In order to check their own software for security relevant errors and security holes, the developers of Instagram use the security tool Pysa (this is the name it unfavorably shares with ransomware). The source code for this tool has now been disclosed and made freely available to Facebook.
Instagram Security: Static analysis with Pysa
Sooner or later every software has errors during its life cycle. Finding and fixing these errors is not always easy, especially when you have millions of lines of code to consider. An automatic, static code analysis helps here. This means that the program code is automatically checked for problems before compilation and execution. Most static checking programs look for a large number of errors and bugs, but the Instagram Security Tool Pysa specializes in security problems. Security-related errors in the program code are particularly critical, as it is precisely these errors that create security holes and can be exploited. For this purpose, Pysa specifically checks which data is processed by the program and how, and should then recognize which data flows contain a security risk. An example where a data flow can become dangerous is “Remote Code Execution” or RCE. This attack becomes possible if the attacker succeeds in smuggling command sequences into a program flow. If the infiltrated program runs with increased privileges, this can have serious consequences!
Not a whole new approach
Already last year Facebook presented the static analysis tool Zoncolan, but this is not open source. Zoncolan is also designed to analyze programs written in “hack”, a language that is largely internal to Facebook. Instagram, however, is not written in Hack, but in Python, so the Instagram Security Tool Pysa is made for the analysis of Python programs, which is much more relevant for the rest of the world. Python is a very popular and widely used programming language, so disclosing the Pysa source code should be of interest to many developers, especially of security related software. Python tools for downloading Instagram Posts have been considered in the past.