Pysa, the Python Static Analyzer provided by Facebook
Facebook has released an open-source static analyzer called Pysa (Python Static Analyzer), designed to find potential security vulnerabilities in Python code.
Pysa performs static data-flow (taint) analysis, without executing the code, to find places where data ends up somewhere it should not. This lets it recognize a range of potential security vulnerabilities and privacy problems caused by data being used in the wrong place.
For example, Pysa can track raw external data into calls that execute external programs, into file operations, and into SQL statements.
In its announcement, Facebook describes Pysa as an open-source static analysis tool its engineers developed to detect and prevent security and privacy issues in Python code. Last year, Facebook described Zoncolan, a static analysis tool that evaluates more than 100 million lines of Hack code and has helped its engineers avoid thousands of potential security issues. That success motivated the team to build Pysa, short for Python Static Analyzer.
Pysa uses the same algorithms as Zoncolan to perform static analysis and even shares code with it. Like Zoncolan, Pysa tracks the flow of data through a program.
The user defines both sources (places where sensitive or untrusted data originates) and sinks (places where data from a source should not end up).
For security purposes, the most common type of source is a place where user-controlled data enters the application, such as Django's HttpRequest.GET dictionary.
Sinks tend to be much more varied, but include APIs that execute code, such as eval, and APIs that access the file system, such as os.open.
Pysa runs iterative rounds of analysis to build summaries that record which functions return data from a source and which functions have parameters that eventually reach a sink. When Pysa finds that a source ultimately connects to a sink, it reports an issue.
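To make the round-based summary idea concrete, here is a small interprocedural taint analysis that works the same way: each round analyses every function locally against the callee summaries from the previous round, and the loop stops when no summary changes. This is an added example written for this post, not Pysa's code; the intermediate representation, the sample program and the source, sink and sanitizer names (`request_get`, `os_system`, `allowlist_command`) are all constructed for illustration.

```python
"""Toy version of summary-based taint analysis (constructed example, not Pysa).

Functions of the analysed program are written in a tiny constructed IR:
  ("assign", target, expr)      target = expr
  ("call", callee, [exprs])     call for its side effects
  ("return", expr_or_None)      return expr
  expr is ("var", name) or ("call", callee, [exprs]).
"""

# Hypothetical models of library code, the part a user declares to Pysa.
SOURCES = {"request_get": "UserControlled"}        # call returns tainted data
SINKS = {"os_system": {0: "RemoteCodeExecution"}}   # argument index -> sink kind
SANITIZERS = {"allowlist_command"}                  # call returns clean data


def new_summary():
    return {
        "return_sources": set(),  # source kinds that can flow out of the return value
        "tito_params": set(),     # parameters whose taint reaches the return value
        "sink_params": {},        # parameter -> sink kinds it can eventually reach
    }


def _analyze_function(name, program, summaries, issues):
    """One local pass over `name`, using callee summaries from the previous round."""
    fn = program[name]
    summary = new_summary()
    # Each parameter starts out labelled with itself; sources get their kind.
    env = {p: {("param", p)} for p in fn["params"]}

    def sink_reached(labels, sink_kind):
        for kind, value in labels:
            if kind == "source":
                issues.add((name, value, sink_kind))  # complete source -> sink flow
            else:
                summary["sink_params"].setdefault(value, set()).add(sink_kind)

    def evaluate(expr):
        if expr is None:
            return set()
        if expr[0] == "var":
            return env.get(expr[1], set())
        _, callee, args = expr
        arg_taints = [evaluate(a) for a in args]
        if callee in SOURCES:
            return {("source", SOURCES[callee])}
        if callee in SANITIZERS:
            return set()
        if callee in SINKS:
            for index, sink_kind in SINKS[callee].items():
                if index < len(arg_taints):
                    sink_reached(arg_taints[index], sink_kind)
            return set()
        # A function of the program: apply its summary instead of re-analysing it.
        callee_summary = summaries[callee]
        result = {("source", s) for s in callee_summary["return_sources"]}
        for index, param in enumerate(program[callee]["params"]):
            if index >= len(arg_taints):
                continue
            for sink_kind in callee_summary["sink_params"].get(param, ()):
                sink_reached(arg_taints[index], sink_kind)
            if param in callee_summary["tito_params"]:
                result |= arg_taints[index]
        return result

    for stmt in fn["body"]:
        if stmt[0] == "assign":
            env[stmt[1]] = evaluate(stmt[2])
        elif stmt[0] == "call":
            evaluate(("call", stmt[1], stmt[2]))
        else:  # return
            labels = evaluate(stmt[1])
            summary["return_sources"] |= {v for k, v in labels if k == "source"}
            summary["tito_params"] |= {v for k, v in labels if k == "param"}
    return summary


def analyze(program):
    """Iterate rounds until no summary changes; the last round's issues are complete."""
    summaries = {name: new_summary() for name in program}
    while True:
        issues, changed = set(), False
        for name in program:
            summary = _analyze_function(name, program, summaries, issues)
            if summary != summaries[name]:
                summaries[name], changed = summary, True
        if not changed:
            return summaries, issues


# Constructed sample program: one view passes a query parameter through two
# helpers into a shell; a second view sanitises it first.
PROGRAM = {
    "view": {"params": ["request"], "body": [
        ("assign", "cmd", ("call", "request_get", [("var", "request")])),
        ("call", "run_command", [("var", "cmd")]),
        ("return", ("var", "cmd")),
    ]},
    "run_command": {"params": ["cmd"], "body": [
        ("assign", "line", ("call", "build_shell_line", [("var", "cmd")])),
        ("call", "os_system", [("var", "line")]),
        ("return", None),
    ]},
    "build_shell_line": {"params": ["arg"], "body": [("return", ("var", "arg"))]},
    "safe_view": {"params": ["request"], "body": [
        ("assign", "cmd", ("call", "request_get", [("var", "request")])),
        ("assign", "clean", ("call", "allowlist_command", [("var", "cmd")])),
        ("call", "run_command", [("var", "clean")]),
        ("return", None),
    ]},
}

if __name__ == "__main__":
    _, found = analyze(PROGRAM)
    for fn, source, sink in sorted(found):
        print(f"{fn}: {source} data reaches a {sink} sink")
```

The sample needs three rounds: the first learns that `build_shell_line` passes taint through, the second that `run_command`'s parameter reaches the shell, and the third connects the `request_get` source in `view` to that sink. `safe_view` is clean because the sanitizer returns untainted data. Real Pysa works on Python's AST rather than a toy IR and tracks much more (features, breadcrumbs, partial sinks), but the summary-and-fixpoint structure is the same.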
The analyzer's job therefore comes down to finding sources of untrusted incoming data and the calls in which that data must not be used.
Pysa tracks the flow of data across chains of function calls and connects the original data with potentially unsafe locations in the code.
Because Facebook uses open-source Python server frameworks such as Django and Tornado for its own products, Pysa can start finding security issues in projects that use these frameworks out of the box. Using Pysa with frameworks it does not yet cover is usually as simple as adding a few lines of configuration telling Pysa where data enters the server.
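As an added example of those "few lines of configuration" (written for this post, not taken from Facebook's own model files), here is a model file for a hypothetical framework `myframework` whose request object exposes query parameters as an attribute and a helper that shells out. The `.pysa` syntax follows Pysa's documented model-file format as I understand it; the framework, module paths and function names are assumptions, and the source and sink names must also be declared in `taint.config` with a rule that pairs them.

```pysa
# myframework.pysa (assumed file name; myframework and its classes are hypothetical)

# Source: anything read from the query string is attacker-controlled.
myframework.request.Request.params: TaintSource[UserControlled] = ...

# Source: a method that returns the raw request body.
def myframework.request.Request.raw_body(self) -> TaintSource[UserControlled]: ...

# Sink: a framework helper that runs its first argument through a shell.
def myframework.util.run_shell(command: TaintSink[RemoteCodeExecution], timeout): ...
```

Assuming the file sits in a directory listed under `taint_models_path` in `.pyre_configuration`, running `pyre analyze` will then report any path from `Request.params` or `raw_body()` into `run_shell`, including paths that pass through several intermediate functions. Check the exact annotation syntax against the current Pysa documentation before relying on it.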
One specific weakness Pysa found is an open redirect (CVE-2019-19775) in the Zulip messaging platform, caused by passing unsanitized external parameters to the thumbnail view.
Pysa's data-flow tracking can also be used to add coverage for additional frameworks and to check compliance with policies on how user data is handled.
For example, Pysa can validate projects built on the Django and Tornado frameworks without additional configuration, and it can recognise common web-application vulnerabilities such as SQL injection and cross-site scripting (XSS).
Facebook uses the analyzer to check the Instagram server code. During the first quarter of 2020, Pysa helped find 44 percent of all the security issues Facebook engineers discovered in Instagram's server-side code base.
A total of 330 issues were flagged during automated change verification with Pysa; of these, 49 (15 percent) were classified as severe, 131 (40 percent) as not severe, and the remaining 150 (45 percent) were false positives.
Pysa is built on top of the Pyre type checker and is distributed in the Pyre repository. The code is published under the MIT license.
That's all, guys. Let me know what you think about Pysa in the comments. Next time, I'll come up with another topic. Till then, stay safe. PEACE !!!