7 - Security II
Tutorial objectives
- Advanced techniques in security auditing
- Static analysis tools
- Introduction to fuzz testing
Tutorial pre-requisites
- Solidity, Python, Git fundamentals
- Installed Wake framework (https://ackee.xyz/wake/docs/latest/), Solidity (Wake) VSCode Extension (VS Marketplace Link) and Foundry toolchain (https://book.getfoundry.sh/).
- Wake is automatically installed with the VSCode extension.
For manual installation, use the following:
pip3 install eth-wake
curl -L https://foundry.paradigm.xyz | bash # insecure install, you know
source ~/.bashrc && foundryupStatic analysis
Static analysis is a method of debugging by examining source code before a program is run. It’s done by analyzing a set of code against a set of coding rules (detectors). This technique can help find errors and bugs that might not be picked up by compilers and interpreters.
Static analysis tools, often referred to as SAST (Static Application Security Testing) tools, can be used to analyze code for potential security vulnerabilities, code quality issues, and adherence to coding standards.
For static analysis in this tutorial, we will use the Wake testing framework (see documentation: https://ackee.xyz/wake/docs/latest/static-analysis/using-detectors/).
Other static analysis tools include:
- Slither - https://github.com/crytic/slither
- MythX - https://mythx.io/ (deprecated)
Practical example
To show how static analysis works, we will use the code from the previous tutorial and run the Wake detectors on it.
- Clone the repository from https://github.com/Ackee-Blockchain-Education/NIE-BLO-tutorial-6.
- Edit the
wake.tomlfile and comment out lines 8-16 with the enumeration of the excluded detectors. - Analyze the output of the detectors in the VSCode window through the Solidity (Wake) extension.
- Run
wake detectin the terminal in the project directory to see the output of the detectors on the command line.
Fuzzing
Fuzzing is a technique for testing software that involves providing invalid, unexpected, or random data as inputs to a computer program.
Fuzz tests are beneficial for example for black box testing, when manual testing or review will be more time-consuming, or to catch bugs that are unlikely to be spotted by human eye.
For fuzzing in this tutorial, we will use the Wake testing framework (see documentation: https://ackee.xyz/wake/docs/latest/testing-framework/fuzzing/).
Other fuzzing tools include:
- Foundry - https://github.com/foundry-rs/foundry
- Echidna - https://github.com/crytic/echidna
Practical example
The foal of this tutorial is to learn to write a simple fuzzer for a smart contract.
- Clone the repository from https://github.com/Ackee-Blockchain-Education/NIE-BLO-tutorial-7.
- Follow the instructions in the README file.
- The
masterbranch contains the initial code, and thesolutionbranch contains the completed test code.
Formal verification
Formal verification is a technique used in software testing to prove or disprove the correctness of intended algorithms underlying a system with respect to a certain formal specification or property.
This method is out of scope of our tutorial.
Tools/companies that provide formal verification include:
- Halmos - https://github.com/a16z/halmos
- Runtime Verification - https://runtimeverification.com/
- Certora - https://www.certora.com/