Merge pull request #89 from trailofbits/basic-theory

add sast and fuzzing info

Author: elopez

content/docs/crypto/_index.md

@@ -13,4 +13,6 @@ For each tool, we cover topics such as:
 - Installation and basic use
 - Provide examples
 
+## Sections
+
 {{< section >}}

content/docs/dynamic-analysis/_index.md

@@ -13,4 +13,6 @@ Here we present several dynamic analysis tools. For each tool, we cover topics s
 - Advanced configuration
 - Usage in continuous integration pipelines
 
+## Sections
+
 {{< section >}}

content/docs/fuzzing/_index.md

@@ -215,3 +215,28 @@ Many techniques can be leveraged when writing harnesses; we discuss these in the
 **Instrumentation runtime:** Instrumentations like [AddressSanitizer]({{% relref 03-asan %}}) or [UndefinedBehaviorSanitizer](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) come with a runtime. A fuzzer must be compatible with the sanitizer for bugs to be detected reliably and feedback implemented efficiently. In memory-safe languages like Go or Rust you are less likely to need sanitizers.
 
 Note, that the two just mentioned sanitizers introduce instrumentation with the goal of finding more bugs. There is also a different class of instrumentations (e.g., [SanitizerCoverage](https://clang.llvm.org/docs/SanitizerCoverage.html)) that provides feedback to the fuzzer during execution. The runtime of the feedback-based instrumentation is usually part of the fuzzer runtime.
+
+## What to fuzz
+
+What type of issues fuzzing can find?
+
+* Crashes and panics
+    * Memory corruption issues: UAFs, integer overflows, undefined behaviors, buffer overflows, memory leaks, etc.
+
+* Invariant violations: business logic bugs
+    * State invariants violations: properties that require stateful fuzzing
+
+* Differentials: cross testing between different implementations of the same functionality
+    * Cross-platform differentials: testing the same code on different architectures
+    * Regressions: between different versions of the same code
+    * Cross-implementation: between different libraries or tools implementing similar functionality
+
+* Broken logical properties
+    * Round-trip: `decode(encode(x)) == x`
+    * Idempotence: `f(f(x)) == f(x)`
+    * Monotonicity: `x < y → f(x) ≤ f(y)`
+    * Identity: `f(x, identity) == x`
+    * Commutativity: `f(x, y) == f(y, x)`
+    * Associativity: `f(f(x, y), z) == f(x, f(y, z))`
+
+* Race conditions

content/docs/static-analysis/_index.md

@@ -12,4 +12,63 @@ This section presents several static analysis tools. For each tool, we cover top
 - Advanced configuration
 - Usage in continuous integration pipelines
 
+## Sections
+
 {{< section >}}
+
+## Basic theory
+
+Below is an overview of techniques implemented in static analysis tools.
+
+Usually, tools support only a subset of the following analyses, with varying degrees of precision and completeness. Knowing what a tool's capabilities are is important in determining its usefulness.
+
+### Views on a code
+
+- Abstract Syntax Tree (AST)
+- Control Flow Graph (CFG)
+- Data Flow Graph (DFG)
+- Call Graph
+- Intermediate Representation (IR)
+- Single Static Assignment Form (SSA)
+- Use-Definition Chain (use-def)
+
+### Analyses
+
+- AST traversal
+- Abstract Interpretation
+  - Constant Propagation
+  - Value Range analysis
+- Data-Flow analysis
+- Train Tracking
+- Control-Flow analysis
+  - Domination relationship
+  - Reachability
+- Hoare logic
+- Model checking
+- Symbolic execution
+  - Concolic execution
+- Type analysis
+- Alias/Pointer/points-to analysis
+- Program slicing
+- Global value numbering
+- Hash consing
+
+### Precision
+
+- Intraprocedural
+  - Flow-sensitivity (order of statements)
+  - Path-sensitivity (conditional branches)
+
+- Interprocedural
+  - Context-sensitivity (Polyvariance)
+    - Call-site
+    - Type
+    - Object
+  - Context-insensitive
+
+### Properties
+
+- Soundness
+- Precision
+- Completeness
+- Execution time

content/docs/web/_index.md

@@ -12,4 +12,6 @@ This section presents web application security tools. For each tool, we cover to
 - Advanced configuration
 - Usage in continuous integration pipelines
 
+## Sections
+
 {{< section >}}

content/docs/web/burp/stepbystep/02-workingmanually/_index.md

@@ -13,4 +13,6 @@ standpoint—you can choose appropriate requests from the **Proxy** tab and try
 For example, requests that reflect user-provided values in the response and API calls that handle authentication
 are worth investigating in this manner. To support yourself with semi-automatic methods, use the following Burp tools.
 
+## Sections
+
 {{< section >}}