Static Analysis of Runtime Pallets
This Request for Proposals is currently considered under development, meaning one or more grants have been signed to address the topic. We might be interested in additional implementations, but itโs better to double check this with the grants team.
- Status: Implemented
- Proposer: Bhargav Bhatt, David Hawig
Project Description ๐โ
Runtime Pallets are modules for writing the business logic of blockchains in Substrate (a Rust framework for building blockchians). These are usually concise pieces of standalone code with relatively few dependencies and clear specifications, hence tractable targets for performing static analysis and verification. We would like to develop tools and techniques to perform static analysis with reasonable soundness guarantees. In particular, we would like to target vunerability classes that are detectable using dataflow analysis techniques like tag analysis and taint analysis. Just to give a flavor, relevant might vulnerabilities include:
- incorrect origin of dispatchable functions.
- unsigned transaction validation.
- tracking bad randomness: ensure bad randomness does not leak into sensitive functions.
- detect panics statically to avoid potential DoS attacks: these include unsafe arithmetic operations, access outside bounds, assertion failures, etc.
- tracking unsanitised input leakage for sensitive functions.
We seek applications that either extend existing static analysers for rust like MIRAI, Prusti, or build Rust front-ends to static analysis engines. Our preliminary feasibility study shows that MIRAI would be a good starting point as it includes a tag analysis framework, however, we are open to other tools and techniques.
Deliverablesโ
The deliverables listed are an initial draft and can be modified taking into consideration the interests of the applicant.
| Number | Deliverable | Specification |
|---|---|---|
| 0a. | License | Apache 2.0 / MIT / Unlicense |
| 0b. | Documentation | A document describing the design decisions for the tool and modeling of vulnerabilities. Clear usage guideline along with the trade-off of different modes if any. |
| 0c. | Testing Guide | Test-suite which exercises various features. |
| 0d. | Article | A brief outreach article describing the high-level technique used and outcomes of the grant, including a sample of minimal examples. |
| 1 | Tool | A robust static analysis tool that works on Substrate runtime pallets and analyses vulnerabilities classes described above. |
| 2 | Engagement | Engage with teams at Web3 Foundation and Parity to prioritise targeting vulnerability classes. |