The Facebook engineering team has open-sourced Mariana Trench (MT) — a tool that automatically finds security and privacy bugs in Android and Java applications.
In practice this means the mobile apps for Facebook, Instagram and WhatsApp, which comprise millions of lines of code and are constantly being revised.
They write, “To handle this volume of code, we build sophisticated systems that help our security engineers detect and review code for potential issues, rather than requiring them to rely on only manual code reviews.” In the first half of this year alone, 50 percent of the security gaps found by the team were detected by this automated system.
Mariana Trench is explicitly designed to scan a large code base and to identify possible problems before they are merged into the main branch. It searches for security gaps by tracking the flow of data through the application: many problems can be modelled as data reaching a place it should not go.
To use Mariana Trench, one describes where data originates (sources) and where it ends up (sinks); rules then specify which source-to-sink flows are security relevant. In its own use of the tool, Facebook does not focus on minimizing false positives. Rather, the team is initially interested in as many reports as possible, so that unusual data flows, which may occur only rarely in production use but can still be exploited, are noticed as well.
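The source-to-sink idea described above can be illustrated with a small taint-tracking analysis. The following is an added example, not code from Mariana Trench or Facebook: the program representation, the rule set and the method-to-kind tables (`IntentData`, `SqlQuery`, `Logging`, the callee names) are all hypothetical, constructed only to show how a rule pairs a source kind with a sink kind and how taint propagates through intermediate calls.

```python
"""Toy taint-tracking demonstration (added example; not Mariana Trench code).

A program is modelled as a straight-line list of (dest, callee, args) tuples.
Rules pair a source kind with a sink kind. The analysis propagates source
labels through assignments and calls and reports every sink call whose
argument carries a label that a rule forbids there.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source_kind: str
    sink_kind: str


# Hypothetical rules: "data of this kind must not reach a sink of that kind".
RULES = [
    Rule("Intent data to SQL", "IntentData", "SqlQuery"),
    Rule("Intent data to log", "IntentData", "Logging"),
]

# Hypothetical method-to-kind tables (in a real tool these come from models).
SOURCES = {"getIntent().getStringExtra": "IntentData"}
SINKS = {"db.rawQuery": "SqlQuery", "Log.d": "Logging"}
# Calls that are treated as removing taint from their result.
SANITIZERS = {"DatabaseUtils.sqlEscapeString"}


def analyze(program, rules=RULES):
    """Run the analysis over `program`, a list of (dest, callee, args).

    `dest` is the variable receiving the call result (None if unused) and
    `args` is the list of argument variables or literals.
    Returns a list of (rule name, instruction index) findings, in order.
    """
    taint = {}        # variable name -> set of source kinds it may carry
    findings = []
    for idx, (dest, callee, args) in enumerate(program):
        # Collect every source kind flowing in through the arguments.
        incoming = set()
        for arg in args:
            incoming |= taint.get(arg, set())

        # Sink check: any rule whose sink kind matches and whose source
        # kind is present in the incoming taint produces a finding.
        if callee in SINKS:
            for rule in rules:
                if rule.sink_kind == SINKS[callee] and rule.source_kind in incoming:
                    findings.append((rule.name, idx))

        # Propagation: by default every call passes its arguments' taint to
        # its result (an over-approximation, which favours recall over
        # precision); sources add their kind, sanitizers clear it.
        outgoing = set(incoming)
        if callee in SOURCES:
            outgoing.add(SOURCES[callee])
        if callee in SANITIZERS:
            outgoing = set()
        if dest is not None:
            taint[dest] = outgoing
    return findings


# Constructed sample program: an Android-style activity reading an Intent
# extra and using it in a log line and in two database queries.
PROGRAM = [
    ("name", "getIntent().getStringExtra", ['"name"']),
    ("greeting", "String.concat", ['"Hello "', "name"]),
    (None, "Log.d", ["TAG", "greeting"]),            # finding: Intent data to log
    ("safe", "DatabaseUtils.sqlEscapeString", ["name"]),
    (None, "db.rawQuery", ["safe"]),                 # no finding: sanitized
    (None, "db.rawQuery", ["greeting"]),             # finding: Intent data to SQL
]

if __name__ == "__main__":
    for rule_name, index in analyze(PROGRAM):
        print(f"{rule_name}: flow reaches sink at instruction {index}")
```

Propagating taint through every intermediate call, as `analyze` does, is what makes the analysis report the indirect flow via `greeting`; it is also why such an analysis over-reports, which matches the preference described above for catching rare flows at the cost of more reports to triage.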
The Facebook team has published further details and, above all, instructions on how to get started with Mariana Trench on a dedicated documentation website for the tool.
The source code is available on GitHub under the MIT license, and the project is also published as a Python package on PyPI.