIR contains source code references
  • made major changes to the CIR viewer GUI to support the cases where source code references are available
• Findings Viewer & ImportExport:
  • Added support for importing findings from AppScan DE (via XML to XSD  to C# conversion)
  • Added support to find partial source code references in the local disk
• Rule Managed: Added support for importing ‘Function Taint annotations mappings’ files
• O2 Light – Dual Scan: Create PoC that shows how use a simple ‘drag & drop’ interface to fire up two parallel scans (one with Ounce’s engine and one with AppScan DE)
• ClickOnce: Removed auto-new-versions-check (while O2 is running)
• Spring MVC Module: major changes to the following classes/controls: JoinControllersWithFindings, SpringMvcAutoBindClassesView, SpringMvcMappings, CirViewingUtils, CreateFindingsFromMvcData, TraceCreator

Bunch of code fixes and new features on the Spring MVC module:

If you want to recompile O2 and make changes to its source code, here are a number of tips that will make your life easier:

• first get the latest version of the source code from the Files (Binaries, Source and Demos) page. The versions have the publishing date on its name (for example as of today the latest is _SourceCode_O2 - 8th Aug 09.zip (if you need an older version you can get it from old-versions-of-source))
• This zip contains ALL O2 modules and (with the one problem documented below) should build with no problems if:
  • you have Visual Studio 2008 or the latest version of Sharp Develop
  • you have .Net 3.5 SP1 installed
• The only problem you should have is the fact that you will not have my private key on your system that is used to sign the O2 modules published using Click-Once.
  To fix this, in Visual Studio follow these actions:
  1. Open the properties of the O2_Tool_XXXX module you are editing. Note that you shouldn't be using the O2 - All Active Projects.sln solution file since that will take much longer to compile and in most cases what you want to do is to make a change to a specifc project. So for example if you want to make on the "O2 Tool - Findings Viewer" module you should open the \_SourceCode_O2\O2_Tools\O2_Tool_FindingsViewer\O2_Tool_FindingsViewer.sln solution file
  2. Once the property page is open, go to the Signing tab
  3. And uncheck the Sign the ClickONce manifests checkbox (note that only the O2_Tool_xxx and O2_CMD_xxx are configured to be signed)
  4. The code should now compile OK and you should be able to run it

Let me know if there are problems in getting this to work

Hello, over the first 3 months of 2009 I literary isolated myself and worked (usually 16h a day) on O2 (I spent over 30 days on multiple hotels and worked all weekends (needless to say that my wife was not very happy with it)).

During this period I literally re-wrote the earlier version of O2, and added tons of new capabilities. Here is a list of what I worked on (all exposed on the current and older versions of O2 (downloadable from the O2 website), roughly broken down by month:

January 2009:

• Decoupled Ounce Scanning engine where now it makes direct calls to Ounce’s CLI (Command Line interface) instead of using JNBridge
• Re-Implemented GUI under SharpDevelop GUI (I was after their ‘Visual Studio’ look and feel). After some refactoring and change to SharpDevelop code I was able to create a ‘light’ version of it (in addition to the new GUI, I was also attracted to the extra addons available in Sharp Develop, namely the debug capabilities (I later dropped the use of SharpDevelop since its dependencies proved to hard to deal with))
• Continued writing Unit-Tests for O2 and added multiple features to O2 modules to support it (Unit Tests)
• MAJOR refactoring of O2 code. There is now an O2 Kernel with key functionality moved to specific O2 modules (this removed tons of O2 internal modules dependencies). As part of this refactoring, there are now 'Interface' support for most commonly used O2 objects (most are based on the O2_Kernel.dll module and allow for a much cleaner and robust O2 code)
• Added O2 support for Spring .NET with a wrapper that allowed the creation and loading of O2 modules using XML config files (to implement this, I had to do a huge refactoring of the code since most O2 modules and Objects needed to be created in isolation and its dependencies 'injected' via Spring .NET using pre-defined Interfaces (this is also called in Spring .NET terminology 'Inversion of Control')
• New Assessment, Findings and traces objects which abstract the ozasmt format and provide a simple interface to assessment, finding and trace manipulation. Multiple new GUI modules where implemented that allow the FULL manipulation of ALL findings and trace data. Load and Save from/to ozasmt format was also implemented
• Created a PoC for "WebInspect -> Ounce Ozmast files" conversion. The objective was to show how we could create a mapping between WebInspect results (BlackBox) and Ounce's scans (White-box). I used HacmeBank as a test case and created two versions: one that required no customization between the original scans and the final result (i.e. one click-button mode) and one version that used a bit of scripting to find (from the source code and CIR) the mapping formula between external URLs and Internal code (in the HacmeBank case, this happens via a mapping of a GET parameter to and ASCX control)
• Added support for Microsoft’s CAT.NET engine. There is an O2 MsCatNet module which is able to trigger scans via CAT.NET command line interface, and convert findings into Ozasmt file format
• Researched Microsoft’s PEX to see it could be used as an “method based exploit generator” for testing of validation-routines (it sort of worked, but PoC is not fully working)
• Researched PostSharp Laos and AspectNGS for: AOP, dynamic .Net binary patching and dynamic trace generation (mixed results, see RnD O2 modules)
• Researched Mono Cecil for dynamic .Net binary creation and patching (good results and this is now part of O2 core modules)
• Added support for Firefox Browser engine. New O2 Module that uses Gecko for browser automation (going to be very useful in the future to build modules that build exploit PoCs or want to analyze Javascript behavior)

