ACE Seminar: Automatic Learning and Enforcement of Authorization Rules in Online Social Networks

Speaker: Marjori Pomarole

Date/Time: 01-Jun-2017, 16:00 UTC

Venue: Gordon Street (25), Room 500



Authorization bugs, when present in online social networks, are usually caused by missing or incorrect authorization checks and can allow attackers to bypass the online social network’s protections. Unfortunately, there is no practical way to fully guarantee that an authorization bug will never be introduced—even with good engineering practices—as a web application and its data model become more complex. We have designed and implemented IVD (Invariant Detector) to handle the unique challenges posed by modern online social networks. IVD is currently running at Facebook, where it infers and evaluates daily more than 200,000 invariants from a sample of roughly 500 million client requests, and checks the resulting invariants every second against millions of writes made to a graph database containing trillions of entities. Thus far IVD has detected several high-impact authorization bugs and has successfully blocked attempts to exploit them before code fixes were deployed.
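The two-phase idea in the abstract (learn invariants from a sample of observed requests, then check every write against them) can be illustrated with a small learner. The following is an added example written for this page; it is not IVD's code and makes no claim about how Facebook's system represents requests or invariants. The `Write` record, the three candidate predicates, the friend lists and the sample writes are all constructed for the illustration.

```python
"""Toy invariant learner in the spirit of the approach the abstract describes:
learn authorization invariants from a sample of observed writes, then flag new
writes that break them. Constructed example; not Facebook's IVD code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Write:
    """One observed write request (fields are assumptions for this example)."""
    kind: str                  # what is being written, e.g. "post.delete"
    actor: str                 # user who issued the request
    owner: str                 # user who owns the target object
    actor_role: str            # "user" or "admin"
    actor_friends: frozenset = frozenset()  # actor's friend list


# Candidate predicates over a write. An invariant for a write kind is a
# predicate that held on every sampled write of that kind.
CANDIDATES = {
    "actor_is_owner": lambda w: w.actor == w.owner,
    "actor_is_admin": lambda w: w.actor_role == "admin",
    "actor_is_owner_or_friend": lambda w: w.actor == w.owner
    or w.owner in w.actor_friends,
}


def infer_invariants(sample, min_support=3):
    """Return {kind: set of predicate names} that held on every sampled write
    of that kind. Kinds seen fewer than min_support times yield nothing, since
    a handful of requests is too little evidence to enforce anything."""
    by_kind = defaultdict(list)
    for w in sample:
        by_kind[w.kind].append(w)
    invariants = {}
    for kind, writes in by_kind.items():
        if len(writes) < min_support:
            continue
        held = {name for name, pred in CANDIDATES.items()
                if all(pred(w) for w in writes)}
        if held:
            invariants[kind] = held
    return invariants


def check_write(write, invariants):
    """Return the sorted list of invariant names the write violates.
    An empty list means the write is consistent with everything learned."""
    return sorted(name for name in invariants.get(write.kind, ())
                  if not CANDIDATES[name](write))


# Constructed sample of legitimate traffic (friend lists are also constructed).
ALICE_FRIENDS = frozenset({"bob"})
BOB_FRIENDS = frozenset({"alice", "carol"})
CAROL_FRIENDS = frozenset({"bob"})

SAMPLE = [
    # post.delete: in every sampled request the actor deletes their own post
    Write("post.delete", "alice", "alice", "user", ALICE_FRIENDS),
    Write("post.delete", "bob", "bob", "user", BOB_FRIENDS),
    Write("post.delete", "carol", "carol", "user", CAROL_FRIENDS),
    # comment.create: the actor is the owner or a friend of the owner
    Write("comment.create", "alice", "alice", "user", ALICE_FRIENDS),
    Write("comment.create", "bob", "alice", "user", BOB_FRIENDS),
    Write("comment.create", "carol", "bob", "user", CAROL_FRIENDS),
]


def run_demo():
    """Learn from SAMPLE, then check a few later writes; returns the findings."""
    inv = infer_invariants(SAMPLE)
    later = {
        # a stranger deleting Alice's post: breaks both learned post.delete rules
        "stranger_deletes_post": Write("post.delete", "mallory", "alice", "user"),
        # a friend deleting Alice's post: still breaks actor_is_owner
        "friend_deletes_post": Write("post.delete", "bob", "alice", "user", BOB_FRIENDS),
        # a stranger commenting: breaks the only comment.create rule
        "stranger_comments": Write("comment.create", "mallory", "alice", "user"),
        # a friend commenting: consistent with what was learned
        "friend_comments": Write("comment.create", "bob", "alice", "user", BOB_FRIENDS),
    }
    return {name: check_write(w, inv) for name, w in later.items()}


if __name__ == "__main__":
    for name, violated in run_demo().items():
        print(f"{name}: {'OK' if not violated else 'violates ' + ', '.join(violated)}")
```

Two properties of this approach are worth keeping in mind when reading the abstract. First, an invariant is only as good as the sample it was learned from: if a bug is already being exploited while the sample is taken, the violating writes dilute the evidence and the corresponding invariant is never learned, which is why a production deployment re-infers invariants continuously rather than once. Second, a violation is a signal to review or block the write, not proof of a bug; the `min_support` threshold above is the simplest form of the confidence gating that keeps rare, legitimate write kinds from generating noise.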



Marjori Pomarole is from São Paulo, Brazil and has been a Software Engineer at Facebook London for 2.5 years. She worked for 2 years on the Security Infrastructure team on projects like IVD (Invariant Detector) and Facebook’s web security frameworks. She is now on the Web Foundation team, helping maintain the health and reliability of Facebook’s front-end clusters.

