ThreadFix has several modules, including one for Hybrid Analysis Mapping (HAM). Packaging HAM as its own module gives us a good degree of flexibility in several areas:
1. Decoupling data types from ThreadFix allows database-free unit testing
2. The module can be pulled into a small command line frontend
3. We are able to include HAM functionality in our plugins for Java products
When building HAM functionality, I realized that I would need a lot of unit tests in order to ensure that the parsers remained functional. This also meant I could verify the HAM engine against a lot of different projects very quickly. The complicated and behind-the-scenes nature of the HAM library makes unit testing very valuable.
Each HAM integration has a few different types of unit test.
In Spring MVC, there are a variety of files that we need to parse in order to generate the application's attack surface. The HAM engine contains a parser for each one, which means that we need to unit test each one individually. I built tests for a variety of example files intended to exercise different parts of each parser. When I found a file that broke a parser, I added that file to the suite as another unit test. The tests simply run the parser against the file and verify that the resulting data structures are correct. This also allowed me to edit the files to test specific corner cases, such as the different syntaxes for Java annotations and things of that nature.
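As an added illustration of the kind of parser those unit tests exercise (example code written for this post, not ThreadFix's or HAM's own), the routine below extracts the Spring MVC attack surface from one controller file and handles the annotation variants mentioned above: a class-level prefix, bare strings versus `value =`/`path =`, brace arrays, an explicit `method =` list, and the `@GetMapping`/`@PostMapping` shorthands. The controller source is constructed sample input.

```python
import re
# Constructed sample input (not from the ThreadFix code base): one Spring MVC
# controller mixing the annotation styles an attack-surface parser must cope with.
SAMPLE_CONTROLLER = '''
@Controller
@RequestMapping("/users")
public class UserController {
    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public String show(@PathVariable int id) { return "user"; }
    @RequestMapping(value = {"/new", "/create"}, method = {RequestMethod.GET, RequestMethod.POST})
    public String create() { return "form"; }
    @PostMapping("/{id}/delete")
    public String delete(@PathVariable int id) { return "redirect:/users"; }
    @GetMapping
    public String index() { return "list"; }
}
'''

# @RequestMapping plus the HTTP-verb shorthands, with or without an argument list.
MAPPING = re.compile(r"@(RequestMapping|(Get|Post|Put|Delete|Patch)Mapping)\s*(?:\(([^)]*)\))?")

def _attr(args, name):
    # Raw text of `name = ...`: either a {brace array} or everything up to the next comma.
    m = re.search(r"\b" + name + r"\s*=\s*(\{[^}]*\}|[^,]+)", args)
    return m.group(1) if m else None

def _paths(args):
    # Accept a bare string, value=/path=, and brace arrays; no path at all means "".
    raw = _attr(args, "value") or _attr(args, "path")
    if raw is None and "=" not in args:
        raw = args  # bare form: @RequestMapping("/x")
    return re.findall(r'"([^"]*)"', raw or "") or [""]

def _join(prefix, path):
    return (prefix.rstrip("/") + "/" + path.lstrip("/")).rstrip("/") or "/"

def spring_endpoints(source):
    """Sorted (METHOD, path) pairs a controller exposes; assumes one class per file."""
    class_pos = re.search(r"\bclass\b", source).start()
    prefix, endpoints = "", set()
    for m in MAPPING.finditer(source):
        verb, args = m.group(2), m.group(3) or ""
        paths = _paths(args)
        if m.start() < class_pos:  # class-level mapping only supplies the prefix
            prefix = paths[0]
            continue
        # Shorthand annotations fix the verb; otherwise read method=, defaulting to ANY.
        methods = [verb.upper()] if verb else re.findall(r"RequestMethod\.(\w+)", _attr(args, "method") or "") or ["ANY"]
        endpoints.update((v, _join(prefix, p)) for v in methods for p in paths)
    return sorted(endpoints)
```

Each annotation variant in the sample is the kind of corner case that earns its own fixture file in a parser test suite; `spring_endpoints(SAMPLE_CONTROLLER)` yields seven (method, path) pairs under the `/users` prefix.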
In addition to the single parsers, we needed to test the code that combines their results into an attack surface. These tests run the generic HAM database generator against as many open source projects for each framework as we could find, forcing us to handle the different configuration methods each framework allows. This surfaced a ton of bugs. For example:
1. Spring offers an XML-free way to configure the application. We now support this because I added some open source projects that use it to the unit test suite.
2. Spring allows users to put their configuration in arbitrarily named XML files, so we made the parser support all of them.
3. .NET WebForms allows a wide variety of formats for its pages. We now support all the ones I could find in the Microsoft examples.
I discovered a TON of bugs by using the unit tests. Source code parsing is complicated.
That was pretty cool, because I didn’t have a lot of QA help on this section of ThreadFix. I was also able to verify that those bugs were fixed and stayed fixed. I highly recommend having a robust unit test suite.
Once HAM was in its own module, we were able to build a command-line version of the HAM parser fairly easily. This command-line tool doesn't carry any of the baggage of the full ThreadFix webapp, so it's fast and relatively small. The tool takes one argument, the base directory of the application. It figures out which framework the application uses and prints out its attack surface. Hurray! Users can now access HAM functionality without needing to install ThreadFix or run a server.
More information is available on the wiki page.
Perhaps the coolest use of the HAM module comes in the form of a feature in the Burp and ZAP plugins (AppScan is on its way). With the ThreadFix plugins, these scanners can now generate the application's attack surface and then use it to perform a better scan, all without a running ThreadFix server. Security professionals pressed for time can still benefit from the advantages HAM affords dynamic scanners, as long as they have access to the source code.
More information is available on the scanner wiki page.
Do you have an idea for something that might benefit from this type of source analysis? Let us know! We’d love to build out more tools with the HAM technology.