The Auditor Toolbox =================== > Docker system and Web3 tooling aggregator for Security Researchers <div class="section-divider"><hr class="section-divider"></div> Web3 Tooling has increased over the years. While some significant steps have been made, there's still more progress to be achieved.  ### Why did I build this? A brief introduction Back in the day, as I began my journey in the web3 security space, Secureum included a chapter about [tooling](https://secureum.substack.com/p/audit-techniques-and-tools-101). At that time, I believed it was the holy grail of bug detection. Driven by that excitement, I experimented with various tools, including Trail of Bits tools using the [eth-security-toolbox](https://github.com/trailofbits/eth-security-toolbox). This was a user-friendly Docker machine with all necessary dependencies pre-installed, ensuring an easy setup with zero issues. Plus, it operated in isolation as a container, effectively separating work from personal activities and offering an easily replicable environment. After that, more tools emerged, like Foundry. Unfortunately, some weren't entirely compatible with the eth-security-toolbox. But after some workarounds, I managed to get everything I needed on my system! Wait… is that a blue screen? Oh, god… #### Well… it’s ok… Time to set up everything again! \^~\^ So I had the pleasure of reinstalling everything, which for some unexpected reason, consumed a lot of time. Having to reinstall new tools or to install them in new computers struck me as inefficient. This led me to wonder: > Can I just have an easy to set environment with all set up beforehand? Or at least easy to set without doing research and dealing with bugs? <div class="section-divider"><hr class="section-divider"></div>  ### Auditor Toolbox Features > Link to the [repository](https://github.com/Deivitto/auditor-docker/) #### Base Setup: * **Operating System**: Ubuntu Jammy (22.04) * **Utilities**: Git, Curl/wget, gawk/ripgrep, z3, pandoc, openssh-client, texlive, solidity plugins for Vim, etc. * **Ethereum** dependencies. #### Languages & Frameworks: * **Python**: Version 3.9 * **Rust**: Comprehensive setup with Cargo * **Julia**: Built-in support. * **Noir**: Support for the Noir language (Nargo). * **Circom**: Framework for zkSNARK circuits. #### Web3 Tools for security: It includes not only dependencies but tools from well known companies, developers and contributooors: * **Foundry** as modular toolkit for Ethereum application development written in Rust. It includes: **Forge**, **Anvil**, **Cast**, and **Chisel**. Author Paradigm. * **Halmos** for Symbolic Bounded Model Checker for Ethereum Smart Contracts Bytecode. Author a16z. * **Heimdall** for advanced EVM smart contract toolkit specialized in bytecode analysis. Author Jon-Becker. * **Slither**, **Echidna**, **Medusa Fuzzer**, **Manticore**, and **Etheno**, **solc-select** and **crytic compile**. Author Trail of Bits. * **Extra Slither detectors**, specialized detectors for Slither. Author Pessimistic.io. * **Prover** tool for symbolic analysis. Author Certora. * **Mythril** for smart contract analysis. Author Consensys. * **Spearbit Report Generator**, all needed **dependencies** to use the report generator in Spearbit audits * **Python developer kit**: It includes **Vyper**, **Ape-Vyper**, **Py-solc-x** and **pyevwasm**, can be found in. #### Package Management and Node: * **NVM**: Node Version Manager to switch between different Node.js versions. * **Node**: Long Term Support (LTS) version. * **Package Managers**: **npm**, **yarn**, and **pnpm**.  #### VSCode Extensions: * There is also an option in the installer to install the most common extensions for Security Researchers. Really **useful for beginners or new installations.** #### Custom scripts: * **add2 / add2box:** Shortcut to the installer which will do the whole installation for different tools without leaving the CMD. * **add2-update:** Shorcut to the updater which will sync the scripts and templates folder with the latest version of them in the repo. This is for useful for fixes or to get the installer of a new tool. * **issue:** For bug hunters mostly. Sometimes I was auditing some contest and I prefer to write first the issues locally, then submit them after reviewing all of them. The issue, is that **the templates are different in the platforms, and sometimes you need to log in to get the template**, so why not to run _issue c4_ or _issue sh_ to create a Code4rena or Sherlock issue and open it in your editor instantly? It also have support for Spearbit and Codehawks templates. * **solc-docs --book:** Downloads the latest **solidity lang documentation** and tries to open the pdf file. For more info go to the table with all the [**features**](https://github.com/Deivitto/auditor-docker/wiki/Features) or to the [references](https://github.com/Deivitto/auditor-docker/wiki/References) page in the wiki, where all the links to the packages are included. ### Practical use cases and reasons So I was in some random event talking with [Cryptonicle](https://twitter.com/Cryptonicle1) and [p\_misirov](https://twitter.com/p_misirov) about the idea _“Is it really needed? Would people use it? What should include, what use cases would it have…”._ In my case, it was a totally yes, so I looked for the reasons. * **Core dependencies and tools.** Most of the tools and core dependencies are always installed, dealing with all of them in one installation creates a fast and nice user experience. * **Newbie friendly.** Newcomers won't need extensive research to find invaluable tools. **Simplifying tool adoption for novices facilitates a deeper and faster immersion into the ecosystem**. * **Plug and play,** install it and feel free to start working in less than 10 minutes. You don’t need to bring your computer everywhere you go, you just need any computer and use this docker to have your setup ready for a random contest wherever you are. * **Time. Replication. Portability.