Mariana Trench, Facebook's open-source static code analyzer

Facebook announced a few days ago the release of an open-source static analyzer, Mariana Trench, intended for finding vulnerabilities in Android applications and Java programs.

It can analyze applications without their source code, when only the bytecode for the Dalvik virtual machine is available. Another advantage is its high execution speed (analyzing several million lines of code takes about 10 seconds), which makes it possible to use Mariana Trench to check every proposed change as it is submitted.

The analyzer was developed as part of a project to automate code review for the Facebook, Instagram and WhatsApp mobile applications.

We are sharing details about Mariana Trench (MT), a tool we use to find and prevent security and privacy bugs in Android and Java applications. As part of our effort to help scale security through automation, we recently open-sourced MT to support security engineers at Facebook and across the industry.

This post is the third in a series of deep dives into the static and dynamic analysis tools we rely on. MT is the newest system, following Zoncolan and Pysa, which were built for Hack and Python code respectively.

In the first half of 2021, half of the vulnerabilities found in Facebook's mobile applications were discovered with automated analysis tools. The Mariana Trench code base is tied to other Facebook projects: for example, the Redex bytecode optimizer is used to parse the bytecode, and the SPARTA library is used to interpret and visualize the static analysis results.

Potential vulnerabilities and security issues are detected by analyzing how data flows through the application as it executes, which makes it possible to identify situations in which unvalidated external data reaches dangerous constructs such as SQL queries, file operations, and calls that launch external programs.

MT is designed to scan large mobile code bases and flag potential issues in pull requests before they reach production. It was created through collaboration between Facebook's security and software engineers, who train MT to inspect code and analyze how data flows through it. Analyzing data flow is useful because many security and privacy issues can be modeled as data flowing to where it should not.

The analyzer's job comes down to identifying the sources of data and the dangerous calls in which that data must not be used: it tracks the data as it passes through a chain of function calls and links the original data to the dangerous places in the code.

In MT, a data flow is described by:

  • Source: the origin of the data. This can be, for example, a string the user passes into the application through `Intent.getData`.
  • Sink: the destination. On Android, this can be a call to `Log.w` or `Runtime.exec`. In this example, data returned from a call to `Intent.getData` is treated as a tracked source, and calls to `Log.w` and `Runtime.exec` are treated as dangerous uses.

A large code base can contain many different kinds of sources and corresponding sinks. We can tell MT to show us specific flows by defining rules.

A rule might specify, for example, that we want to find intent redirections (issues that allow attackers to intercept sensitive data) by declaring that MT should show us every flow from a "user-controlled" source to an "intent redirection" sink.
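To make the source, sink and rule model concrete, here is a constructed toy interprocedural taint tracker (an added example, not Mariana Trench's own code or its model format; the tiny program, its IR and the kind names are assumptions) that reports a flow from `Intent.getData` to `Log.w` or `Runtime.exec` only when a rule names that source/sink pair.

```python
from typing import Dict, List, Set, Tuple

# Constructed toy program in a tiny IR (not Mariana Trench's real input format):
# each method has parameter names, a body of (result_var, callee, arg_vars)
# statements (result_var is None when the value is unused) and a returned variable.
PROGRAM: Dict[str, dict] = {
    "MainActivity.onCreate": {
        "params": ["intent"],
        "body": [("data", "Intent.getData", ["intent"]),
                 ("cmd", "Helper.buildCommand", ["data"]),
                 (None, "Helper.run", ["cmd"]),
                 (None, "Log.w", ["data"])],
        "returns": None},
    "Helper.buildCommand": {"params": ["s"], "body": [("out", "String.concat", ["s"])], "returns": "out"},
    "Helper.run": {"params": ["c"], "body": [(None, "Runtime.exec", ["c"])], "returns": None},
}
# Source and sink models (callee -> kind), mirroring the post's Intent.getData, Log.w and
# Runtime.exec example. Rules say which source kinds must not reach which sink kinds.
SOURCES = {"Intent.getData": "UserInput"}
SINKS = {"Log.w": "Logging", "Runtime.exec": "CodeExecution"}
RULES = [{"name": "User input to code execution", "sources": {"UserInput"}, "sinks": {"CodeExecution"}},
         {"name": "User input logged", "sources": {"UserInput"}, "sinks": {"Logging"}}]

Finding = Tuple[str, str, str, str]  # (rule name, source kind, sink callee, call path)

def analyze(method: str, arg_taint: List[Set[str]], rules: list,
            findings: List[Finding], stack: Tuple[str, ...] = ()) -> Set[str]:
    """Interpret one method given the taint of its arguments; return the taint of its result."""
    m = PROGRAM[method]
    env: Dict[str, Set[str]] = dict(zip(m["params"], arg_taint))
    path = stack + (method,)
    for result, callee, args in m["body"]:
        taint = set().union(*(env.get(a, set()) for a in args))  # taint reaching this call
        if callee in SOURCES:                  # a source introduces a tracked kind
            taint = {SOURCES[callee]}
        elif callee in SINKS:                  # a sink: report every rule that matches
            for rule in rules:
                for kind in sorted(rule["sources"] & taint):
                    if SINKS[callee] in rule["sinks"]:
                        findings.append((rule["name"], kind, callee, " -> ".join(path)))
        elif callee in PROGRAM:                # callee inside the program: follow it
            taint = analyze(callee, [env.get(a, set()) for a in args], rules, findings, path)
        # any other callee is an unmodeled library method: assume it propagates argument taint
        if result is not None:
            env[result] = taint
    return env.get(m["returns"], set())

def scan(entry: str = "MainActivity.onCreate", rules: list = RULES) -> List[Finding]:
    """Run the analysis from an entry point whose own arguments are untainted."""
    findings: List[Finding] = []
    analyze(entry, [set() for _ in PROGRAM[entry]["params"]], rules, findings)
    return findings

if __name__ == "__main__":
    for rule, kind, sink, path in scan():
        print(f"[{rule}] {kind} reaches {sink} via {path}")
```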

Finally, if you are interested in learning more about it, you can check the details at the following link.

