
Instagram Security Tool Pysa – Facebook publishes Sourcecode

In order to check their own software for security-relevant errors and security holes, Instagram's developers use the security tool Pysa (a name it unfortunately shares with a ransomware family). Facebook has now disclosed the source code of this tool and made it freely available.

Instagram Security: Static analysis with Pysa

Sooner or later, every piece of software accumulates errors over its life cycle. Finding and fixing them is not always easy, especially when millions of lines of code have to be considered. Automatic static code analysis helps here: the program code is checked for problems automatically, before it is compiled and executed. Most static checkers look for a broad range of errors and bugs, but the Instagram Security Tool Pysa specializes in security problems. Security-related errors in program code are particularly critical, because it is precisely these errors that create security holes that can be exploited. To find them, Pysa tracks which data the program processes and how it flows through the code, and is meant to recognize which of those data flows carry a security risk. One example of a data flow that can become dangerous is “remote code execution” (RCE). This attack becomes possible if an attacker succeeds in smuggling command sequences into the program flow. If the compromised program runs with elevated privileges, the consequences can be serious!
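To make the data-flow idea concrete, here is a toy taint tracker written for this article. It is an added illustration of the principle Pysa is built on, not Pysa's own code or its model format: it walks a Python AST, marks variables assigned from an assumed "source" (untrusted input such as `request.args.get`) as tainted, stops the taint at an assumed sanitizer (`shlex.quote`), and reports whenever tainted data reaches an assumed "sink" (`os.system`, `subprocess.call`). The source, sink and sanitizer lists and the two sample programs are constructed for the example.

```python
"""Toy intra-procedural taint tracker (added example, not Pysa's code).

Source, sink and sanitizer names below are assumptions chosen to mirror
the RCE-style data flow discussed above: untrusted input reaching a
shell-execution call.
"""
import ast
from dataclasses import dataclass

SOURCES = {"request.args.get", "input"}          # attacker-controlled data (constructed list)
SINKS = {"os.system", "subprocess.call"}         # must never receive tainted data (constructed list)
SANITIZERS = {"shlex.quote"}                     # calls that neutralize the taint (constructed list)


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


@dataclass
class Finding:
    lineno: int   # line of the sink call
    sink: str     # sink that received tainted data
    source: str   # source the data originated from


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}    # variable name -> originating source
        self.findings = []

    def taint_of(self, node):
        """Return the source name if `node` evaluates to tainted data, else None."""
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return name
            if name in SANITIZERS:
                return None                     # sanitized: the flow stops here
            for arg in node.args:               # other calls pass taint through
                t = self.taint_of(arg)
                if t:
                    return t
            return None
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.BinOp):         # "cmd " + user_input
            return self.taint_of(node.left) or self.taint_of(node.right)
        if isinstance(node, ast.JoinedStr):     # f"cmd {user_input}"
            for value in node.values:
                t = self.taint_of(value)
                if t:
                    return t
            return None
        if isinstance(node, ast.FormattedValue):
            return self.taint_of(node.value)
        return None                             # constants and unknown shapes are untainted

    def visit_Assign(self, node):
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t
                else:
                    self.tainted.pop(target.id, None)   # reassignment with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for arg in node.args:
                t = self.taint_of(arg)
                if t:
                    self.findings.append(Finding(node.lineno, name, t))
        self.generic_visit(node)


def analyze(source_code):
    """Parse `source_code` and return the list of source-to-sink findings."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample: user-controlled input flows straight into a shell call.
VULNERABLE = '''
import os
from flask import request

def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)
'''

# Constructed sample: the same flow passes through the assumed sanitizer first.
HARDENED = '''
import os, shlex
from flask import request

def ping():
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)
'''

if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, analyze(code))
```

Running the block reports one finding for the vulnerable sample (`os.system` at line 7, fed by `request.args.get`) and none for the hardened one. Real tools like Pysa do the same thing across function boundaries and whole code bases, with the sources, sinks and sanitizers declared in model files rather than hard-coded; the point here is only that a "security hole" of the RCE kind shows up in the analysis as an unbroken path from a source to a sink.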

Pysa comes with Pyre
The Instagram Security Tool Pysa comes with Pyre (source: screenshot https://github.com/facebook/pyre-check)

Not a whole new approach

Facebook already presented the static analysis tool Zoncolan last year, but it is not open source. Zoncolan is also designed to analyze programs written in Hack, a language used largely inside Facebook. Instagram, however, is written in Python rather than Hack, so the Instagram Security Tool Pysa is made for analyzing Python programs, which is far more relevant to the rest of the world. Python is a very popular and widely used programming language, so disclosing the Pysa source code should be of interest to many developers, especially those writing security-related software. Python tools for downloading Instagram posts have been looked at here in the past.

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. I specialized in IT security during my bachelor's and master's studies and am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As a penetration testing expert, I find vulnerabilities in systems and networks and use them to simulate realistic cyber attacks and improve security measures. Through reverse engineering, I discover errors and opportunities for improvement in software and hardware. My skills in hardware and web security allow me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.