Done
Basic study of static analysis
- Reason: I felt I did not yet have a solid grasp of this technique.
- Read the paper Static Analysis for Security.
- Summary:
- Static analysis tools examine the text of a program statically, without attempting to execute it. They can examine either a program’s source code or a compiled form of the program to equal benefit.
- A developer can successfully apply a good static analysis tool without being aware of the finer points of security bugs.
- Static analysis problems are undecidable in the worst case. Also, static analysis tools can produce false negatives or false positives.
- Approaches to static analysis:
- The grep utility: doesn't understand anything about the files it scans.
- Lexical analysis: preprocesses and tokenizes source files but makes no effort to account for the target code's semantics.
- Building an abstract syntax tree (AST) from source code: need to choose the scope of the analysis. Bigger scope ➔ broader context ➔ fewer false positives, but it requires more computation.
- The
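Added illustration (editor's example, not code from the paper or from this report): the three approaches above, grep, lexical analysis and AST analysis, run over one constructed Python snippet that mentions `eval` four times but calls the dangerous builtin only once. The function names (`grep_findings`, `lexical_findings`, `ast_findings`, `compare`) and the sample program are assumptions made for the example; the point it shows is how each step up in context removes a class of false positives. It also shows the limit of a plain AST check: an alias such as `e = eval; e(x)` would still be missed, which is where dataflow analysis, beyond this example, comes in.

```python
import ast
import io
import re
import tokenize

# Constructed sample program (not from the paper). The name "eval" appears
# four times, but only the last line calls the dangerous builtin: line 2 is
# a comment, line 3 a string literal, and line 4 a method that merely
# happens to be named eval.
SAMPLE_SOURCE = (
    "def run(calc, expr):\n"
    "    # TODO: stop using eval() here\n"
    "    label = 'eval was called'\n"
    "    total = calc.eval(expr)\n"
    "    return eval(expr)\n"
)


def grep_findings(source, pattern=r"\beval\b"):
    """grep-style scan: a regex over raw text, with no notion of code structure."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), 1)
        if re.search(pattern, line)
    ]


def lexical_findings(source, name="eval"):
    """Lexical scan: tokenize first, then match only NAME tokens.

    Comments and string literals become COMMENT/STRING tokens, so they no
    longer match; but the tokenizer still cannot tell calc.eval from eval.
    """
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return [
        (tok.start[0], tok.string)
        for tok in tokens
        if tok.type == tokenize.NAME and tok.string == name
    ]


def ast_findings(source, name="eval"):
    """AST scan: match only Call nodes whose callee is the bare name.

    Attribute calls such as calc.eval(...) are ast.Attribute, not ast.Name,
    so they are excluded; only the builtin call on line 5 remains.
    """
    return [
        (node.lineno, name)
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id == name
    ]


def compare(source=SAMPLE_SOURCE):
    """Number of findings per approach; the sample has exactly one true positive."""
    return {
        "grep": len(grep_findings(source)),
        "lexical": len(lexical_findings(source)),
        "ast": len(ast_findings(source)),
    }


if __name__ == "__main__":
    for approach, hits in (
        ("grep", grep_findings(SAMPLE_SOURCE)),
        ("lexical", lexical_findings(SAMPLE_SOURCE)),
        ("ast", ast_findings(SAMPLE_SOURCE)),
    ):
        print(f"{approach:8s} -> {hits}")
```

Running it reports 4 findings for grep, 2 for the lexical scan and 1 for the AST scan, matching the paper's ordering of the three approaches by context.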
Further study of smart contracts
- Reason: as with static analysis, I felt my understanding of smart contracts was not deep enough.
- Read the paper An Overview of Smart Contract - Architecture, Applications, and Future Trends:
- Summary:
- Smart contracts are self-executing contracts with the terms of the agreement between interested parties. The contracts are written in the form of program codes that exist across a distributed, decentralized blockchain network.
- The correct implementation of smart contracts is enforced by the consensus protocols.
- Normally, after the smart contracts are signed by all parties, they are attached to the blockchain in the form of program codes (e.g., a Bitcoin transaction), and are recorded in the blockchain after being propagated by the P2P network and verified by the nodes.
- A smart contract encapsulates a number of pre-defined states and transition rules, scenarios that trigger contract execution (such as a given time being reached or a particular event occurring), responses in a particular scenario, etc.
Paper: Extracting and Analyzing the Implemented Security Architecture of Business Applications
For this one I tried writing a summary in Vietnamese (attached), but it is not very concise yet.
Paper: On the applicability of security and privacy threat modeling for blockchain applications
I skimmed and highlighted this one but have not written a summary yet.
Not done
- Paper on static analysis for smart contracts (the Slither framework): Slither: A static analysis framework for smart contracts
- Survey paper on analysis for smart contracts: Analysis of Blockchain Smart Contracts: Techniques and Insights
- Still unanswered question: can static analysis be applied to smart contracts to extract the artifacts of a DFD?