February 2009

• Dropped support for SharpDevelop and used the WeifenLuo.WinFormsUI.Docking.dll directly to implement the GUI
• Dropped support for Spring .NET DI and implemented similar functionality in O2 Kernel
• Added extended .NET assembly analysis, decompilation, creation and manipulation by using Mono’s Cecil (multiple O2 modules affected, for example the new O2 Reflector Module)
• Added multi-thread support to O2. First major implementation can be see on the TASKS feature which can be used for multi-thread task execution
• Wrote new finding’s analyzer GUI. First called ‘Findings Filter’ (which was wizard based) who after a couple versions become the super fast “Ozasmt Query” O2 module (later renamed to ‘Findings Query)”
• Added Linq support to O2 codebase and used external library to allow “Ozasmt Query” to create dynamic LINQ queries
• More Unit tests and Major refactoring (for example extracted all Ozamst and CIR objects as interfaces and moved them into the O2 Kernel)
• Created multiple WPF (Windows Presentation Foundation) PoCs and added support for it to O2. Unfortunately, due to lack of time, no major O2 modules are current implemented using WPF
• Added extended support for WCF (Windows Communication Foundation) to O2. Current this is at O2 Kernel level and it is ‘exposed’ on the major O2 modules (see Unit tests for PoCs). In the current O2 code base, WCF can be used to control O2 kernels / modules that are located on the same computer or on remote computers.
• Added extended AppDomain support to O2 where it is possible to load multiple O2 modules on different AppDomains (this feature is used by the WCF code).
• Created plans for “O2 in the Cloud” architecture, which the AppDomain and WCF are the first implemented building blocks
• Implemented a generic .NET Application Wrapper with a simplified API to invoke hooked methods
• Made multiple changes to the GUI of O2 Modules in order to make them much easier to use
• Added multiple support features to O2’s main GUI (for example: auto email on O2 Module closure, 1-Click email support, auto email or critical O2 module crash)

March 2009

• Created a global Solution file containing ALL O2 projects which allowed the fixing of all refactoring bugs, and the on-going full compile of all O2 modules (i.e. every week, I now use this solution file to make sure that all projects compile OK and all unit tests are still working)
• New O2 module called ‘Findings Filter’ which is a simplified GUI to perform powerful analysis of Ozmast files
• Added support for the new Ounce 6.1 ozasmt file format
• Added FULL Debug capabilities to O2 (using as a base Microsoft’s MDBG sample application). This is best viewed on the CSharpScripts O2 module. In addition to the normal .NET debug features (start debugged sessions, attached running process, break, step into, step out & step over code, view & edit memory variables, etc...) a number of additional features where implemented: Animated stepping (ala Ollydbg);List of running .net Modules and mass auto breakpoint creation; execution code recording; auto breakpoing hook and run (for the cases where no Debug symbols are available); callbacks into scripted code (which is the feature that allow dynamic patching)
• Added support for Dynamic Patching of .NET code (aka WAF patch). Very useful for PoC creation and proactive demonstration to developers on what they need to do to fix their code.
• Complete rewrite of O2 CIR data support module, with better interfaces to import and manipulate CIR data. This module is also able to directly create CIR from .NET assemblies. There is also an simple O2 module (called “O2 CirViewer”) which can be used to quickly view CirData files
• Moved all Ounce Labs dependent code into independent modules: O2_ImportExport_OunceLabs, O2_Legacy_OunceV6, O2_External_OunceLabsCLI and O2_Rules_OunceLabs.
• More Unit tests and Major refactoring (added extended support for O2 GUI automation using Unit tests)
• More GUI changes to make O2 more user friendly

