Facebook opened the Mariana Trench static analyzer code

Facebook has released Mariana Trench, a new open-source static analyzer aimed at finding vulnerabilities in Android applications and Java programs. It can analyze projects for which no source code is available, only bytecode for the Dalvik virtual machine. It is also very fast (analyzing several million lines of code takes about 10 seconds), which allows Mariana Trench to check every proposed change as it arrives. The project code is written in C++ and distributed under the MIT license.

The analyzer was developed as part of an effort to automate source-code review for the Facebook, Instagram and WhatsApp mobile applications. In the first half of 2021, half of all vulnerabilities in Facebook's mobile apps were found with automated analysis tools. Mariana Trench's code is closely intertwined with other Facebook projects: for example, the Redex bytecode optimizer is used to parse the bytecode, and the SPARTA library (Facebook's abstract-interpretation toolkit) is used to interpret and study the results of the static analysis.

Potential vulnerabilities and privacy issues are identified through static data-flow (taint) analysis, which finds situations where unsanitized external data is processed in dangerous constructs such as SQL queries, file operations, and calls that execute external programs.

The analyzer's job boils down to defining data sources and the dangerous calls (sinks) in which data from those sources must not be used: it traces the data along the chain of function calls and links each source to the potentially dangerous places in the code it reaches. For example, data obtained from a call to Intent.getData is a source that needs to be traced, while the calls Log.w and Runtime.exec are treated as dangerous uses.
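To make the source-to-sink tracing concrete, here is an added toy interprocedural taint analysis in Python (not Mariana Trench's own code or model format) that follows Intent.getData through a helper method to the Runtime.exec and Log.w sinks named above; the call-statement encoding, the sample methods and the ShellEscape.quote sanitizer are constructed for the illustration.

```python
from collections import namedtuple

# Sources and sinks named in the article; the sanitizer is a hypothetical helper.
SOURCES = {"Intent.getData"}
SINKS = {"Runtime.exec": "CodeExecution", "Log.w": "InformationLeak"}
SANITIZERS = {"ShellEscape.quote"}

# Method: parameter names, (dest, callee, args) call statements, returned local.
Method = namedtuple("Method", "params stmts ret", defaults=(None,))

def analyze(prog, name, param_taint, path=()):
    """Return (sources reaching the return value, findings) for one method;
    findings are (source, sink kind, call path). Assumes an acyclic call graph."""
    m, path, findings = prog[name], path + (name,), []
    taint = {p: set(param_taint.get(p, ())) for p in m.params}
    for dest, callee, args in m.stmts:
        arg_taint = [taint.get(a, set()) for a in args]
        result = set().union(*arg_taint)        # default: a library call passes taint on
        if callee in SOURCES:
            result = {callee}                   # fresh taint enters here
        elif callee in SANITIZERS:
            result = set()                      # sanitizer cuts the flow
        elif callee in SINKS:
            findings += [(s, SINKS[callee], path + (callee,)) for s in sorted(result)]
        elif callee in prog:                    # follow the call chain with a summary
            sub = prog[callee]
            result, more = analyze(prog, callee, dict(zip(sub.params, arg_taint)), path)
            findings += more
        if dest is not None:
            taint[dest] = result
    return taint.get(m.ret, set()), findings

# Constructed sample: Intent data reaches Runtime.exec via a helper that also logs it.
PROGRAM = {
    "MyActivity.onNewIntent": Method(["this", "intent"], [
        ("uri", "Intent.getData", ["intent"]),
        ("cmd", "Helper.buildCommand", ["uri"]),
        (None, "Runtime.exec", ["cmd"]),
        ("safe", "ShellEscape.quote", ["uri"]),
        (None, "Runtime.exec", ["safe"]),       # sanitized: no finding
    ]),
    "Helper.buildCommand": Method(["u"], [
        ("s", "Uri.toString", ["u"]),
        (None, "Log.w", ["TAG", "s"]),
        ("c", "String.concat", ["prefix", "s"]),
    ], ret="c"),
}

def find_flows(prog=PROGRAM, entry="MyActivity.onNewIntent"):
    return analyze(prog, entry, {})[1]
```

Each finding carries the call path from the entry point to the sink, which is the trace a reviewer needs to decide whether the flow is exploitable or already mitigated upstream.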

Source: opennet.ru