facebook/mariana-trench facebook/mariana-trench

  • Stars
    star
    1,022
  • Rank 43,154 (Top 0.9 %)
  • Language
    C++
  • License
    MIT License
  • Created over 3 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
facebook/mariana-trench
github

facebook

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A security focused static analysis tool for Android and Java applications.

Mariana Trench

logo

MIT License .github/workflows/tests.yml

Mariana Trench is a security focused static analysis platform targeting Android.

This guide will walk you through setting up Mariana Trench on your machine and get you to find your first remote code execution vulnerability in a small sample app. These instructions are also available at our website.

Prerequisites

Mariana Trench requires a recent version of Python. On MacOS you can get a current version through homebrew:

$ brew install python3

On a Debian flavored Linux (Ubuntu, Mint, Debian), you can use apt-get:

$ sudo apt-get install python3 python3-pip python3-venv

This guide also assumes you have the Android SDK installed and an environment variable $ANDROID_SDK pointed to the location of the SDK.

For the rest of this guide, we assume that you are working inside of a virtual environment. You can set this up with

$ python3 -m venv ~/.venvs/mariana-trench
$ source ~/.venvs/mariana-trench/bin/activate
(mariana-trench)$

The name of the virtual environment in front of your shell prompt indicates that the virtual environment is active.

Installing Mariana Trench

Inside your virtual environment installing Mariana Trench is as easy as running

(mariana-trench)$ pip install mariana-trench

Note: pip install is not currently supported for Apple silicon Macs, you can build from source using the instructions in the Developer's Guide.

Running Mariana Trench

We'll use a small app that is part of our documentation. You can get it by running

(mariana-trench)$ git clone https://github.com/facebook/mariana-trench
(mariana-trench)$ cd mariana-trench/

We are now ready to run the analysis

(mariana-trench)$ mariana-trench \
  --system-jar-configuration-path=$ANDROID_SDK/platforms/android-32/android.jar \
  --model-generator-configuration-paths=configuration/default_generator_config.json \
  --lifecycles-paths=configuration/lifecycles.json \
  --rules-paths=configuration/rules.json \
  --apk-path=documentation/sample-app/app/build/outputs/apk/debug/app-debug.apk \
  --source-root-directory=documentation/sample-app/app/src/main/java \
  --model-generator-search-paths=configuration/model-generators/

# ...
INFO Analyzed 68937 models in 7.47s. Found 9 issues!
# ...

The analysis has found 9 issues in our sample app. The output of the analysis is a set of specifications for each method of the application.

Post Processing

The specifications themselves are not meant to be read by humans. We need an additional processing step in order to make the results more presentable. We do this with SAPP PyPi installed for us:

(mariana-trench)$ sapp --tool=mariana-trench analyze .
(mariana-trench)$ sapp --database-name=sapp.db server --source-directory=documentation/sample-app/app/src/main/java
# ...
2021-05-12 12:27:22,867 [INFO]  * Running on http://localhost:13337/ (Press CTRL+C to quit)

The last line of the output tells us that SAPP started a local webserver that lets us look at the results. Open the link and you will see the 4 issues found by the analysis.

Exploring Results

Let's focus on the remote code execution issue found in the sample app. You can identify it by its issue code 1 (for all remote code executions) and the callable void MainActivity.onCreate(Bundle). With only 4 issues to see it's easy to identify the issue manually but once more rules run, the filter functionality at the top right of the page comes in handy.

Single Issue Display

The issue tells you that Mariana Trench found a remote code execution in MainActivity.onCreate where the data is coming from Activity.getIntent one call away, and flows into the constructor of ProcessBuilder 3 calls away. Click on "Traces" in the top right corner of the issue to see an example trace.

The trace surfaced by Mariana Trench consists of three parts.

The source trace represents where the data is coming from. In our example, the trace is very short: Activity.getIntent is called in MainActivity.onCreate directly. Trace Source

The trace root represents where the source trace meets the sink trace. In our example this is the activitie's onCreate method. Trace Root

The final part of the trace is the sink trace: This is where the data from the source flows down into a sink. In our example from onCreate, to onClick, to execute, and finally into the constructor of ProcessBuilder. Trace Sink

Configuring Mariana Trench

You might be asking yourself, "how does the tool know what is user controlled data, and what is a sink?". This guide is meant to quickly get you started on a small app. We did not cover how to configure Mariana Trench. You can read more about that at our website under Configuration.

Contributing

For an in-depth guide on building from source and development on Mariana Trench, see the Developer's Guide at our website.

License

Mariana Trench is licensed under the MIT license.

