Facebook open-sources the Mariana Trench static analyzer

Facebook has introduced a new open-source analyzer called Mariana Trench, aimed at finding vulnerabilities in Android applications and Java programs. It can analyze projects without source code, where only bytecode for the Dalvik virtual machine is available. Another advantage is very high execution speed (analyzing several million lines of code takes about 10 seconds), which makes it practical to run Mariana Trench on every proposed change as it arrives. The project is written in C++ and distributed under the MIT license.

The analyzer was created as part of an effort to automate source-code review for the Facebook, Instagram and WhatsApp mobile applications. In the first half of 2021, half of all vulnerabilities found in Facebook's mobile applications were discovered with automated analysis tools. The Mariana Trench code builds on other Facebook projects: the Redex bytecode optimizer is used to parse bytecode, and the SPARTA library is used to interpret and analyze the results of the static analysis.

Potential vulnerabilities and privacy issues are found by analyzing how data flows through the application, looking for situations in which unvalidated external data ends up in dangerous constructs such as SQL queries, file operations, and calls that launch external programs.

The analyzer's job comes down to identifying data sources and dangerous calls (sinks) in which data from those sources must not be used: it traces the data along the chain of method calls and links each source to the dangerous places in the code it reaches. For example, data obtained from a call to Intent.getData is treated as requiring source tracking, while calls to Log.w and Runtime.exec are treated as dangerous uses.
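To make the source/sink tracing described above concrete, here is an added example of a toy, summary-based taint analysis written for this page; it is not Mariana Trench's code and does not use its model or rule formats. The rule set (Intent.getData as a source, Runtime.exec and Log.w as sinks) follows the page's example, while the mini-IR, the constructed program (Activity.onCreate, Helper.buildCommand, Helper.run, Helper.log, Helper.safe), and the eight-parameter cap are assumptions made for the demonstration. Each method is summarized bottom-up (which parameters reach a sink, which taint labels its return value carries), summaries are iterated to a fixpoint, and complete source-to-sink flows are reported with their call path.

```python
"""Toy compositional (summary-based) taint analysis; added example, not Mariana Trench code."""
from collections import defaultdict

# Constructed rules modelled on the page's example: sources produce attacker-controlled
# data, sinks are calls that data must never reach unvalidated.
SOURCES = {"Intent.getData": "UserInput"}
SINKS = {"Runtime.exec": "CodeExecution", "Log.w": "Logging"}

# Hypothetical mini-IR (not Mariana Trench's format). Parameters are named p0, p1, ...
#   ("call", dst, callee, [args])  dst = callee(args); dst may be None
#   ("assign", dst, src)
#   ("return", src)
PROGRAM = {  # constructed sample program
    "Activity.onCreate": [
        ("call", "intent", "Activity.getIntent", []),     # unknown callee: no taint
        ("call", "uri", "Intent.getData", []),            # source
        ("call", "cmd", "Helper.buildCommand", ["uri"]),  # taint passes through helper
        ("call", None, "Helper.run", ["cmd"]),            # reaches Runtime.exec inside
        ("call", None, "Helper.log", ["uri"]),            # reaches Log.w inside
        ("call", None, "Helper.safe", []),
    ],
    "Helper.buildCommand": [("assign", "s", "p0"), ("return", "s")],
    "Helper.run": [("call", None, "Runtime.exec", ["p0"])],
    "Helper.log": [("call", None, "Log.w", ["tag", "p0"])],
    "Helper.safe": [("call", None, "Log.w", ["tag", "fixed"])],  # no tainted argument
}

MAX_PARAMS = 8  # assumption for the toy IR


def summarize(name, body, program, sources, sinks, summaries):
    """Compute one method's summary given the current summaries of its callees."""
    env = defaultdict(set)  # variable -> taint labels ("source", kind) | ("param", idx)
    for i in range(MAX_PARAMS):
        env[f"p{i}"] = {("param", i)}
    out = {"returns": set(), "sinks": {}, "flows": set()}

    def reach_sink(labels, sink_kind, path):
        # A source label closes a complete flow; a param label becomes a sink summary.
        for label in labels:
            if label[0] == "source":
                out["flows"].add((label[1], sink_kind, path))
            else:
                out["sinks"].setdefault(label[1], set()).add((sink_kind, path))

    for stmt in body:
        if stmt[0] == "assign":
            env[stmt[1]] = set(env[stmt[2]])
        elif stmt[0] == "return":
            out["returns"] |= env[stmt[1]]
        elif stmt[0] == "call":
            _, dst, callee, args = stmt
            result = set()
            if callee in sources:
                result = {("source", sources[callee])}
            elif callee in sinks:
                for arg in args:
                    reach_sink(env[arg], sinks[callee], (name, callee))
            elif callee in program:  # apply the callee's summary at this call site
                cs = summaries[callee]
                for idx, hits in cs["sinks"].items():
                    if idx < len(args):
                        for sink_kind, path in hits:
                            reach_sink(env[args[idx]], sink_kind, (name,) + path)
                for label in cs["returns"]:
                    if label[0] == "source":
                        result.add(label)
                    elif label[1] < len(args):
                        result |= env[args[label[1]]]
            if dst is not None:
                env[dst] = result
    return out


def analyze(program, sources, sinks):
    """Iterate method summaries to a fixpoint so any call order (or recursion) converges."""
    summaries = {m: {"returns": set(), "sinks": {}, "flows": set()} for m in program}
    changed = True
    while changed:
        changed = False
        for name, body in program.items():
            new = summarize(name, body, program, sources, sinks, summaries)
            if new != summaries[name]:
                summaries[name] = new
                changed = True
    return summaries


def find_flows(program=PROGRAM, sources=SOURCES, sinks=SINKS):
    """Return every complete flow as (source kind, sink kind, call path), sorted."""
    summaries = analyze(program, sources, sinks)
    return sorted(f for s in summaries.values() for f in s["flows"])


if __name__ == "__main__":
    for source_kind, sink_kind, path in find_flows():
        print(f"{source_kind} -> {sink_kind} via {' -> '.join(path)}")
```

Running it reports two flows from Intent.getData: one into Runtime.exec through Helper.buildCommand and Helper.run, and one into Log.w through Helper.log; Helper.safe produces nothing because its Log.w argument is never tainted. The per-method summaries are what make the approach fast on large code bases: each helper is analyzed once, and callers only consult its summary rather than re-walking its body.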



Source: budenet.ru