Following the crazy period above, I slowed down a bit, and 'only' did the following O2 related work in April 2009

• Created new Command Line tool: O2_CmdFindingsFilter (driven by customer requirements)
• Created MSI installers for all major O2 modules
• Major changes to Join Traces modules (there is a new simplified mode and a .NET Webservices join traces wizard (used by Bruce and Ian of several PoCs))
• Implemented first version of new rules manager which contains a number of very following powerful features: new O2RulePack scriptable object, Visualization of rules, export and import of rules
• Added support for Findings creation from CIR data
• Multiple updates to existing modules (for example DotNetCallbacks maker, HostLocalSite)
• Started writing PoC to analyze WSDL files (for automatic callback creation)

(under development)

Spring.NET rocks!

I have been several time exposed to Java Apps built on top of the Spring Framework  (there is basic Spring MVC analyzer O2 module) and have always been impressed on the quality of the code and application architecture that developers who use it create.

After a bit of research over christmas (where I read the SpringNet documentation) I was converted to the concept that O2 should be built on top of SpringNet (there is too many good things about it, but the one I really, really want to use it to, is to decouple the O2 modules and use DI (Dependency Injection) to configure them).

So here is my first attempt at making it work (check out the latest code drop for the rest of the code).

The code sample below are from a new ScanQueue module that I'm working on:

program.cs

using System;
using o2.core.SpringNet;

namespace o2.Tool.ScanQueue
{
    static class Program
    {        
        [STAThread]
        static void Main()
            {
            SpringExec.loadDefaultConfigFile();
            //SpringExec.loadConfigAndStartGUI("O2_Tool_ScanQueue.xml");
        }
    }
}

SpringNet.cs - code that loads the Xml config file and creates the Spring context

public class SpringExec
    {
        public static void loadDefaultConfigFile()
        {
            var configFile = Path.Combine(Config.sCurrentExecutableDirectory, Config.getCurrentExecutableFileName() + ".xml");
            loadConfigAndStartGUI(configFile);
        }

        public static void loadConfigAndStartGUI(String springConfigFileToLoad)
        {
            try
            {
                if (false == File.Exists(springConfigFileToLoad))
                {
                    var errorMessage = "Could not find SpringNet config file: " + springConfigFileToLoad;
                    DebugMsg._Error(errorMessage);
                    DebugMsg.showMessageBox(errorMessage);
                    return;
                }

                Application.EnableVisualStyles();                           // need to setup these here or we will have an error if we try to create windows objects via DI
                Application.SetCompatibleTextRenderingDefault(false);

                new XmlApplicationContext(new[] { springConfigFileToLoad });                
            }
            catch (Exception ex)
            {
                DebugMsg._Error("In LoadConfig: {0}", ex.Message);
            }            
        }

Spring Xml Config file - this should be the name of the O2 Module executable + ".xml"

<objects xmlns="http://www.springframework.net" >

  <object id="main" type="o2.core.core.O2DockPanel, O2_CoreLib">
    <constructor-arg>
      <list element-type="o2.core.core.O2DockContent, O2_CoreLib"> 
            <object type="o2.core.core.O2DockContent, O2_CoreLib" >
                   <constructor-arg name="controlToLoad" value="o2.Tool.ScanQueue.Ascx.ascx_ScanQueue"/>
            </object>
            <ref local="LogViewer"/>
            <ref local="TempDirectory"/>
     </list>
   </constructor-arg>
  </object>


  <object id="LogViewer" type="o2.core.core.O2DockContent, O2_CoreLib" >
    <constructor-arg name="controlToLoad" value="o2.core.ascx.ascx_LogViewer"/>
    <constructor-arg name="controlDockState" value="DockRightAutoHide"/>
    <constructor-arg name="controlName" value="O2 Log"/>
  </object>


  <object id="TempDirectory" type="o2.core.core.O2DockContent, O2_CoreLib" >
     <constructor-arg name="controlToLoad" value="o2.core.ascx.ascx_Directory, O2_DataViewers"/>
     <constructor-arg name="controlDockState" value="DockLeftAutoHide"/>
     <constructor-arg name="controlName" value="O2 Temp Files"/>
  </object>

  <object id="WebBrowser" type="o2.core.core.O2DockContent, O2_CoreLib">
     <constructor-arg name="controlToLoad" value="o2.core.ascx.ascx_WebBrowser, O2_DataViewers"/>
     <constructor-arg name="controlDockState" value="DockLeftAutoHide"/>
  </object>
</objects>