add sast and fuzzing info

Author: GrosQuildu

content/docs/fuzzing/_index.md

@@ -215,3 +215,27 @@ Many techniques can be leveraged when writing harnesses; we discuss these in the
 **Instrumentation runtime:** Instrumentations like [AddressSanitizer]({{% relref 03-asan %}}) or [UndefinedBehaviorSanitizer](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) come with a runtime. A fuzzer must be compatible with the sanitizer for bugs to be detected reliably and feedback implemented efficiently. In memory-safe languages like Go or Rust you are less likely to need sanitizers.
 
 Note, that the two just mentioned sanitizers introduce instrumentation with the goal of finding more bugs. There is also a different class of instrumentations (e.g., [SanitizerCoverage](https://clang.llvm.org/docs/SanitizerCoverage.html)) that provides feedback to the fuzzer during execution. The runtime of the feedback-based instrumentation is usually part of the fuzzer runtime.
+
+## What to fuzz
+
+What type of issues fuzzing can find?
+
+* Crashes and panics
+    * Memory corruption issues: UAFs, integer overflows, undefined behaviors, buffer overflows, memory leaks etc
+
+* Invariant violations: business logic bugs
+    * State invariants violations: properties that require statefull fuzzing
+
+* Differentials: cross testing between different implementations of the same functionality
+    * Cross-platform differentials: testing the same code on different architectures
+    * Regressions: between different versions of the same code
+
+* Broken logical properties
+    * Round-trip: `decode(encode(x)) == x`
+    * Idempotence: `f(f(x)) == f(x)`
+    * Monotonicity: `x < y → f(x) ≤ f(y)`
+    * Identity: `f(x, identity) == x`
+    * Commutativity: `f(x, y) == f(y, x)`
+    * Associativity: `f(f(x, y), z) == f(x, f(y, z))`
+
+* Race conditions

content/docs/static-analysis/_index.md

@@ -13,3 +13,62 @@ This section presents several static analysis tools. For each tool, we cover top
 - Usage in continuous integration pipelines
 
 {{< section >}}
+
+
+## Basic theory
+
+Below is an overview of techniques implemented in static analysis tools.
+
+Usually tools support only a subset of the following analyses, with varying degree of precision and completeness. Knowing what are a tool's capabilities is useful in determining it's usefulness.
+
+### Views on a code
+
+* Abstract Syntax Tree (AST)
+* Control Flow Graph (CFG)
+* Data Flow Graph (DFG)
+* Call Graph
+* Intermediate Representation (IR)
+* Single Static Assignment Form (SSA)
+* Use-Definition Chain (use-def)
+
+### Analyses
+
+* AST traversal
+* Abstract Interpretation
+    * Constant Propagation
+    * Value Range analysis
+* Data-Flow analysis
+* Train Tracking
+* Control-Flow analysis
+    * Domination relationship
+    * Reachability
+* Hoare logic
+* Model checking
+* Symbolic execution
+    * Concolic execution
+* Type analysis
+* Alias/Pointer/points-to analysis
+* Program slicing
+* Global value numbering
+* Hash consing
+
+### Precision
+
+* Intraprocedural
+    * Flow-sensitivity (order of statements)
+    * Path-sensitivity (conditional branches)
+
+* Interprocedural
+    * Context-sensitivity (Polyvariance)
+        * Call-site
+        * Type
+        * Object
+    * Context-insensitive
+
+
+### Properties
+
+* Soundness
+* Precision
+* Completness
+* Execution time