Mariana Trench (MT) was recently released as open source by Facebook and is designed to help developers find and prevent security and privacy bugs in Android and Java applications.
MT is designed to scan large mobile code bases and flag potential problems in pull requests before they reach production. It was developed through close collaboration between security and software engineers at Facebook, who train MT to look at code and analyze how data flows through it.
The core idea behind Mariana Trench is that many data protection and security issues can be modeled as data flow problems, that is, data reaching places where it should not. The same approach is shared by other tools developed at Facebook, Zoncolan and Pysa, which target Hack and Python code respectively.
A data flow in MT is described by a source and a sink. A code base can contain many such sources and sinks, and MT finds possible paths from a source to its corresponding sink using a static analysis technique known as abstract interpretation. To use MT, engineers specify where sensitive data enters the system, e.g. the file system, and where it must not go, e.g. a log file, an API, etc. This process requires some fine-tuning as well as a thorough review of the problems flagged, which may include a potentially large number of false positives.
When using MT at Facebook, we care about finding more potential issues, even if it means surfacing more false positives. This is because we care about edge cases: data flows that are theoretically possible and exploitable, but rarely occur in production.
This triage eventually yields a set of rules that can be run on every PR.
An important role in this process is played by reviewing and analyzing the results, which is facilitated by the Static Analysis Post Processor (SAPP), another open source tool from Facebook that interprets MT's raw output and shows how data can get from a source to a sink. The following figure shows what a SAPP trace can look like:
In the example above, Mariana Trench found a remote code execution in MainActivity.onCreate, with data coming from Activity.getIntent and flowing into the constructor of
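The source/sink modeling, per-method inference and source-to-sink trace described above, as an added example that is not Mariana Trench's own code, IR or configuration format: a toy interprocedural taint analysis in Python over a hand-written intermediate representation. Library methods get declared source and sink models, every method with a body gets an inferred model (return-value sources, parameter sinks) by iterating to a fixpoint, and an issue is reported where a rule's source kind meets its sink kind, printed as a SAPP-style trace. All method names, the IR, the model and rule layouts, and the taint-in-taint-out default for unmodeled library calls are constructed assumptions for the illustration.

```python
"""Toy Mariana-Trench-style taint analysis (constructed illustration, not MT code)."""
from collections import defaultdict

# Toy IR, one list of statements per method (all names are constructed):
#   ("call", dest_var_or_None, callee, [arg_vars])   args[i] plays the role of Argument(i)
#   ("assign", dest_var, src_var)
#   ("return", var_or_None)
# Inside a body, parameter i is the variable "p<i>".
PROGRAM = {
    "MainActivity.onCreate": [
        ("call", "intent", "Activity.getIntent", ["this"]),
        ("call", "cmd", "Intent.getStringExtra", ["intent", "key"]),
        ("call", None, "Helper.run", ["cmd"]),        # code execution reached via a wrapper
        ("call", "digest", "Helper.hash", ["cmd"]),
        ("call", None, "Log.d", ["tag", "digest"]),   # safe: hash returns fresh data
        ("call", None, "Log.d", ["tag", "cmd"]),      # raw user input written to the log
    ],
    "Helper.run": [("call", None, "Runtime.exec", ["rt", "p0"]), ("return", None)],
    "Helper.hash": [("assign", "out", "lit"), ("return", "out")],  # kills the taint
}

# Declared models: where sensitive data enters (sources) and where it must not go (sinks).
MODELS = {
    "Activity.getIntent": {"sources": {"Return": "ActivityUserInput"}},
    "Runtime.exec": {"sinks": {"Argument(1)": "CodeExecution"}},
    "Log.d": {"sinks": {"Argument(1)": "Logging"}},
}

# Rules pair source kinds with sink kinds; a match inside one method is an issue.
RULES = [
    {"code": 1, "name": "User input flows into code execution",
     "sources": {"ActivityUserInput"}, "sinks": {"CodeExecution"}},
    {"code": 2, "name": "User input written to the log",
     "sources": {"ActivityUserInput"}, "sinks": {"Logging"}},
]

EMPTY = {"sources": frozenset(), "sinks": {}}


def _append(trace, frame):   # traces never repeat a frame, so recursion stays finite
    return trace if frame in trace else trace + (frame,)


def _prepend(trace, frame):
    return trace if frame in trace else (frame,) + trace


def _summary_from_model(name, model):
    """Turn a declared model into the same summary shape the analysis infers."""
    sources = frozenset((kind, (name,)) for port, kind in model.get("sources", {}).items()
                        if port == "Return")
    sinks = defaultdict(set)
    for port, kind in model.get("sinks", {}).items():
        sinks[int(port[len("Argument("):-1])].add((kind, (name,)))
    return {"sources": sources, "sinks": {i: frozenset(s) for i, s in sinks.items()}}


def _analyze_method(name, body, summaries, program, rules):
    """One abstract-interpretation pass: taint per variable plus the method's own model."""
    taint = defaultdict(set)        # var -> {(source_kind, source_trace)}
    param_sinks = defaultdict(set)  # parameter index -> {(sink_kind, sink_trace)}
    ret_sources, issues = set(), set()
    for stmt in body:
        if stmt[0] == "assign":
            taint[stmt[1]] |= taint[stmt[2]]
        elif stmt[0] == "return" and stmt[1] is not None:
            ret_sources |= {(k, _append(tr, name)) for k, tr in taint[stmt[1]]}
        elif stmt[0] == "call":
            _, dest, callee, args = stmt
            callee_sum = summaries.get(callee, EMPTY)
            for idx, arg in enumerate(args):
                for sink_kind, sink_trace in callee_sum["sinks"].get(idx, ()):
                    for src_kind, src_trace in taint[arg]:   # source meets sink here
                        for rule in rules:
                            if src_kind in rule["sources"] and sink_kind in rule["sinks"]:
                                issues.add((rule["code"], name, src_trace, sink_trace))
                    if arg.startswith("p") and arg[1:].isdigit():   # parameter reaches a sink
                        param_sinks[int(arg[1:])].add((sink_kind, _prepend(sink_trace, name)))
            if dest is not None:
                taint[dest] |= set(callee_sum["sources"])
                if callee not in program and callee not in summaries:
                    # Assumption: an unmodeled library call propagates argument taint to its result.
                    for arg in args:
                        taint[dest] |= taint[arg]
    return {"sources": frozenset(ret_sources),
            "sinks": {i: frozenset(s) for i, s in param_sinks.items()}}, issues


def analyze(program=PROGRAM, models=MODELS, rules=RULES):
    """Infer a model for every method until nothing changes, then return models and issues."""
    summaries = {n: _summary_from_model(n, m) for n, m in models.items()}
    while True:
        changed, issues = False, set()
        for name, body in program.items():
            summary, found = _analyze_method(name, body, summaries, program, rules)
            issues |= found
            if summaries.get(name) != summary:
                summaries[name], changed = summary, True
        if not changed:
            return summaries, issues


def format_trace(issue):
    """Render an issue the way a SAPP trace reads: source ... issue method ... sink."""
    code, method, src_trace, sink_trace = issue
    return f"[rule {code}] in {method}: " + " -> ".join(src_trace + (method,) + sink_trace)


if __name__ == "__main__":
    for issue in sorted(analyze()[1]):
        print(format_trace(issue))
```

Two things in the output are worth noting. The code execution finding is only visible from MainActivity.onCreate because Helper.run was first given an inferred sink on its parameter; that is why the fixpoint loop exists. And Log.d of the hashed value produces nothing, because Helper.hash returns fresh data, whereas logging the raw intent value is reported under rule 2.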
Mariana Trench is available on both GitHub and PyPI. As mentioned earlier, MT can run on any Java repository and is not limited to Android apps.