Facebook open-sources one of Instagram’s security tools


Facebook has formally launched today one of Instagram’s secret tools for finding and fixing bugs in the app’s vast Python codebase.

Named Pysa, the tool is a so-called static analyzer. It works by scanning code in a “static” form, before the code is run or compiled, looking for known patterns that may indicate a bug, and then flagging potential issues to the developer.

Facebook says the tool was developed internally, and, through constant refinement, Pysa has now reached maturity. For example, Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram’s server-side Python code.


Behind this success stands the work of the Facebook security team. Even though Pysa was based on the open-source code of the Pyre project, the tool has been built around the needs of a security team.


While most static analyzers look for a wide range of bugs, Pysa was specifically developed to look for security-related issues. More particularly, Pysa tracks “flows of data through a program.”

How data flows through a program’s code is very important. Most security exploits today take advantage of unfiltered or uncontrolled data flows.

For example, remote code execution (RCE), one of today’s worst classes of bugs, is at its core a case of user input reaching a part of the codebase it should never be able to reach.

Under the hood, Pysa aims to bring some insight into how data travels across codebases, and especially large codebases made up of hundreds of thousands or millions of lines of code.

This concept isn’t new and is something that Facebook has already perfected with Zoncolan, a static analyzer that Facebook released in August 2019 for Hack — the PHP-like language variation that Facebook uses for the main Facebook app’s codebase.

Both Pysa and Zoncolan look for “sources” (where data enters a codebase) and “sinks” (where data ends up). Both tools track how data moves across a codebase, and find dangerous “sinks,” such as functions that can execute code or retrieve sensitive user data.

When a connection is found between a source and a dangerous sink, Pysa (and Zoncolan) warn developers to investigate…
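The source-to-sink tracking described above, as an added example that is not Pysa’s own code: a toy intraprocedural taint tracker built on Python’s `ast` module. The source, sink and sanitizer names, and the sample function it scans, are constructed assumptions, not Pysa’s real model files.

```python
import ast

# Hypothetical model (an assumption, not Pysa's stubs): dotted call names used as sources, sinks, sanitizers.
SOURCES = {"request.GET.get", "request.POST.get", "input"}
SINKS = {"os.system", "subprocess.call", "eval"}
SANITIZERS = {"shlex.quote"}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"

def is_tainted(expr, tainted):  # can user-controlled data reach expr's value?
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call) and dotted(expr.func) in SOURCES:
        return True
    if isinstance(expr, ast.Call) and dotted(expr.func) in SANITIZERS:
        return False  # a sanitizer call clears taint
    # call args/receivers, concatenation, f-strings, subscripts: tainted if any part is
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def analyze(stmts, tainted, findings):  # statements in source order
    for stmt in stmts:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if is_tainted(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)
            else:
                tainted.discard(stmt.targets[0].id)  # overwritten with clean data
        if not hasattr(stmt, "body"):  # simple statement: check calls into sinks
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if dotted(call.func) in SINKS and is_tainted(call, tainted):
                    findings.append((call.lineno, dotted(call.func)))
        for field in ("body", "orelse", "finalbody"):  # descend into blocks
            analyze(getattr(stmt, field, []), tainted, findings)
    return findings

def find_flows(source_code):  # -> [(line, sink)] for each source-to-sink flow
    return analyze(ast.parse(source_code).body, set(), [])

# Constructed sample: find_flows(SAMPLE) == [(5, 'os.system')], the unsanitized call only.
SAMPLE = '''import os, shlex
def ping(request):
    host = request.GET.get("host")    # source: user-controlled
    cmd = "ping -c 1 " + host
    os.system(cmd)                    # sink: flagged
    safe = shlex.quote(host)          # sanitizer clears the taint
    os.system("ping -c 1 " + safe)    # not flagged
'''
```

The toy is flow-insensitive inside branches and never follows a call into another function; tracking such flows across hundreds of thousands of lines is exactly what Pysa adds over this.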