DevCon2: Visualizing Security

Benefactory
Nov 16, 2016

Developers are familiar with the concept of “code smells”: patterns in code that indicate likely problems. Such patterns are good targets for static analysis. Raine Revere built a tool called solgraph which, combined with solidity-parser, outputs a visual graph of a contract’s functions and highlights the parts that most need attention for security risks, such as functions that send ether. The tool does not prove correctness; it offers a simple way to see where risk concentrates. For example, for The DAO contract, which was arguably long and complex, it would have given a quick way to visualize where extra attention was warranted to prevent re-entrancy attacks.
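The following is an added example, not solgraph’s own code and not code from the original post, of the kind of static “smell” check that solgraph automates. It scans a constructed sample contract (pre-0.5 Solidity syntax) with regular expressions in place of solidity-parser, flags functions that write state after an external call, and renders the result as a Graphviz DOT graph. The sample contract, the function names and the colour scheme are assumptions for illustration, and the regexes are a heuristic that can miss or over-report.

```javascript
// Added example (not solgraph, not code from the original post): a tiny
// "code smell" scanner for Solidity in the spirit of solgraph, using regular
// expressions instead of solidity-parser. It is a heuristic, not a proof.
// Smell: a function makes an external call (.call / .call.value / .send /
// .transfer) and writes contract state AFTER that call, the re-entrancy shape.

// Constructed sample (pre-0.5 syntax): withdraw is written the vulnerable
// way, safeWithdraw updates state before it sends.
const SAMPLE_SOURCE = `
contract Vault {
  mapping(address => uint) public balances;
  function withdraw(uint amount) {
    if (balances[msg.sender] < amount) throw;
    if (!msg.sender.call.value(amount)()) throw;  // external call first
    balances[msg.sender] -= amount;                // state write after it
  }
  function safeWithdraw(uint amount) {
    if (balances[msg.sender] < amount) throw;
    balances[msg.sender] -= amount;                // effects first
    if (!msg.sender.send(amount)) throw;           // then interaction
  }
  function withdrawAll() { withdraw(balances[msg.sender]); }
}
`;

// Split the source into { name, body } records by matching braces after
// each "function <name>(" header; enough for well-formed contracts.
function extractFunctions(source) {
  const functions = [];
  const header = /function\s+(\w+)\s*\([^)]*\)[^{]*\{/g;
  let match;
  while ((match = header.exec(source)) !== null) {
    let depth = 1, i = header.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}') depth--;
      i++;
    }
    functions.push({ name: match[1], body: source.slice(header.lastIndex, i - 1) });
    header.lastIndex = i;
  }
  return functions;
}

const EXTERNAL_CALL = /\.(call(\.value\([^)]*\))?|send|transfer)\s*\(/;
// Assignment to a bare identifier or mapping/array element; a line that
// starts with a type keyword is a local declaration, not a state write.
const STATE_WRITE =
  /^\s*(?!(uint\d*|int\d*|address|bool|bytes\d*|string|var)\b)[A-Za-z_]\w*(\[[^\]]*\])*\s*(\+=|-=|\*=|=)(?!=)/;

// Flag a function whose first external call precedes a state write.
function analyzeFunction(fn) {
  let callLine = -1, writeAfterCall = false;
  fn.body.split('\n').forEach((line, idx) => {
    const code = line.split('//')[0]; // drop trailing comments
    if (callLine < 0 && EXTERNAL_CALL.test(code)) callLine = idx;
    else if (callLine >= 0 && STATE_WRITE.test(code)) writeAfterCall = true;
  });
  return { name: fn.name, externalCall: callLine >= 0, reentrancySmell: writeAfterCall };
}

// Other contract functions invoked from this body: the graph's edges.
function findInternalCalls(fn, allNames) {
  const calls = new Set();
  const callSite = /\b([A-Za-z_]\w*)\s*\(/g;
  let m;
  while ((m = callSite.exec(fn.body)) !== null) {
    if (allNames.has(m[1]) && m[1] !== fn.name) calls.add(m[1]);
  }
  return [...calls];
}

function analyzeSource(source) {
  const fns = extractFunctions(source);
  const names = new Set(fns.map((f) => f.name));
  return fns.map((fn) => ({ ...analyzeFunction(fn), calls: findInternalCalls(fn, names) }));
}

// Graphviz DOT like solgraph emits: red for the re-entrancy smell, yellow
// for any other function that makes an external call, edges for calls.
function toDot(results) {
  const nodes = results.map((r) => {
    const style = r.reentrancySmell ? ' [style=filled, fillcolor=red]'
      : r.externalCall ? ' [style=filled, fillcolor=yellow]' : '';
    return `  "${r.name}"${style};`;
  });
  const edges = [];
  results.forEach((r) => r.calls.forEach((c) => edges.push(`  "${r.name}" -> "${c}";`)));
  return `digraph G {\n${[...nodes, ...edges].join('\n')}\n}`;
}

const RESULTS = analyzeSource(SAMPLE_SOURCE);
if (typeof module !== 'undefined' && require.main === module) {
  console.log(toDot(RESULTS)); // pipe into `dot -Tpng` to view
}
```

Run it with node and pipe the output into Graphviz to get the picture: withdraw, which transfers ether before it updates the balance, comes out red; safeWithdraw, which follows the checks-effects-interactions order, is only marked yellow as a function that makes an external call; withdrawAll gets an edge to withdraw, so a reviewer can see which entry points lead to the risky code.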

Beyond this kind of static analysis, dynamic analysis that depends on the runtime state of the contract would be useful as well. Building a dynamic analysis ecosystem first requires standardized unit testing patterns and standardized access control modifiers.

Awareness of the different developer cultures within the Ethereum community can help build a comprehensive view of security issues. Web developers, systems engineers, academics, and non-developer enthusiasts in the community all have different perspectives on what security means, and each individual’s solutions benefit from taking every culture’s perspective into account.

Raine Revere presenting at DevCon2 in Shanghai, China

This series was a collaborative research project written by Bill Gleim, Simon de la Rouviere, Paul Kohlhaas, and Niran Babalola. It was crowdfunded by the Ethereum Movement, a decentralized nonprofit built on Benefactory.