More Repositories

1

react

The library for web and native user interfaces.
JavaScript
221,340
star
2

react-native

A framework for building native applications using React
C++
115,446
star
3

create-react-app

Set up a modern web app by running one command.
JavaScript
101,534
star
4

docusaurus

Easy to maintain open source documentation websites.
TypeScript
52,585
star
5

jest

Delightful JavaScript Testing.
TypeScript
41,554
star
6

rocksdb

A library that provides an embeddable, persistent key-value store for fast storage.
C++
27,271
star
7

folly

An open-source C++ library developed and used at Facebook.
C++
26,731
star
8

flow

Adds static typing to JavaScript to improve developer productivity and code quality.
OCaml
22,040
star
9

zstd

Zstandard - Fast real-time compression algorithm
C
21,685
star
10

relay

Relay is a JavaScript framework for building data-driven React applications.
Rust
18,099
star
11

hhvm

A virtual machine for executing programs written in Hack.
C++
17,960
star
12

prophet

Tool for producing high quality forecasts for time series data that has multiple seasonality with linear or non-linear growth.
Python
17,624
star
13

fresco

An Android library for managing images and the memory they use.
Java
17,026
star
14

lexical

Lexical is an extensible text editor framework that provides excellent reliability, accessibility and performance.
TypeScript
16,985
star
15

yoga

Yoga is a cross-platform layout engine which implements Flexbox. Follow https://twitter.com/yogalayout for updates.
C++
16,729
star
16

infer

A static analyzer for Java, C, C++, and Objective-C
OCaml
14,599
star
17

flipper

A desktop debugging platform for mobile developers.
TypeScript
13,124
star
18

watchman

Watches files and records, or triggers actions, when they change.
C++
12,124
star
19

react-devtools

An extension that allows inspection of React component hierarchy in the Chrome and Firefox Developer Tools.
11,024
star
20

hermes

A JavaScript engine optimized for running React Native.
C++
9,167
star
21

chisel

Chisel is a collection of LLDB commands to assist debugging iOS apps.
Python
9,072
star
22

jscodeshift

A JavaScript codemod toolkit.
JavaScript
8,850
star
23

buck

A fast build system that encourages the creation of small, reusable modules over a variety of platforms and languages.
Java
8,568
star
24

stylex

StyleX is the styling system for ambitious user interfaces.
JavaScript
7,988
star
25

proxygen

A collection of C++ HTTP libraries including an easy to use HTTP server.
C++
7,978
star
26

facebook-ios-sdk

Used to integrate the Facebook Platform with your iOS & tvOS apps.
Swift
7,644
star
27

litho

A declarative framework for building efficient UIs on Android.
Java
7,633
star
28

pyre-check

Performant type-checking for python.
OCaml
6,620
star
29

facebook-android-sdk

Used to integrate Android apps with Facebook Platform.
Kotlin
6,020
star
30

redex

A bytecode optimizer for Android apps
C++
5,951
star
31

componentkit

A React-inspired view framework for iOS.
Objective-C++
5,740
star
32

sapling

A Scalable, User-Friendly Source Control System.
Rust
5,635
star
33

fishhook

A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS.
C
5,061
star
34

PathPicker

PathPicker accepts a wide range of input -- output from git commands, grep results, searches -- pretty much anything. After parsing the input, PathPicker presents you with a nice UI to select which files you're interested in. After that you can open them in your favorite editor or execute arbitrary commands.
Python
5,033
star
35

metro

πŸš‡ The JavaScript bundler for React Native
JavaScript
4,996
star
36

prop-types

Runtime type checking for React props and similar objects
JavaScript
4,427
star
37

idb

idb is a flexible command line interface for automating iOS simulators and devices
Objective-C
4,356
star
38

Haxl

A Haskell library that simplifies access to remote data, such as databases or web-based services.
Haskell
4,220
star
39

FBRetainCycleDetector

iOS library to help detecting retain cycles in runtime.
Objective-C++
4,178
star
40

memlab

A framework for finding JavaScript memory leaks and analyzing heap snapshots
TypeScript
4,088
star
41

duckling

Language, engine, and tooling for expressing, testing, and evaluating composable language rules on input strings.
Haskell
3,995
star
42

fbt

A JavaScript Internationalization Framework
JavaScript
3,836
star
43

regenerator

Source transformer enabling ECMAScript 6 generator functions in JavaScript-of-today.
JavaScript
3,795
star
44

mcrouter

Mcrouter is a memcached protocol router for scaling memcached deployments.
C++
3,186
star
45

buck2

Build system, successor to Buck
Rust
3,177
star
46

wangle

Wangle is a framework providing a set of common client/server abstractions for building services in a consistent, modular, and composable way.
C++
3,016
star
47

wdt

Warp speed Data Transfer (WDT) is an embeddedable library (and command line tool) aiming to transfer data between 2 systems as fast as possible over multiple TCP paths.
C++
2,827
star
48

igl

Intermediate Graphics Library (IGL) is a cross-platform library that commands the GPU. It provides a single low-level cross-platform interface on top of various graphics APIs (e.g. OpenGL, Metal and Vulkan).
C++
2,674
star
49

fbthrift

Facebook's branch of Apache Thrift, including a new C++ server.
C++
2,513
star
50

mysql-5.6

Facebook's branch of the Oracle MySQL database. This includes MyRocks.
C++
2,423
star
51

