Using abstract interpretation to scale security at Meta - Social Metaverse Company (formerly Facebook)
Abstract: Over 50% of the security vulnerabilities we found across Meta’s family of apps (Facebook, Instagram, WhatsApp, Messenger, Oculus…) are detected automatically using abstract-interpretation-based tools. In the talk, I will present the challenges we faced (accuracy, scale, usability, customization, inter-language analysis) and how we achieved that result. We worked in conjunction with the Meta Product Security team to focus on the bugs that matter and to constantly refine the analysis results. We designed new abstract domains and implemented a modular, compositional, non-uniform, parallel, and distributed analysis so as to analyze hundreds of millions of lines of code in less than one hour and flag security vulnerabilities at code review time, preventing security bugs from landing in production code. We built a system that lets us achieve inter-language analysis, and a generic filtering system based on breadcrumbs that enables security engineers to customize the signal-to-noise ratio. For instance, a security engineer was able to increase the signal-to-noise ratio of results from 20% to 70% for SQL injection by simply adding a filter on integer breadcrumbs. I will conclude the talk by debunking some myths on modular/parallel/distributed analyses, e.g. that modular implies scalable, and by sharing some directions in theoretical abstract interpretation that will have a huge impact in practice.
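The breadcrumb filtering mentioned above can be illustrated with a small taint analysis. The following is an added example written for this page; it is not code from the talk or from Meta's analyzers. The statement format, the breadcrumb names ("int", "escaped") and the sample program are all constructed for illustration. Each tainted value carries the set of operations it passed through on its way from source to sink, so a finding for a SQL sink can be filtered on the "int" breadcrumb (the value was converted to an integer and cannot carry SQL syntax) without hiding a parallel flow of raw input into the same query.

```python
from dataclasses import dataclass

# Breadcrumbs recorded when a tainted value passes through these operations.
# Names are constructed for this example.
BREADCRUMB_OF = {"cast_int": "int", "escape": "escaped"}


@dataclass(frozen=True)
class Taint:
    source: str             # kind of source, e.g. "user_input"
    breadcrumbs: frozenset  # features gathered along this particular flow
    trace: tuple            # statement indices the value passed through


@dataclass(frozen=True)
class Finding:
    source: str
    sink: str
    sink_index: int
    breadcrumbs: frozenset
    trace: tuple


def analyze(program):
    """Forward taint propagation over a straight-line program.

    Statements (a constructed IR for this example):
      ("source", dst, kind)     dst receives attacker-controlled data
      ("cast_int", dst, src)    dst = int(src)
      ("escape", dst, src)      dst = sql_escape(src)
      ("concat", dst, *srcs)    dst = "".join(srcs)
      ("sink", kind, var)       var reaches a sink, e.g. a SQL query runner
    Every tainted value keeps its own breadcrumb set, so merging an int-cast
    copy with raw input leaves the raw (unsanitised) flow separately visible.
    """
    env = {}        # variable -> set of Taint flowing into it
    findings = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "source":
            _, dst, kind = stmt
            env[dst] = {Taint(kind, frozenset(), (idx,))}
        elif op in ("cast_int", "escape", "concat"):
            dst, srcs = stmt[1], stmt[2:]
            crumb = BREADCRUMB_OF.get(op)
            env[dst] = {
                Taint(t.source,
                      t.breadcrumbs | ({crumb} if crumb else frozenset()),
                      t.trace + (idx,))
                for src in srcs for t in env.get(src, ())
            }
        elif op == "sink":
            _, kind, var = stmt
            for t in env.get(var, ()):
                findings.append(
                    Finding(t.source, kind, idx, t.breadcrumbs, t.trace + (idx,)))
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


def filter_findings(findings, drop_if_any):
    """Drop every flow that passed through any of the given breadcrumbs."""
    drop = frozenset(drop_if_any)
    return [f for f in findings if not (f.breadcrumbs & drop)]


# Constructed sample program: four SQL queries built from request parameters.
SAMPLE_PROGRAM = [
    ("source", "uid", "user_input"),
    ("source", "name", "user_input"),
    ("source", "page", "user_input"),
    ("cast_int", "uid_i", "uid"),           # int(uid)
    ("cast_int", "page_i", "page"),         # int(page)
    ("concat", "q1", "uid_i"),              # "... WHERE id=" + uid_i
    ("sink", "sql", "q1"),                  # int breadcrumb only: not injectable
    ("concat", "q2", "name"),               # "... WHERE name='" + name
    ("sink", "sql", "q2"),                  # real SQL injection
    ("concat", "q3", "page_i", "name"),     # int-cast page mixed with raw name
    ("sink", "sql", "q3"),                  # still injectable through name
    ("escape", "name_e", "name"),
    ("concat", "q4", "name_e"),
    ("sink", "sql", "q4"),                  # "escaped" breadcrumb
]


def demo():
    """Return (findings before filtering, after dropping int flows)."""
    raw = analyze(SAMPLE_PROGRAM)
    return len(raw), len(filter_findings(raw, {"int"}))


if __name__ == "__main__":
    before, after = demo()
    print(f"SQL findings: {before} raw, {after} after int-breadcrumb filter")
```

The filter is a post-processing step over already computed flows, which is what lets a security engineer tune the result set without re-running the analysis or changing the abstract domain; a second breadcrumb such as "escaped" can be added to the drop set in the same way.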
Speaker: Francesco Logozzo is a theoretical and experimental abstract interpretation lover. He received his degree in Computer Science in Pisa and a Diploma from the Scuola Normale, then a PhD and a post-doc at the École Normale Supérieure under the direction of Radhia Cousot and Patrick Cousot. He then moved to Microsoft Research, Redmond. In 2015 he joined Facebook (now Meta) to lead the design and development of static analysis tools for security. Today, those static analyzers automatically detect more than 50% of the security bugs in the Meta family of apps.