Facebook unveiled few days ago he released the open source static analyzer, Mariana Trench, which is intended to identify vulnerabilities in Android applications and Java programs.
At the ability to analyze projects without source codes is provided, for which only the bytecode for the Dalvik virtual machine is available. Another advantage is the very high speed of execution (the analysis of several million lines of code takes about 10 seconds), which allows you to use Mariana Trench to check all the proposed changes as they are introduced.
The analyzer was developed as part of a project to automate the code review process source of mobile applications from Facebook, Instagram and Whatsapp.
We share details about Mariana Trench (MT), a tool we use to detect and prevent security and privacy errors in Android and Java applications. As part of our effort to help scale security through building automation, we recently opened MT to support security engineers on Facebook and across the industry.
This post is the third in our series of deep dives into static and dynamic analysis tools we trust. MT is the latest system, following Zoncolan and Pysa, built for Hack and Python code respectively.
In the first half of 2021, half of all vulnerabilities in Facebook mobile applications were identified using automated analysis tools. Mariana Trench's code is closely intertwined with other Facebook projects, for example, the Redex bytecode optimizer operation is used to analyze bytecode and the SPARTA library is used for visual interpretation and study of results. static analysis.
Potential vulnerabilities and security issues are identified by analyzing data flows during the execution of the application, which allows to identify situations in which raw external data is processed in dangerous constructs, such as SQL queries, file operations, and calls that lead to the launch of external programs.
MT is designed to be able to scan large mobile code bases and pinpoint potential problems in pull requests before they go into production. It was created as a result of close collaboration between Facebook's security and software engineers, who train MT to look at the code and analyze how data flows through it. Analyzing data flows is useful because many security and privacy issues can be modeled as data flowing where it shouldn't.
The analyzer's job is reduced to determining data sources and dangerous calls, where the original data should not be used: The parser monitors the passage of data through the chain of function calls and connects the initial data to potentially dangerous places in the code.
Since in MT, a data flow can be described by:
- Source: a point of origin. This can be a string controlled by the user entering the application through `Intent.getData`.
- Sink: a destination. On Android, this can be a call to `Log.w` or` Runtime.exec`. For example, data from a call to Intent.getData is considered a source to monitor, and calls to Log.w and Runtime.exec are considered dangerous uses.
A large code base can contain many different types of sources and corresponding receivers. We can tell MT to show us specific flows by defining rules.
A rule could specify, for example, that we want to find intent redirects (problems that allow attackers to intercept sensitive data) by defining a rule that shows us all traces from "user-controlled" sources to a sink of " redirects of intentions.
Finally if you are interested in knowing more about it, you can check the details in the following link.