Ibrahim M. El-Sayed

Security engineer at Meta, United Kingdom

Application & Network Security

Do you speak my language? Make static analysis engines understand each other

With the widespread usage of service-oriented architectures [1][2][3][4][5], detecting security issues becomes a harder task as vulnerabilities span multiple services, codebases, and programming languages.

At Meta, products and features are written in different languages - for example, the main Facebook.com codebase is written in Hack and the main Instagram.com codebase is written in Python. These products usually need to communicate with each other or with backend systems to process user requests.

Current security-focused static analysis tools such as CodeQL and RIPS, as well as Meta-built tools like Zoncolan and Pysa, can only analyze each codebase/language in isolation. Each tool sees only one part of the data flow, which limits the ability of application security teams to track data flows that cross the language boundary and to identify security issues arising from such flows.

This presentation will introduce a novel but generic framework for exchanging taint information between two or more static analysis systems and show how it can be used to perform cross-language, cross-repo taint-flow analysis. It will showcase how this has been implemented inside Facebook and used at scale by Facebook's security team to detect critical security vulnerabilities spanning multiple codebases.
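The problem and the approach described above in miniature, as an added sketch that is not Meta's framework or code from the talk: each analyzer reports only the half of a flow it can see, and a joiner matches the halves on a shared service-boundary key. The record format, the boundary key and every repo and service name here are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PartialFlow:
    """One analyzer's view of a flow that starts or ends at a service boundary."""
    repo: str      # codebase the analyzer ran on
    kind: str      # "egress": tainted data reaches an outbound call
                   # "ingress": a handler argument reaches a sink
    boundary: str  # assumed shared key: "Service.method#argument"
    endpoint: str  # the source (egress) or sink (ingress) inside that repo


# Constructed sample output from two analyzers; all names are hypothetical.
HACK_FLOWS = [
    PartialFlow("www-hack", "egress", "ReportService.export#filter",
                "source: HTTP request parameter 'q'"),
    PartialFlow("www-hack", "egress", "ReportService.export#format",
                "source: HTTP request parameter 'fmt'"),
]
PYTHON_FLOWS = [
    PartialFlow("reports-py", "ingress", "ReportService.export#filter",
                "sink: SQL query string"),
    PartialFlow("reports-py", "ingress", "ReportService.delete#id",
                "sink: file path"),
]


def stitch(flows):
    """Join each egress flow to every ingress flow with the same boundary key."""
    ingress = {}
    for f in flows:
        if f.kind == "ingress":
            ingress.setdefault(f.boundary, []).append(f)
    return [
        (out.repo, out.endpoint, out.boundary, inn.repo, inn.endpoint)
        for out in flows if out.kind == "egress"
        for inn in ingress.get(out.boundary, [])
    ]


if __name__ == "__main__":
    # Neither analyzer alone yields a finding; the combined set yields one.
    for finding in stitch(HACK_FLOWS + PYTHON_FLOWS):
        print(" -> ".join(finding))
```

Run against either analyzer's output alone, `stitch` returns nothing, which is the single-language blind spot; only the combined records produce the end-to-end source-to-sink finding.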

[1]: https://www.nginx.com/blog/microservices-at-netflix-architectural-best-practices/
[2]: https://netflixtechblog.com/a-microscope-on-microservices-923b906103f4
[3]: https://eng.uber.com/service-oriented-architecture/
[4]: https://aws.amazon.com/microservices/
[5]: https://engineering.fb.com/2019/05/29/security/service-encryption/

Ibrahim Mohamed did his BSc in computer science at the American University in Cairo (AUC) and his MSc at Royal Holloway, University of London. He used to work as a security consultant doing penetration testing and security reviews for SECFORCE, Deloitte and EG-CERT, then moved to Meta, where he worked on detection of security bugs using static analysis. Since 2016 Ibrahim has focused his work on Zoncolan and Pysa, which are static analysis tools for Hack and Python.