** It saves a lot of time not having to configure a system and removes a lot of worry about having issues in one computer as you can go to a secondary one and keep working. * **Capture the Flag.** You can bring it into Capture the Flag competitions as it is fully equipped with standard tools. We can find **compilers and decompilers**, **static analyzers**, **fuzzers**, **symbolic analysis**, **formal verification**… users won’t need to do research for tools and installation, just to find their path to the solution! <div class="section-divider"><hr class="section-divider"></div> ### What Makes an Effective Docker Machine? In my quest to design a high-quality Docker machine, I gathered insights through introspection, discussions, and research: * **Tools**: Packing essential tools and utilities expedites tasks and simplifies installations. This Docker machine's hallmark is its comprehensive bundle that allows for auditing in a complete, testable environment in under 10 minutes. * **Convenience**: Reduces the time and effort required to set up your working environment for audits. * **Flexibility**: The base of the machine is a simple ubuntu 22:04 with a lot of packages installed to ease the configuration of later software that can be used. After that, all comes in the form of installer to install your needs, this installer will be updated with new features but it won’t break any base machine. * **Memory**: Less is more. This is why it's focused in the most commonly used tools to be integrated into the Dockerfile, while niche or memory-intensive tools are kept separate in the installer script. * **Consistency**: The same Docker container will run identically on any machine. It’s the same if you are using Windows, MacOS, or Linux, it should always run the same. * **Open Source**: Being open source allows transparency, easy customization and contributions by the community. * **Isolation**: Containers provide isolation, ensuring that they do not interfere with each other or with the host system. <div class="section-divider"><hr class="section-divider"></div> ### Next Steps * Introduce niche versions tailored for **zero-knowledge**, **formal verification**, **symbolic execution**, etc. * Incorporate a toolkit for **golang** and associated **golang tools**. * Elevate the **user experience**. * Decrease certain installation durations. * Launch a regular **newsletter** detailing the latest advancements. * Regularly **update versions** as years progress. <div class="section-divider"><hr class="section-divider"></div> ### Acknowledgments A big shoutout to [**Cryptonicle**](https://twitter.com/Cryptonicle1) and [**p\_misirov**](https://twitter.com/p_misirov) for their continuous dialogue on potential features for the machine. A hearty thank you to both of them and to [**eugenioclr**](https://twitter.com/eugenioclrc) for their invaluable help in testing and consistently spotting bugs that eluded me. <div class="section-divider"><hr class="section-divider"></div> ### Links and Documentation * [Auditor Docker on GitHub](https://github.com/Deivitto/auditor-docker/) * [References Wiki](https://github.com/Deivitto/auditor-docker/wiki/References) * [Troubleshooting Wiki](https://github.com/Deivitto/auditor-docker/wiki/Troubleshooting) * [Features Wiki](https://github.com/Deivitto/auditor-docker/wiki/Features) * [Official Docker Documentation](https://docs.docker.com/) [View original.](https://medium.com/p/840848d42109) Exported from [Medium](https://medium.com) on August 16, 2023. <style>a{color:#000;}a:hover{color:#5c5c5c;} * { font-family: Roboto, ,Cambria,"Times New Roman",Times,serif; line-height: 1.6; text-rendering: optimizeLegibility; } strong, a {font-weight:500;} /*! CSS Used from: https://cdn-static-1.medium.com/_/fp/css/main-branding-base.HJt032K6kpEVA4YtAumf5A.12.css */ hr{-webkit-box-sizing:content-box;box-sizing:content-box;height:0;} @media print and (color){ *{-webkit-print-color-adjust:exact;print-color-adjust:exact;} } hr.section-divider{display:block;border:0;text-align:center;overflow:visible;} hr.section-divider:before{content:'...';display:inline-block;margin-left:.6em;color:rgba(0,0,0,.68);position:relative;top:-30px;} @media print{ body.postShowScreen *{visibility:hidden;} body.postShowScreen .postArticle-content *{visibility:visible;} } hr.section-divider:before{--x-height-multiplier:0.342;--baseline-multiplier:0.22;font-family:medium-content-slab-serif-font,Georgia,Cambria,"Times New Roman",Times,serif;font-weight:400;font-style:italic;font-size:30px;letter-spacing:.6em;} @media all and (max-width:767px){ hr.section-divider{font-size:24px;line-height:1.4;} } @media print{ hr.section-divider:before{font-size:20.4px;} } hr.section-divider{margin-top:52px;margin-bottom:42px;} @media (max-width:767px){ hr.section-divider{margin-top:44px;margin-bottom:34px;} } hr.section-divider{background: none;} /*! CSS Used fontfaces */ @font-face{font-family:'medium-content-slab-serif-font';font-weight:300;font-style:italic;src:url('https://glyph.medium.com/font/24e0824/0-3j_4g_53_6bu_6c4_6c8_6c9_6cc_6cd_6ci_6cm/marat-sans-300-italic.woff') format('woff');unicode-range:U+0-7F,U+A0,U+B7,U+200A,U+2014,U+2018,U+2019,U+201C,U+201D,U+2022,U+2026;} @font-face{font-family:'medium-content-slab-serif-font';font-weight:300;font-style:italic;src:url('https://glyph.medium.com/font/24e0824/3k-4f_4h-52_54-6bt_6bv-6c3_6c5-6c7_6ca-6cb_6ce-6ch_6cj-6cl_6cn-nvnj/marat-sans-300-italic.woff') format('woff');unicode-range:U+80-9F,U+A1-B6,U+B8-2009,U+200B-2013,U+2015-2017,U+201A-201B,U+201E-2021,U+2023-2025,U+2027-10FFFF;} @font-face{font-family:Cambria;src:local('Arial'),local('Helvetica');unicode-range:U+2500-259F;} </style>