|Facebook Open Sources Mariana Trench|
|Written by Kay Ewbank|
|Friday, 15 October 2021|
Facebook has open sourced Mariana Trench, a tool used at Facebook to identify and prevent security and privacy bugs in Android and Java applications.
The tool is described on GitHub as "a security focused static analysis platform targeting Android". While Mariana Trench is aimed at Java, Facebook has recently described other tools, specifically Zoncolan and Pysa, that are used for similar purposes for Hack and Python code respectively.
Describing Mariana Trench, Facebook's Dominik Gabi said that the company's mobile applications, including Facebook, Instagram, and WhatsApp, run on millions of lines of code. To handle code at that volume, the company needed systems that help security engineers detect and review code for potential issues, rather than relying on manual code review alone:
"In the first half of 2021, over 50 percent of the security vulnerabilities we found across our family of apps were detected using automated tools."
Mariana Trench is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production. It was built as a result of close collaboration between security and software engineers at Facebook who train MT to look at code and analyze how data flows through it. Gabi said that analyzing data flows is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn’t.
In Mariana Trench, data flows are specified in terms of a source and a sink. The source is a point of origin, such as a user-controlled string entering the app; the sink is the destination, which on Android could be a call into the runtime or into a logging API.
Mariana Trench lets users specify rules describing the data flows of interest. Security analysts might, for example, look for "intent redirections", flows that allow attackers to intercept sensitive data. Another example is SQL injection, where text entered into one of the Android apps shouldn't end up at an API that constructs SQL queries.
Mariana Trench finds possible paths from each source to its corresponding sink, by computing a model for each Java method it sees in the codebase. The models are computed using a static analysis technique called abstract interpretation.
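To make the source/sink/model idea concrete, the following is an added illustration and not code from Mariana Trench or Facebook: a toy interprocedural taint analysis in Python. The mini-IR, the method and kind names (`UserInput`, `SqlQuery`, `onCreate`, `runQuery`, and so on), the rule format and the sample program are all constructed for this example. Each method gets a model summarising how taint moves through it, that model is reused at every call site instead of re-analysing the callee, and an issue is reported in the method where a source and a sink meet, mirroring the SQL injection example above.

```python
"""Toy per-method taint models and source-to-sink path finding.

Added example, not Mariana Trench's engine or rule format. The IR below is
constructed for illustration (it is not Dalvik bytecode):
  ("source", dst, kind)          dst = untrusted input of the given kind
  ("assign", dst, src)           dst = src
  ("sanitize", dst, src)         dst = sanitized(src); taint is dropped
  ("sink", src, kind)            src flows into a sink of the given kind
  ("call", dst, callee, args)    dst = callee(*args)
  ("return", src)                method returns src
Taint labels are ("source", kind) or ("param", index).
"""
from dataclasses import dataclass, field

# Constructed rules: a flow matters when its source kind and sink kind both match.
RULES = [
    {"name": "User input reaches SQL query", "sources": {"UserInput"}, "sinks": {"SqlQuery"}},
    {"name": "User input reaches command execution", "sources": {"UserInput"}, "sinks": {"CommandExec"}},
]


@dataclass
class Model:
    """Summary of one method, computed once and reused at every call site."""
    return_taint: set = field(default_factory=set)  # labels that reach the return value
    sink_hits: set = field(default_factory=set)     # (label, sink_kind) pairs reached inside


def _expand(label, env, args):
    """Map a callee label onto the caller: parameters become the actual argument's taint."""
    if label[0] == "param":
        return env.get(args[label[1]], set())
    return {label}


def analyze(program, name, models):
    """Compute (and memoise) the Model of `name`, analysing callees on demand."""
    if name in models:
        return models[name]
    params, body = program[name]
    model = Model()
    models[name] = model  # recursive calls see the partial model (a deliberate simplification)
    env = {p: {("param", i)} for i, p in enumerate(params)}
    for stmt in body:
        op = stmt[0]
        if op == "source":
            env[stmt[1]] = {("source", stmt[2])}
        elif op == "assign":
            env[stmt[1]] = set(env.get(stmt[2], set()))
        elif op == "sanitize":
            env[stmt[1]] = set()
        elif op == "sink":
            for label in env.get(stmt[1], set()):
                model.sink_hits.add((label, stmt[2]))
        elif op == "call":
            _, dst, callee, args = stmt
            cm = analyze(program, callee, models)
            env[dst] = set().union(*(_expand(l, env, args) for l in cm.return_taint))
            # Only parameter-labelled hits are re-homed into the caller; source-labelled
            # hits are complete flows already reported at the callee.
            for label, kind in cm.sink_hits:
                if label[0] == "param":
                    model.sink_hits |= {(l, kind) for l in _expand(label, env, args)}
        elif op == "return":
            model.return_taint |= env.get(stmt[1], set())
    return model


def find_issues(program):
    """Return sorted (rule name, method) pairs where a rule's source meets its sink."""
    models, issues = {}, set()
    for name in program:
        for label, sink_kind in analyze(program, name, models).sink_hits:
            if label[0] != "source":
                continue
            for rule in RULES:
                if label[1] in rule["sources"] and sink_kind in rule["sinks"]:
                    issues.add((rule["name"], name))
    return sorted(issues)


# Constructed sample program: an intent extra flowing into a SQL query helper.
PROGRAM = {
    "getExtra": ([], [("source", "s", "UserInput"), ("return", "s")]),
    "buildQuery": (["name"], [("assign", "q", "name"), ("return", "q")]),  # propagates param 0
    "runQuery": (["sql"], [("sink", "sql", "SqlQuery")]),                  # param 0 hits a sink
    "onCreate": ([], [
        ("call", "user", "getExtra", []),
        ("call", "q", "buildQuery", ["user"]),
        ("call", "_", "runQuery", ["q"]),       # flagged: UserInput -> SqlQuery
    ]),
    "onCreateSafe": ([], [
        ("call", "user", "getExtra", []),
        ("sanitize", "bound", "user"),          # e.g. bound as a query parameter
        ("call", "_", "runQuery", ["bound"]),   # not flagged
    ]),
}

if __name__ == "__main__":
    for rule_name, method in find_issues(PROGRAM):
        print(f"{method}: {rule_name}")
```

The caveat practitioners should keep in mind is the "sanitize" step: the toy drops taint unconditionally, whereas a real analysis has to be told which APIs are genuine sanitizers for which sink kinds, and an over-broad sanitizer model is exactly how true positives disappear from the results.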
Rules are refined to produce "high signal" results and keep false positives down, though Gabi says that when using Mariana Trench at Facebook they prioritize finding more potential issues, even if that means showing more false positives:
"This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production."
Once a rule has been created and has proved effective, it is promoted to run on every pull request, and when it finds a data flow that violates the rule, the flow is brought to the attention of the security engineers.
In addition to building the static analysis systems, Facebook has also created an open source tool to review and analyze the results produced. This is the Static Analysis Post Processor (SAPP).
SAPP takes the raw output from Mariana Trench and Pysa, and visually demonstrates how data can potentially flow from source to sink so it is easier for experts to quickly evaluate whether they agree with the tool’s assessment.
Both Mariana Trench and SAPP are available on GitHub now.
|Last Updated ( Friday, 15 October 2021 )|