Facebook Mariana Trench Helps Developers Find Vulnerabilities in Android and Java Apps

Recently open-sourced by Facebook, Mariana Trench (MT) aims to help developers identify and prevent security and privacy bugs in Android and Java applications.

MT is designed to scan large mobile codebases and flag potential issues on pull requests before they make it into production. It was built through close collaboration between security and software engineers at Facebook, who train MT to look at code and analyze how data flows through it.

The key idea behind Mariana Trench is that many privacy issues and vulnerabilities can be modeled as data flow problems, i.e., data reaching places where it should not go. This approach is shared by other tools developed at Facebook such as Zoncolan and Pysa, which focus on Hack and Python code respectively.

A data flow in MT is described by a source and a sink. A codebase can have many such sources and sinks, and MT is able to find potential paths from a source to its corresponding sink using a static analysis technique known as abstract interpretation. To use MT, engineers specify where sensitive data enters the system, e.g., the filesystem, and where it is not meant to go, e.g., a log file, an API, and so on. This process requires some amount of fine-tuning as well as a thorough review of all identified issues, including a potentially large number of false positives.

In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives. This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.

This triage will eventually lead to the identification of a set of rules that can be run on every PR.

An important role in this process is played by result review and analysis, which is made easier by Facebook Static Analysis Post Processor (SAPP), another open-source tool by Facebook that is able to interpret MT raw output and show how data can go from a source to a sink. The image below shows what a SAPP trace can look like:

In the example above, Mariana Trench found a remote code execution in MajorActivity.onCreate, with data coming from Activity.getIntent and flowing into the constructor of ProcessBuilder.
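To make the reported flow concrete, the following is an added example (not code from the original article or from the Mariana Trench project) that reconstructs the kind of source-to-sink path described above in plain Android Java. The class name MajorActivity and the source and sink (Activity.getIntent and the ProcessBuilder constructor) are taken from the text; the extra name "command", the action table and the helper method names are assumptions made for the example.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Constructed example: an Intent extra (MT source) reaching the
// ProcessBuilder constructor (MT sink), beside a hardened variant that
// breaks the data flow. Extra name and action table are assumptions.
public class MajorActivity extends Activity {

    private static final String TAG = "MajorActivity";
    private static final String EXTRA_COMMAND = "command"; // assumed extra name

    // Fixed argv for each action the app really needs. The tainted value is
    // only ever used as a lookup key; nothing from the Intent is executed.
    private static final Map<String, String[]> ACTIONS = new HashMap<>();
    static {
        ACTIONS.put("whoami", new String[] {"id"});
        ACTIONS.put("kernel", new String[] {"uname", "-r"});
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // SOURCE: Activity.getIntent() returns data controlled by whoever sent
        // the Intent. If the activity is exported, that is any app on the device.
        Intent intent = getIntent();
        String command = intent.getStringExtra(EXTRA_COMMAND);
        if (command == null) {
            return;
        }
        // This is the path MT reports: source -> runVulnerable -> sink.
        runVulnerable(command);
    }

    // Vulnerable: the attacker-controlled string flows unchanged into the
    // ProcessBuilder constructor (SINK) and is interpreted by a shell.
    private void runVulnerable(String command) {
        try {
            new ProcessBuilder("sh", "-c", command).start();
        } catch (IOException e) {
            Log.e(TAG, "exec failed", e);
        }
    }

    // Hardened: the Intent value selects a constant argv from an allowlist
    // and never reaches the sink. No shell is involved, so metacharacters
    // in the input are irrelevant. Unknown actions are rejected and logged.
    private void runHardened(String action) {
        String[] argv = ACTIONS.get(action);
        if (argv == null) {
            Log.w(TAG, "rejected unknown action from Intent");
            return;
        }
        try {
            new ProcessBuilder(argv).start();
        } catch (IOException e) {
            Log.e(TAG, "exec failed", e);
        }
    }
}
```

Replacing the runVulnerable call in onCreate with runHardened removes the path from the getIntent source to the ProcessBuilder sink, which is exactly the kind of change a tool like MT lets a reviewer verify rather than trust. Two caveats for anyone trying this: MT analyzes the compiled Dalvik bytecode, so the app has to be built into an APK before it can be scanned, and spawning a process from an Activity at all is rarely necessary; if the action can be done through an Android API instead, that removes the sink entirely.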

Mariana Trench is available on GitHub as well as on PyPI. As mentioned, MT can be run on any Java repository and is not restricted to Android apps only.
