For some years Facebook has been working on Zoncolan, a tool the company uses for static code analysis. For the first time, the responsible development team has publicly presented details of the project on the Facebook engineering blog. The performance of Zoncolan is particularly impressive.
According to the publication, Facebook's web code base currently comprises more than 100 million lines of code in the Hack language. Thanks to the tool, all of it can be checked in less than 30 minutes. In the post, the team emphasizes this massive scalability, but also points out that, of course, not all errors can be found with the procedure, only certain error classes. Its use has nevertheless prevented thousands of potential security vulnerabilities.
Zoncolan acts as a parser for the code, building a representation of the code's control-flow graph and a call graph, i.e. the behavior of the functions and their interactions with each other. The idea behind Zoncolan is to use this abstraction to track the history of input data. The resulting data flow is compared against a large set of rules. If Zoncolan matches one of the stored rules, a developer from the security team reviews the affected code.
Facebook states that Zoncolan uses a technique called "abstract interpretation" to track user-controlled input through the code base. While analyzing the code, it builds structures representing, on the one hand, the functions of the code in a control-flow graph and, on the other, how they interact, in a call graph. Zoncolan then creates a summary of the behavior of each function and records only the properties relevant to potentially dangerous information flows.
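To illustrate the approach the post describes (per-function summaries, propagated along the call graph, then checked against rules), here is an added Python sketch of a toy interprocedural taint analysis. It is not Facebook's code: the tiny IR, the constructed sample program and the names `get_param`, `escape` and `exec_query` (source, sanitizer and sink) are all assumptions made for the example.

```python
SOURCES = {"get_param"}      # calls returning user-controlled data
SANITIZERS = {"escape"}      # calls whose result is considered clean
SINKS = {"exec_query": 0}    # sink -> index of the argument that must not be tainted

# Constructed program in a tiny IR: ("call", dst, callee, args) or ("return", var).
PARAMS = {"sanitize": ["s"], "lookup": ["prefix", "name"], "handler": [], "safe": []}
PROGRAM = {
    "sanitize": [("call", "r", "escape", ["s"]), ("return", "r")],
    "lookup": [("call", "q", "concat", ["prefix", "name"]),   # unknown library call
               ("call", "_", "exec_query", ["q"]), ("return", "prefix")],
    "handler": [("call", "u", "get_param", []), ("call", "c", "sanitize", ["u"]),
                ("call", "x", "lookup", ["c", "u"]), ("return", "x")],  # raw u -> sink
    "safe": [("call", "u", "get_param", []), ("call", "c", "sanitize", ["u"]),
             ("call", "x", "lookup", ["c", "c"]), ("return", "x")],
}
SUMMARIES = {}  # fname -> (labels reaching return, [(sink, labels reaching sink)])

def resolve(labels, args):  # map callee labels P<i> to the caller's argument labels
    return frozenset().union(*[args[int(l[1:])] if l[0] == "P" else {l} for l in labels])

def summarize(fname):
    """Abstractly interpret one function, recording only the taint-relevant facts."""
    if fname in SUMMARIES:   # reuse; the placeholder also stops recursion (assumed no flow)
        return SUMMARIES[fname]
    SUMMARIES[fname] = (frozenset(), [])
    env = {p: frozenset({f"P{i}"}) for i, p in enumerate(PARAMS[fname])}
    ret, hits = frozenset(), []
    for stmt in PROGRAM[fname]:
        if stmt[0] == "return":
            ret |= env.get(stmt[1], frozenset())
            continue
        _, dst, callee, args = stmt
        arg_labels = [env.get(a, frozenset()) for a in args]
        if callee in SINKS:       # a rule: record what reaches the dangerous argument
            hits.append((callee, arg_labels[SINKS[callee]]))
        if callee in SOURCES:
            env[dst] = frozenset({"SRC"})
        elif callee in SANITIZERS:
            env[dst] = frozenset()
        elif callee in PROGRAM:   # reuse the callee's summary instead of re-analysing it
            c_ret, c_hits = summarize(callee)
            env[dst] = resolve(c_ret, arg_labels)
            hits += [(s, resolve(l, arg_labels)) for s, l in c_hits]
        else:                     # sink or unknown call: conservatively propagate all args
            env[dst] = frozenset().union(*arg_labels)
    SUMMARIES[fname] = (ret, hits)
    return SUMMARIES[fname]

def findings(entry):  # rule check: sinks that user-controlled data reaches from entry
    return sorted({sink for sink, labels in summarize(entry)[1] if "SRC" in labels})
```

The summary of `lookup` is computed once and says only that parameter 0 reaches its return value and parameters 0 and 1 reach the `exec_query` sink; each caller then substitutes its own argument labels, so `handler` is flagged while `safe` is not.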
Facebook describes the tool as an integral part of its development work. The name evidently derives from a mountain in Italy: Monte Zoncolan is one of the steepest climbs in Europe for cyclists. Both the men's Giro d'Italia and the women's Giro Rosa have used the mountain as a stage finish.