Ax

Adaptive Experimentation Platform
Python
2,226
star
52

jsx

The JSX specification is a XML-like syntax extension to ECMAScript.
HTML
1,941
star
53

fbjs

A collection of utility libraries used by other Meta JS projects.
JavaScript
1,939
star
54

react-native-website

The React Native website and docs
JavaScript
1,875
star
55

screenshot-tests-for-android

Generate fast deterministic screenshots during Android instrumentation tests
Java
1,727
star
56

idx

Library for accessing arbitrarily nested, possibly nullable properties on a JavaScript object.
JavaScript
1,687
star
57

TextLayoutBuilder

An Android library that allows you to build text layouts more easily.
Java
1,464
star
58

mvfst

An implementation of the QUIC transport protocol.
C++
1,384
star
59

SoLoader

Native code loader for Android
Java
1,269
star
60

facebook-python-business-sdk

Python SDK for Meta Marketing APIs
Python
1,211
star
61

ThreatExchange

Trust & Safety tools for working together to fight digital harms.
C++
1,092
star
62

CacheLib

Pluggable in-process caching engine to build and scale high performance services
C++
1,018
star
63

fatal

Fatal is a library for fast prototyping software in modern C++. It provides facilities to enhance the expressive power of C++. The library is heavily based on template meta-programming, while keeping the complexity under-the-hood.
C++
993
star
64

transform360

Transform360 is an equirectangular to cubemap transform for 360 video.
C
991
star
65

openr

Distributed platform for building autonomic network functions.
C++
879
star
66

fboss

Facebook Open Switching System Software for controlling network switches.
C++
842
star
67

facebook-php-business-sdk

PHP SDK for Meta Marketing API
PHP
787
star
68

ktfmt

A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions.
Kotlin
776
star
69

winterfell

A STARK prover and verifier for arbitrary computations
Rust
691
star
70

pyre2

Python wrapper for RE2
C++
629
star
71

openbmc

OpenBMC is an open software framework to build a complete Linux image for a Board Management Controller (BMC).
C
607
star
72

SPARTA

SPARTA is a library of software components specially designed for building high-performance static analyzers based on the theory of Abstract Interpretation.
C++
604
star
73

chef-cookbooks

Open source chef cookbooks.
Ruby
561
star
74

IT-CPE

Meta's Client Platform Engineering tools. Some of the tools we have written to help manage our fleet of client systems.
Ruby
553
star
75

time

Meta's Time libraries
Go
471
star
76

facebook-nodejs-business-sdk

Node.js SDK for Meta Marketing APIs
JavaScript
464
star
77

facebook-sdk-for-unity

The facebook sdk for unity.
C#
461
star
78

lexical-ios

Lexical iOS is an extensible text editor framework that integrates the APIs and philosophies from Lexical Web with a Swift API built on top of TextKit.
Swift
446
star
79

Rapid

The OpenStreetMap editor driven by open data, AI, and supercharged features
JavaScript
425
star
80

FAI-PEP

Facebook AI Performance Evaluation Platform
Python
379
star
81

facebook-java-business-sdk

Java SDK for Meta Marketing APIs
Java
374
star
82

chef-utils

Utilities related to Chef
Ruby
287
star
83

opaque-ke

An implementation of the OPAQUE password-authenticated key exchange protocol
Rust
262
star
84

dns

Collection of Meta's DNS Libraries
Go
251
star
85

facebook360_dep

Facebook360 Depth Estimation Pipeline - https://facebook.github.io/facebook360_dep
HTML
238
star
86

akd

An implementation of an auditable key directory
Rust
207
star
87

tac_plus

A Tacacs+ Daemon tested on Linux (CentOS) to run AAA via TACACS+ Protocol via IPv4 and IPv6.
C
205
star
88

facebook-ruby-business-sdk

Ruby SDK for Meta Marketing API
Ruby
200
star
89

dotslash

Simplified executable deployment
Rust
165
star
90

usort

Safe, minimal import sorting for Python projects.
Python
161
star
91

grocery-delivery

The Grocery Delivery utility for managing cookbook uploads to distributed Chef backends.
Ruby
151
star
92

taste-tester

Software to manage a chef-zero instance and use it to test changes on production servers.
Ruby
144
star
93

TestSlide

A Python test framework
Python
139
star
94

homebrew-fb

OS X Homebrew formulas to install Meta open source software
Ruby
122
star
95

sapp

Post Processor for Facebook Static Analysis Tools.
Python
122
star
96

squangle

SQuangLe is a C++ API for accessing MySQL servers
C++
119
star
97

threat-research

Welcome to the Meta Threat Research Indicator Repository, a dedicated resource for the sharing of Indicators of Compromise (IOCs) and other threat indicators with the external research community
Python
115
star
98

ocamlrep

Sets of libraries and tools to write applications and libraries mixing OCaml and Rust. These libraries will help keeping your types and data structures synchronized, and enable seamless exchange between OCaml and Rust
Rust
97
star
99

bpfilter

BPF-based packet filtering framework
C
79
star
100

facebook-business-sdk-codegen

Codegen project for our business SDKs
PHP
74
star