eth-security-toolbox's Introduction

Ethereum Security Toolbox

This repository contains scripts to create a Docker container preinstalled and preconfigured with all of Trail of Bits’ Ethereum security tools, including:

Other useful tools developed by third parties are also included:

  • Foundry, a toolkit for Ethereum app development
  • Vyper, a Pythonic Smart Contract language for the EVM
  • n, a Node version manager
  • npm and Yarn
  • Python

Quickstart

Use our prebuilt Docker container to quickly install and run the toolkit:

docker pull ghcr.io/trailofbits/eth-security-toolbox:nightly
docker run -it ghcr.io/trailofbits/eth-security-toolbox:nightly

Alternatively, build the image from scratch:

git clone https://github.com/trailofbits/eth-security-toolbox.git
cd eth-security-toolbox
docker build -t eth-security-toolbox .

Usage

Simply start an instance of the Docker container:

docker run -it ghcr.io/trailofbits/eth-security-toolbox:nightly

Several Solidity versions are preinstalled via solc-select. By default, solc corresponds to the latest release. This can be changed using the solc-select tool:

$ solc --version
solc, the solidity compiler commandline interface
Version: 0.8.22+commit.4fc1097e.Linux.g++
$ solc-select use 0.4.26
$ solc --version
solc, the solidity compiler commandline interface
Version: 0.4.26+commit.4563c3fc.Linux.g++

You can also view the installed versions and install new ones:

$ solc-select versions
0.8.22 (current, set by /home/ethsec/.solc-select/global-version)
0.7.6
0.6.12
0.5.17
0.4.26
$ solc-select install 0.8.0
Installing solc '0.8.0'...
Version '0.8.0' installed.
$ solc-select use 0.8.0
Switched global version to 0.8.0
$ solc --version
solc, the solidity compiler commandline interface
Version: 0.8.0+commit.c7dfd78e.Linux.g++
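Because solc-select sets a single global version, an analysis run picks up whatever was selected last. The following script, added here as an example and not part of the toolbox itself, reads the version named in a contract's pragma, installs and selects that solc with solc-select if needed, and only then runs slither; it assumes solc-select and slither are on PATH as they are inside the container.

```shell
#!/bin/sh
# Added example (not from the eth-security-toolbox README): select the solc
# release a contract asks for before analysing it, instead of trusting the
# current global solc-select setting. Assumes solc-select and slither on PATH.

# Print the first x.y.z version on the file's `pragma solidity` line, e.g.
# "0.4.26" for `pragma solidity ^0.4.26;` or `pragma solidity >=0.4.26 <0.9.0;`.
# Prints nothing when the file has no pragma line.
pragma_version() {
    sed -n 's/^[[:space:]]*pragma[[:space:]][[:space:]]*solidity[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' "$1" \
        | head -n 1
}

# True when `solc-select versions` already lists version $1.
solc_installed() {
    solc-select versions 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}

# Select (installing first if necessary) the solc matching $1, then run slither.
analyse_contract() {
    file="$1"
    ver="$(pragma_version "$file")"
    if [ -z "$ver" ]; then
        echo "no 'pragma solidity' line found in $file" >&2
        return 1
    fi
    solc_installed "$ver" || solc-select install "$ver"
    solc-select use "$ver"
    slither "$file"
}

# Usage inside the container: ./solc_for_contract.sh contracts/Token.sol
if [ $# -gt 0 ]; then
    analyse_contract "$1"
fi
```

The pragma parser only honours the first lower bound it finds; a file with several pragma lines or a floating range still gets the oldest matching release, which is what a reviewer usually wants for reproducing a compile.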

The toolbox comes preinstalled with an LTS version of Node and with n, the Node version manager. You can install other versions of Node if needed by using n; refer to the n project's website for further instructions.

$ sudo n 14
  installing : node-v14.21.3
       mkdir : /usr/local/n/versions/node/14.21.3
       fetch : https://nodejs.org/dist/v14.21.3/node-v14.21.3-linux-arm64.tar.gz
     copying : node/14.21.3
   installed : v14.21.3 (with npm 6.14.18)
$ node --version
v14.21.3

Getting Help

Feel free to stop by our Slack channel for help on using or extending this toolbox.

License

The Ethereum Security Toolbox is licensed and distributed under the AGPLv3 license. Contact us if you’re looking for an exception to the terms.

eth-security-toolbox's Issues

Break up monolithic image into images targeting solc versions

The eth-security-toolbox image is nearly 3GB. That is a lot of data to download, when you're looking to run slither against one specific version of solc. I would like to propose that each version of solc get its own eth-security-toolbox tag.

I could create a driver script, which iterates through solc_releases (a la install_solc.sh), but executes docker build instead. However, I am unclear how you want resulting images to be pushed. Is there a CI tool automatically building images for the project?

  1. Modify dockerfile, so only 1 version of solc is installed per build
    • ensure the installed version is the global default, set by solc-select
  2. Create driver script, which runs docker build --tag trailofbits/eth-security-toolbox:solc-$VERSION
  3. Push the resulting image to hub.docker.com?

etheno does not work

I've installed the latest version of the trailofbits/eth-security-toolbox docker image, but the etheno command fails.

ethsec@bbdbd6fa2619:~$ etheno
Traceback (most recent call last):
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 573, in _build_master
    ws.require(__requires__)
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 891, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 782, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (eth-utils 2.0.0 (/home/ethsec/.local/lib/python3.6/site-packages), Requirement.parse('eth-utils<2.0.0,>=1.9.5'), {'web3'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ethsec/.local/bin/etheno", line 33, in <module>
    sys.exit(load_entry_point('etheno==0.2.4', 'console_scripts', 'etheno')())
  File "/home/ethsec/.local/bin/etheno", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/home/ethsec/.local/lib/python3.6/site-packages/importlib_metadata/__init__.py", line 194, in load
    module = import_module(match.group('module'))
  File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 941, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/ethsec/.local/lib/python3.6/site-packages/etheno/__init__.py", line 1, in <module>
    from .etheno import Etheno, EthenoPlugin
  File "/home/ethsec/.local/lib/python3.6/site-packages/etheno/etheno.py", line 1, in <module>
    import pkg_resources
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3266, in <module>
    @_call_aside
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3241, in _call_aside
    f(*args, **kwargs)
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3279, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 575, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 588, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/home/ethsec/.local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 777, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'rlp<3,>=1.0.0' distribution was not found and is required by eth-account

Best regards

Slither fails to execute in latest docker tag

I cannot run slither with the latest docker tag of eth-security-toolbox. It appears npx is missing from the image. Current fix: manually running sudo npm install -g npx.

I am not sure what changed; our project used to work fine, but now requires this manual step in between.

  • Steps to reproduce:
    1. start eth-security-toolbox with mounted project
      docker run -it -d -v /path/to/project:/share trailofbits/eth-security-toolbox
    2. cd into project repository (cd /share)
    3. run slither .
  • Expected output:
    • Slither code analysis.
  • Actual output:
INFO:Slither:'npx [email protected] compile' running (use --truffle-version [email protected] to use specific version)
ERROR:root:Error in .
ERROR:root:Traceback (most recent call last):
  File "/home/ethsec/.local/lib/python3.6/site-packages/slither/__main__.py", line 554, in main_impl
    (results, number_contracts) = process(filename, args, detector_classes, printer_classes)
  File "/home/ethsec/.local/lib/python3.6/site-packages/slither/__main__.py", line 57, in process
    triage_mode=args.triage_mode)
  File "/home/ethsec/.local/lib/python3.6/site-packages/slither/slither.py", line 58, in __init__
    kwargs.get('truffle_version', None))
  File "/home/ethsec/.local/lib/python3.6/site-packages/slither/slither.py", line 142, in _init_from_truffle
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.6/subprocess.py", line 1344, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'npx': 'npx'

Tag docker image with version

Hey guys, it would be great if you could tag the docker image in the registry with a specific version. Currently, only the latest tag is available, and this can cause CIs to break, as we cannot select a certain version.

Fix automated build

Our automated docker build has been broken for some time. We should fix it, and/or consider moving to the GitHub package registry.

New slither version

Please can you publish the latest docker image with slither 6.14?

kind regards

Adding new solc versions

Could you please add the latest solc versions >=0.5.14 that set the default EVM version to "Istanbul" ?

Echidna doesn't work

Running echidna-test in the container outputs Killed regardless of the input options.

  • Docker version: v20.10.6
  • OS: macOS 11.2.3
  • Processor: Apple M1
  • Image ID: 2ad73f16de91

Can't run slither from docker image without interactive mode

Hi! As the title states, running the command:

docker run -v $(pwd):/tmp -w /tmp trailofbits/eth-security-toolbox slither contracts/manifold/lazyclaim/ERC721LazyClaim.sol

gives the error:

/home/ethsec/.local/bin/slither: line 4: import: command not found
/home/ethsec/.local/bin/slither: line 5: import: command not found
/home/ethsec/.local/bin/slither: line 7: from: command not found
/home/ethsec/.local/bin/slither: slither: line 10: syntax error near unexpected token `('
/home/ethsec/.local/bin/slither: slither: line 10: `    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])'

The command runs in docker's interactive mode (using the flag -it), but I want to run slither directly from a script.

Fix npm/npx support from the docker

Task Description

npm install/ npx are not working correctly from the docker:

$ npx [email protected] version
Error: EACCES: permission denied, mkdir '/home/ethsec/.npm/_npx'

It is the same for an npm install:

Unhandled rejection Error: EACCES: permission denied, mkdir '/home/ethsec/.npm/_cacache'

We need to fix it. It is preventing Slither from running correctly with truffle: #9

Acceptance criteria

  • npx [email protected] version can run from the docker
  • npm install can run from the docker
  • Issue #9 is fixed

Required Skills

  • Docker experience

Feel free to ask questions here, or join our slack (#ethereum)

Slither fails to execute in latest docker tag

I cannot run slither with the latest docker tag of eth-security-toolbox. After #8 was fixed, it now seems slither was "not compiled correctly".
This time, I have no idea how to provide a workaround.

  • Steps to reproduce:
    1. start eth-security-toolbox with mounted project
      docker run -it -d -v /path/to/project:/share trailofbits/eth-security-toolbox
    2. cd into project repository (cd /share)
    3. run slither .
  • Expected output:
    • Slither code analysis.
  • Actual output:
ERROR:Slither:Invalid compilation
ERROR:Slither:Solidity version not found ['']

Docker image:

Using default tag: latest
latest: Pulling from trailofbits/eth-security-toolbox
Digest: sha256:38cde2135b8446a8e98d719543ff6647765352937f042d6608d50b88d3bf44b9
Status: Image is up to date for trailofbits/eth-security-toolbox:latest

M1 Support

Please add a linux/arm64 docker build to support M1 chips.

Offer slimmer docker image options

The current latest image clocks in at nearly 14 gigs, making it one of the most gigantic images I've come across, and not really something I want to bring into a CI/CD pipeline. Could you offer some other tags that might have fewer tools/versions of solidity installed?