Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA
Back To Schedule
Thursday, October 11 • 3:30pm - 4:05pm
Defense in depth with semantic static analysis

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Facebook employs a defense-in-depth approach to product security; we use a range of preventative and detection-based approaches to help ensure that our Hack/PHP codebase and its myriad backend services behave as intended. In this context, ‘preventative’ might refer to secure-by-default libraries for doing privacy-aware data fetching. ‘Detection’ might refer to the manual review by a security engineer, automated static analysis before the code is employed in production, runtime detection (e.g. Invariant Detector), or our bug bounty program.

In this talk, I will discuss a static analyzer that we built to surface potential security and privacy issues in the facebook.com codebase. We have developed a bottom-up, inter-procedural, abstract interpreter that focuses on security issues that are difficult to prevent using the type system (i.e., Hack) or secure libraries and frameworks. We designed the tool based on guidance from Facebook’s security engineering teams. When a new class of vulnerabilities is discovered, we evaluate whether it is amenable to static analysis. If that is the case, we prototype the new rule, refine it based on feedback from security engineers, and then evaluate the rule against the whole codebase. In some cases, we are able to generate a patch automatically. Concurrently, we run this tool on every code change, thus preventing the reintroduction of this type of issue.

I will also describe some of the advances in the static analysis that enable the tool to scale to thousands of changes per day in a codebase that measures tens of millions of lines of code with a very low ratio of false positives. 

avatar for Francesco Logozzo

Francesco Logozzo

Software Engineer, Facebook
I am a static analysis junkie. I wrote static analyzers for Facebook and Microsoft, published Academic papers full of Greek symbols, and gave keynote speeches at major conferences.I am also a theoretical and experimental cyclist.

Thursday October 11, 2018 3:30pm - 4:05pm PDT
Regency 1
  Regency Ballroom 1, Advanced
  • NEW FIELD 1 Track 1