Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?


Application Security

Facebook Open-Sources ‘Mariana Trench’ Code Analysis Tool

Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.

Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.

Named after the deepest oceanic trench on Earth, Facebook built Mariana Trench internally to handle the analysis of applications at scale, to help significantly reduce the risk of delivering security and privacy errors in production.

Designed to automate code analysis, this is the third static and dynamic analysis tool that Facebook has made public, following the release of Zoncolan and Pysa in 2019 and 2020.

The tool (available on Github) can scan large mobile codebases to identify potential flaws on pull requests and has already been trained by Facebook’s security and software engineers.

Facebook said Mariana Trench works much like Zoncolan and Pysa (which target Hack and Python code, respectively), with the main difference being its optimization for Android and Java applications (through Dalvik bytecode analysis).

According to Facebook, the tool can be customized to hunt for specific vulnerabilities only, even in large codebases, by simply defining rules to tell it where data comes from and where it shouldn’t go.

[READ: Microsoft Introduces Free Source Code Analyzer ]

“A rule could specify, for example, that we want to find intent redirections (issues that allow attackers to intercept sensitive data) by defining a rule that shows us all traces from ‘user-controlled’ sources to an ‘intent redirection’ sink,” the social media giant said.

Advertisement. Scroll to continue reading.

Part of a broader defense-in-depth approach at Facebook, the tool relies on abstract interpretation (static analysis method) to identify possible paths from each source to its sink.

Results produced by Mariana Trench can be reviewed and analyzed using a standalone processing tool called Static Analysis Post Processor (SAPP), which Facebook first detailed at DefCon last year and which was designed to “visually demonstrate how data can potentially flow from source to sink so it is easier for experts to quickly evaluate whether they agree with the tool’s assessment.”

By illustrating data flow step-by-step, SAPP makes it easy for security engineers to walk through possible paths. However, it can also group traces that are materially similar, and enables engineers to filter and search through results.

Facebook has published a tutorial to help engineers get started with the tool.

Related: Facebook Open Sources Analysis Tool for Python Code

Related: Microsoft Introduces Free Source Code Analyzer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.