Solgrep - A grammar aware Solidity query tool

In the last few years, the blockchain usage has been growing rapidly. A lot of industries have been using and developing blockchain platforms to perform decentralized computations. One of the most popular underlying technologies is the Ethereum blockchain. Executing, verifying and enforcing credible...

Descripción completa

Detalles Bibliográficos
Autor: Celades Pons, Ferran
Tipo de recurso: tesis de maestría
Fecha de publicación:2022
País:España
Institución:Universitat Oberta de Catalunya (UOC)
Repositorio:O2, repositorio institucional de la UOC
OAI Identifier:oai:openaccess.uoc.edu:10609/145646
Acceso en línea:http://hdl.handle.net/10609/145646
Access Level:acceso abierto
Palabra clave:Semgrep
AST
grammar
YAML
Node.js
gramàtica
gramática
Computer security -- TFM
Seguretat informàtica -- TFM
Seguridad informática -- TFM
Descripción
Sumario:In the last few years, the blockchain usage has been growing rapidly. A lot of industries have been using and developing blockchain platforms to perform decentralized computations. One of the most popular underlying technologies is the Ethereum blockchain. Executing, verifying and enforcing credible computable transactions on blockchains is done using smart contracts which the code is written using a Turing complete language. Those contracts are typically written in a high-level programming language called Solidity, then compiled to Ethereum Virtual Machine (EVM) assembly instructions and deployed to the Ethereum blockchain. So many tools have been written to analyze and find vulnerabilities in Solidity smart contracts from a static and dynamic standpoint. However, none of the already developed tools allow easy contribution by the community without actually having to modify the tool source code itself or write complex syntax specific queries. In this project we have created Solgrep. Solgrep is a tool that allows static semantic aware search on Solidity code. The initial idea of Solgrep was to be used as part of Smart Contracts Solidity Audits as a remarkable tool in the arsenal of an auditor. However, it was noticed that this tool could be easily integrated with current Solidity development stacks to find common bad patterns and coding mistakes that Solidity developers tend to do.