
Static Analysis of a Source Code

2023-12-04 08:29:18

Introduction

With regard to auditing web applications, the main purpose of performing static analysis of source code is to detect vulnerabilities. This article therefore explains two major vulnerability classes found in PHP source code, LFI (local file inclusion) and RFI (remote file inclusion), and the algorithm proposed for investigating them. The method is as follows.

When user input reaches a file-inclusion function without being validated, that function is very likely to be abused.
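The detection rule above (user input flows, unvalidated, into an include) can be expressed as a small flow-insensitive taint scan. The following is an added example, not code from the original article: a simplified scanner for PHP source that marks variables assigned from request superglobals as tainted, clears the taint when a recognised validation function is applied to the variable, and reports any include/require whose argument still contains a tainted variable. The two PHP snippets are constructed inputs, and the lists of superglobals, sanitizers and include functions are the example's own assumptions (real PHP has more of each).

```python
import re

# Constructed sample inputs (not from the original article): the same "page"
# include, once with raw user input and once gated by an allow-list.
VULNERABLE_PHP = """<?php
$page = $_GET['page'];
$path = 'pages/' . $page;
include($path . '.php');
"""

HARDENED_PHP = """<?php
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'];
if (!in_array($page, $allowed, true)) { die('bad page'); }
include('pages/' . $page . '.php');
"""

# Assumed taint sources, sanitizers and sinks for this simplified scanner.
SUPERGLOBALS = ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES')
SANITIZERS = ('in_array', 'basename', 'array_key_exists')
INCLUDE_FUNCS = ('include_once', 'require_once', 'include', 'require')

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?);\s*$')
SANITIZER_RE = re.compile(r'\b(%s)\s*\(\s*(\$\w+)' % '|'.join(SANITIZERS))
INCLUDE_RE = re.compile(r'\b(%s)\b\s*\(?\s*(.+?)\)?\s*;' % '|'.join(INCLUDE_FUNCS))
VAR_RE = re.compile(r'\$\w+')


def scan(php_source):
    """Return a list of findings: include sinks reached by user input.

    Flow-insensitive: a variable stays tainted until a sanitizer is applied
    to it, so a plain reassignment inside a branch does not clear the taint
    (conservative, like the over-approximation the article describes).
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            rhs_vars = set(VAR_RE.findall(rhs))
            from_user = any(sg in rhs for sg in SUPERGLOBALS) or bool(rhs_vars & tainted)
            # e.g. $page = basename($_GET['page']); is treated as sanitized
            if from_user and not SANITIZER_RE.search(rhs):
                tainted.add(var)
            continue
        # A validation call on its own line, e.g. if (!in_array($page, ...))
        for sm in SANITIZER_RE.finditer(line):
            tainted.discard(sm.group(2))
        im = INCLUDE_RE.search(line)
        if im:
            func, expr = im.group(1), im.group(2)
            sources = [v for v in VAR_RE.findall(expr)
                       if v in tainted or v in SUPERGLOBALS]
            if sources:
                findings.append({'line': lineno, 'function': func,
                                 'variable': sources[0], 'expr': expr.strip()})
    return findings


if __name__ == '__main__':
    for name, src in (('vulnerable', VULNERABLE_PHP), ('hardened', HARDENED_PHP)):
        print(name, scan(src))
```

Whether a finding is exploitable as RFI rather than only LFI depends on whether a literal directory prefix precedes the user-controlled part and on the allow_url_include setting; the scanner reports the sink either way and leaves that classification to the reviewer.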

The NIST SAMATE project is designed to measure the effectiveness of static analysis tools and to help organizations improve their use of the technology. The project ran static analysis tools and manual source code reviews over open source packages and compared the results. According to its analysis, one-eighth to one-third of all weaknesses found are "simple". Furthermore, it found that the tools only detected "simple" implementation errors and did not find vulnerabilities that require a deep understanding of the code and its design. When run on Tomcat, a popular open source project, the tools generated warnings for 26, or 15.4%, of the published vulnerability entries. These statistics are consistent with Gartner's "Application Security: Thinking Starting with Significance". Interestingly, SAST is thought to cover only 10 to 20% of the code base.

Static analysis, also called static code analysis, is a method of debugging a computer program by examining its code without running it. The process provides an understanding of the code structure and helps ensure that the code conforms to the appropriate standards. BLUE uses static analysis to find errors and confirm compliance with coding guidelines. Static analysis allows for faster, error-free coding by parsing the code structure of the token contract and checking that particular symbols are encoded correctly.

The purpose of static analysis here is to automatically check the source code of a smart contract and over-approximate all possible behaviours of the contract. Approximating the semantics of smart contracts adequately can be very difficult, as it requires detailed knowledge of program analysis methods (such as abstract interpretation) and of the blockchain's execution semantics. The payoff is soundness: if the analysis finds no instance of a specific error (such as transaction reordering) it is because that error is absent from every possible execution of the smart contract.
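The soundness argument in the paragraph above, that an over-approximation of all behaviours which contains no error implies the concrete program contains none, is easiest to see with a tiny abstract interpreter. The following is an added example, not code from the article or from any real smart contract analyser: an interval-domain analysis over a minimal statement language (assignments, bounded external inputs, and a loop that runs an unknown number of times, handled with widening). The programs, the 255 cap on a toy "balance" and the statement encoding are constructed for the example. It checks whether the balance can exceed the cap, and shows all three outcomes a practitioner meets: a genuine overflow, a proof of safety, and a false alarm caused by the domain forgetting the correlation between two variables.

```python
import math

INF = math.inf
TOP = (-INF, INF)          # interval for an unknown value


def add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def sub(a, b):
    return (a[0] - b[1], a[1] - b[0])


def join(a, b):
    """Least interval containing both a and b (merge of two program paths)."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Jump to infinity on any bound that keeps growing, so loops terminate."""
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def eval_expr(expr, env):
    kind = expr[0]
    if kind == 'const':
        return (expr[1], expr[1])
    if kind == 'var':
        return env.get(expr[1], TOP)
    if kind == 'input':            # external value known only to lie in [lo, hi]
        return (expr[1], expr[2])
    if kind == 'add':
        return add(eval_expr(expr[1], env), eval_expr(expr[2], env))
    if kind == 'sub':
        return sub(eval_expr(expr[1], env), eval_expr(expr[2], env))
    raise ValueError(kind)


def run(stmts, env):
    """Abstractly execute a statement list; returns the environment after it."""
    env = dict(env)
    for s in stmts:
        if s[0] == 'assign':
            env[s[1]] = eval_expr(s[2], env)
        elif s[0] == 'loop':       # body runs zero or more times
            state = env
            while True:
                after = run(s[1], state)
                merged = {}
                for v in set(state) | set(after):
                    if v in state and v in after:
                        merged[v] = widen(state[v], join(state[v], after[v]))
                    else:
                        merged[v] = state.get(v, after.get(v))
                if merged == state:    # fixpoint: covers every iteration count
                    break
                state = merged
            env = state
    return env


CAP = 255   # constructed: a toy unsigned 8-bit balance


def analyse(program, cap=CAP):
    """Return (interval of 'balance', True if it may exceed the cap)."""
    env = run(program, {})
    balance = env['balance']
    return balance, balance[1] > cap


# (a) unbounded deposits in a loop: a real overflow in some execution
UNBOUNDED = [
    ('assign', 'balance', ('const', 0)),
    ('loop', [
        ('assign', 'amount', ('input', 1, 10)),
        ('assign', 'balance', ('add', ('var', 'balance'), ('var', 'amount'))),
    ]),
]

# (b) two bounded inputs: the analysis proves the cap is never exceeded
BOUNDED = [
    ('assign', 'balance', ('input', 0, 100)),
    ('assign', 'bonus', ('input', 0, 50)),
    ('assign', 'balance', ('add', ('var', 'balance'), ('var', 'bonus'))),
]

# (c) concretely balance is always 200 (x + (200 - x)), but intervals do not
#     track that y depends on x, so the over-approximation raises a false alarm
CORRELATED = [
    ('assign', 'x', ('input', 0, 100)),
    ('assign', 'y', ('sub', ('const', 200), ('var', 'x'))),
    ('assign', 'balance', ('add', ('var', 'x'), ('var', 'y'))),
]

if __name__ == '__main__':
    for name, prog in (('unbounded', UNBOUNDED), ('bounded', BOUNDED), ('correlated', CORRELATED)):
        print(name, analyse(prog))
```

Case (c) is the practical cost of soundness: the analyser never misses an overflow, but it reports some that cannot happen, and a more expressive domain (one that tracks relations between variables) is what removes such alarms rather than weakening the check.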