Do You Speak My Language? Make Static Analysis Engines Understand Each Other

Presented at Black Hat USA 2021, Aug. 4, 2021, 10:20 a.m. (40 minutes)

With the widespread usage of service-oriented architectures [1][2][3][4][5], detecting security issues becomes a harder task as vulnerabilities span multiple services, codebases, and programming languages.

At Facebook, products and features are written in different languages - for example, the main Facebook.com (https://facebook.com/) codebase is written in Hack and the main Instagram.com (https://instagram.com/) codebase is written in Python. These products usually need to communicate with each other or with backend systems to process user requests.

Current security-focused static analysis tools such as CodeQL, RIPS, and Checkmarx, as well as Facebook-built tools like Zoncolan and Pysa, can only analyze each codebase/language in isolation. Each tool only sees one part of the data flow, limiting the ability of application security teams to track data flows that cross the language boundary and to identify security issues arising from such flows.

This presentation will introduce a novel but generic framework to exchange taint information between two or more static analysis systems and show how it can be used to perform cross-language, cross-repo taint-flow analysis. It will showcase how this has been implemented inside Facebook and used at scale by Facebook's security team to detect critical security vulnerabilities spanning multiple codebases. During the presentation, we will show examples of actual vulnerabilities where the data flow crosses from one language to another.

[1]: https://www.nginx.com/blog/microservices-at-netflix-architectural-best-practices/
[2]: https://netflixtechblog.com/a-microscope-on-microservices-923b906103f4
[3]: https://eng.uber.com/service-oriented-architecture/
[4]: https://aws.amazon.com/microservices/
[5]: https://engineering.fb.com/2019/05/29/security/service-encryption/

Presenters:

  • Manuel Fahndrich - Software Engineer, Facebook
    Manuel Fahndrich obtained his PhD in Computer Science from UC Berkeley in 1999, studying constraint-based program analysis. He spent 15 years doing program analysis research at Microsoft Research on projects such as Vault, Singularity, and CodeContracts. After a stint at Google working on parallel data processing, he joined Facebook's Product Security group in 2016, where he develops static program analyses for Hack and Python to surface privacy and security issues.
  • Ibrahim Elsayed - Security Engineer, Facebook
    Ibrahim ElSayed is a security engineer based at Facebook's London HQ. Ibrahim focuses on using static analysis for security vulnerability detection and prevention at scale. He is leading the work to build Facebook's static analysis tools [Zoncolan](https://engineering.fb.com/security/zoncolan/) and [Pysa](https://engineering.fb.com/security/pysa/) to analyze more than 100M lines of code and identify critical bugs at scale. Before Facebook, Ibrahim worked for multiple companies, focusing on penetration tests and red team engagements. Outside work, Ibrahim used to actively play CTFs with LCBC and BalalaikaCr3w, but now spends most of his time playing and watching football (aka soccer).
