Over 50% of the security vulnerabilities we found across Meta’s family of apps (Facebook, Instagram, WhatsApp, Messenger, Oculus…) are detected automatically using Abstract Interpretation-based tools. In the talk, I will present the challenges we faced (accuracy, scale, usability, customization, inter-language analysis) and how we achieved that result. We worked in conjunction with the Meta Product Security team to focus on the bugs that matter and to constantly refine the analysis results. We designed new abstract domains and implemented a modular, compositional, non-uniform, parallel, and distributed analysis so as to analyze hundreds of millions of lines of code in less than one hour and flag security vulnerabilities at code review time, preventing security bugs from landing in production code. We built a system that lets us achieve inter-language analysis, together with a generic filtering system based on breadcrumbs that enables security engineers to customize the signal-to-noise ratio. For instance, a security engineer was able to increase the signal-to-noise ratio of results from 20% to 70% for SQL injection, simply by adding a filter on integer breadcrumbs. I will conclude the talk by debunking some myths about modular/parallel/distributed analyses, e.g. that modular implies scalable, and by sharing some directions in theoretical abstract interpretation that will have a huge impact in practice.
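To make the breadcrumb mechanism concrete, here is a toy taint analysis written as an added example for this page; it is not code from the talk or from Meta's tools. It walks a constructed straight-line program, attaches "breadcrumbs" (facts such as "the value went through an integer cast") to each tainted flow, and then applies a breadcrumb filter to the SQL-injection findings. The instruction set, the breadcrumb names, the sample program and the oracle of which sinks are exploitable are all constructed for the illustration.

```python
"""Toy taint analysis with breadcrumbs (illustrative example, not a real tool).

A breadcrumb is a fact recorded about what happened to a value on its way
from a source to a sink. A filter on breadcrumbs lets a security engineer
drop whole classes of findings (for example, flows whose value passed
through an integer cast, which cannot carry an injection payload) and so
raise the signal-to-noise ratio without touching the analysis itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    sink_index: int          # position of the sink instruction in the program
    breadcrumbs: frozenset   # facts gathered along the tainted flow


def _propagate(taint, dest, srcs, crumb=None):
    """dest becomes tainted if any source is; union the sources' breadcrumbs."""
    crumbs = [taint[s] for s in srcs if s in taint]
    if not crumbs:
        taint.pop(dest, None)    # strong update: dest is now clean
        return
    merged = frozenset().union(*crumbs)
    if crumb:
        merged = merged | {crumb}
    taint[dest] = merged


def analyze(program):
    """Forward taint pass over a straight-line program (constructed IR).

    Instructions are tuples:
      ("source", x)        x := user-controlled input
      ("copy", x, y)       x := y
      ("int", x, y)        x := int(y)          (breadcrumb "int_cast")
      ("escape", x, y)     x := sql_escape(y)   (breadcrumb "sql_escaped")
      ("concat", x, y, z)  x := y + z           (operands may be constants)
      ("sink", y)          execute_sql(y)
    Returns one Finding per sink reached by tainted data.
    """
    taint = {}       # variable -> frozenset of breadcrumbs (absent = clean)
    findings = []
    for i, instr in enumerate(program):
        op = instr[0]
        if op == "source":
            taint[instr[1]] = frozenset()
        elif op == "copy":
            _propagate(taint, instr[1], [instr[2]])
        elif op == "int":
            _propagate(taint, instr[1], [instr[2]], "int_cast")
        elif op == "escape":
            _propagate(taint, instr[1], [instr[2]], "sql_escaped")
        elif op == "concat":
            _propagate(taint, instr[1], [instr[2], instr[3]])
        elif op == "sink":
            if instr[1] in taint:
                findings.append(Finding(i, taint[instr[1]]))
        else:
            raise ValueError(f"unknown op {op!r}")
    return findings


def filter_findings(findings, drop_if_any=()):
    """Breadcrumb filter: drop findings whose flow carries any listed breadcrumb."""
    drop = frozenset(drop_if_any)
    return [f for f in findings if not (f.breadcrumbs & drop)]


def precision(findings, exploitable_sinks):
    """Signal-to-noise ratio: share of reported sinks that are real bugs."""
    if not findings:
        return 0.0
    hits = sum(1 for f in findings if f.sink_index in exploitable_sinks)
    return hits / len(findings)


# Constructed sample program: one real injection and three benign flows.
PROGRAM = [
    ("source", "q"),                          # 0: raw search string
    ("source", "page"),                       # 1: page number as a string
    ("int", "page_i", "page"),                # 2: int(page)
    ("escape", "q_e", "q"),                   # 3: escaped copy of q
    ("concat", "sql1", "SELECT_", "q"),       # 4: raw q into SQL text
    ("sink", "sql1"),                         # 5: exploitable
    ("concat", "sql2", "LIMIT_", "page_i"),   # 6
    ("sink", "sql2"),                         # 7: int-cast flow, benign
    ("copy", "off", "page_i"),                # 8
    ("concat", "sql3", "OFFSET_", "off"),     # 9
    ("sink", "sql3"),                         # 10: int-cast flow, benign
    ("concat", "sql4", "WHERE_", "q_e"),      # 11
    ("sink", "sql4"),                         # 12: escaped flow, benign
]
EXPLOITABLE = {5}   # constructed oracle used only to measure precision


def demo():
    """Return (precision before filtering, precision after the int_cast filter)."""
    raw = analyze(PROGRAM)
    filtered = filter_findings(raw, drop_if_any=["int_cast"])
    return precision(raw, EXPLOITABLE), precision(filtered, EXPLOITABLE)


if __name__ == "__main__":
    before, after = demo()
    print(f"signal-to-noise before filter: {before:.0%}, after: {after:.0%}")
```

The point the example makes is that the analysis is unchanged: `analyze` reports every tainted sink, and only the cheap post-hoc `filter_findings` step decides which breadcrumbs mark a flow as not worth a reviewer's time. On the constructed program the int_cast filter halves the noise; adding "sql_escaped" to the filter would remove the last benign finding, at the cost of hiding flows where the escaping might be wrong for the context, which is exactly the kind of trade-off the breadcrumb filter leaves to the security engineer.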

I love static program analysis. I’ve been designing and implementing widely used static analysis tools. I have published papers in the most important research conferences and given talks at major research and industrial conferences such as Build.