Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.
Named after the deepest oceanic trench on Earth, Facebook built Mariana Trench internally to handle the analysis of applications at scale, to help significantly reduce the risk of delivering security and privacy errors in production.
Designed to automate code analysis, this is the third static and dynamic analysis tool that Facebook has made public, following the release of Zoncolan and Pysa in 2019 and 2020.
The tool (available on Github) can scan large mobile codebases to identify potential flaws on pull requests and has already been trained by Facebook’s security and software engineers.
Facebook said Mariana Trench works much like Zoncolan and Pysa (which target Hack and Python code, respectively), with the main difference being its optimization for Android and Java applications (through Dalvik bytecode analysis).
According to Facebook, the tool can be customized to hunt for specific vulnerabilities only, even in large codebases, by simply defining rules to tell it where data comes from and where it shouldn’t go.
“A rule could specify, for example, that we want to find intent redirections (issues that allow attackers to intercept sensitive data) by defining a rule that shows us all traces from ‘user-controlled’ sources to an ‘intent redirection’ sink,” the social media giant said.
Part of a broader defense-in-depth approach at Facebook, the tool relies on abstract interpretation (static analysis method) to identify possible paths from each source to its sink.
Results produced by Mariana Trench can be reviewed and analyzed using a standalone processing tool called Static Analysis Post Processor (SAPP), which Facebook first detailed at DefCon last year and which was designed to “visually demonstrate how data can potentially flow from source to sink so it is easier for experts to quickly evaluate whether they agree with the tool’s assessment.”
By illustrating data flow step-by-step, SAPP makes it easy for security engineers to walk through possible paths. However, it can also group traces that are materially similar, and enables engineers to filter and search through results.
Facebook has published a tutorial to help engineers get started with the tool.