Recently open-sourced by Facebook, Mariana Trench (MT) aims to help developers identify and prevent security and privacy bugs in Android and Java applications.
MT is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production. It was built as a result of close collaboration between security and software engineers at Facebook who train MT to look at code and analyze how data flows through it.
The key idea behind Mariana Trench is that many privacy issues and vulnerabilities can be modeled as data flow issues, i.e., data reaching places where it should not go. This approach is shared by other tools developed at Facebook such as Zoncolan and Pysa, which focus on Hack and Python apps.
A data flow in MT is described by a source and a sink. A codebase can have many such sources and sinks and MT is able to find possible paths from a source to its corresponding sink using a static analysis technique known as abstract interpretation. To use MT, engineers specify where sensitive data enters the system, e.g., the filesystem, and where it is not meant to go, e.g., a log file, an API, etc. This process will require some amount of fine-tuning as well as a thorough review of all identified issues, including a potentially large number of false positives.
In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives. This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.
This triage will eventually lead to the identification of a set of rules that can be run on every PR.
An important role in this process is played by result review and analysis, which is made easier by Facebook Static Analysis Post Processor (SAPP), another open-source tool by Facebook that is able to interpret MT raw output and show how data can go from a source to a sink. The image below shows what a SAPP trace can look like:
In the example above, Mariana Trench found a remote code execution in MainActivity.onCreate with data coming from Activity.getIntent and flowing into the constructor of ProcessBuilder.
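As an added illustration (not from the article or the Mariana Trench project), the model generator file below is how an engineer would tell MT about the two ends of the flow just described: the return value of Activity.getIntent is a source, and the first explicit argument of the ProcessBuilder constructor is a sink (in MT ports, Argument(0) is the receiver `this`, so the first constructor parameter is Argument(1)). It follows the documented model-generator format; the kind names ActivityUserInput and CodeExecution are chosen for this example, and since JSON allows no comments, those labels live here rather than in the file.

```json
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "signature_match",
          "parent": "Landroid/app/Activity;",
          "name": "getIntent"
        }
      ],
      "model": {
        "sources": [
          { "kind": "ActivityUserInput", "port": "Return" }
        ]
      }
    },
    {
      "find": "methods",
      "where": [
        {
          "constraint": "signature_match",
          "parent": "Ljava/lang/ProcessBuilder;",
          "name": "<init>"
        }
      ],
      "model": {
        "sinks": [
          { "kind": "CodeExecution", "port": "Argument(1)" }
        ]
      }
    }
  ]
}
```

A rule in the separate rules file joins the two kinds, e.g. `{"name": "User input flows into code execution", "code": 1, "description": "Example rule for this illustration", "sources": ["ActivityUserInput"], "sinks": ["CodeExecution"]}`. MT then searches for paths from any ActivityUserInput source to any CodeExecution sink, and SAPP renders each one found as a trace like the one above.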
Mariana Trench is available on GitHub as well as on PyPI. As mentioned, MT can be run on any Java repository and is not restricted to Android apps.