Breakpoint 2024: Introducing Radar: Extensible Static Analysis for Solana Programs
Discover Radar: The new open-source static analysis tool revolutionizing Solana program security
Solana developers and security enthusiasts, get ready for a game-changing tool that's set to revolutionize how we approach program security. Joe Van Loon, CEO and founder of Auto Wizard, has unveiled Radar – an innovative, open-source static analysis tool designed specifically for Solana programs.
Summary
In his presentation at Breakpoint 2024, Joe Van Loon introduced Radar, a powerful new static analysis tool for Solana programs. Radar stands out from traditional tools by offering an intuitive template engine that allows developers and auditors to easily create custom detectors, making it highly extensible and adaptable to specific project needs.
The tool is designed with user-friendliness in mind, featuring both CLI and server components, and is Docker-based for cross-platform compatibility. Radar can be seamlessly integrated into existing workflows through GitHub actions and command-line interfaces, making it a versatile addition to any Solana developer's toolkit.
One of Radar's most significant innovations is its approach to detector creation. Unlike other static analysis tools that require forking and modifying codebases, Radar allows users to write detectors using simple Python syntax in template form. This approach dramatically lowers the barrier to entry for creating custom security checks and enables rapid testing and iteration.
Key Points:
Introduction to Radar
Radar is an open-source static analysis tool specifically designed for Solana programs. It aims to empower developers and auditors to take security into their own hands by providing an accessible and extensible platform for code analysis. Joe Van Loon, with his extensive background in web2 security engineering at companies like Amazon and Apple, brings a wealth of experience to the development of this tool.
The tool's primary goal is to improve project security by allowing users to easily write their own detectors, making it invaluable for developers, auditors, and anyone concerned with the security of Solana programs. Radar's unique selling point is its ability to be used out of the box as a traditional scanner while also offering the flexibility to define custom detectors via templates.
Ease of Use and Integration
Radar has been designed with user-friendliness and integration in mind. It offers multiple options for use, including a Command Line Interface (CLI) and a server component. The tool is Docker-based, ensuring cross-platform compatibility and ease of installation across different systems.
One of the standout features of Radar is its built-in API microservice, which allows users to build on top of it, creating server applications or custom CLIs to suit their specific needs. This sets Radar apart from other static analysis tools that are typically limited to CLI functionality.
Furthermore, Radar can be easily incorporated into existing workflows through GitHub actions and command-line interfaces. The Radar repository includes pre-configured GitHub actions, allowing users to seamlessly integrate the tool into their development process. This integration enables automatic security checks on pull requests, with results displayed directly in GitHub's security tab for easy triage.
Innovative Detector Creation
Radar takes a novel approach to detector creation, addressing the limitations of traditional static analysis tools. Instead of requiring users to fork and modify codebases to create new detectors, Radar allows for the creation of detectors using simple Python syntax in template form.
This approach significantly lowers the barrier to entry for creating custom security checks. Users can quickly test and iterate on their detectors without needing to understand the intricacies of the tool's engine or go through a lengthy contribution process. The tool provides detailed API documentation and examples to help users get started with creating their own detectors.
Radar also includes a comprehensive library of helper functions that serve as building blocks for detectors. These functions abstract away much of the complexity involved in traversing abstract syntax trees and analyzing code structures, making it easier for users to create sophisticated detectors without deep expertise in static analysis techniques.
Facts + Figures
- Radar is one of Solana's only open-source, free static analysis tools
- The tool features both CLI and server components
- Radar is Docker-based for cross-platform compatibility
- It includes a built-in API microservice for extended functionality
- Radar allows for the creation of custom detectors using simple Python syntax
- The tool can be integrated into workflows via GitHub actions and command-line interfaces
- Radar uses abstract syntax trees (AST) for code analysis, rather than intermediate representations like LLVM IR
- The development team considered creating a domain-specific language (DSL) but opted for Python due to its flexibility and low barrier to entry
- Radar includes a comprehensive library of helper functions to simplify detector creation
Top quotes
- "If you're a developer or auditor, anyone who cares about security, that's the tool for you."
- "We basically built in an API microservice into it, right, and sort of architected a CLI around it."
- "Typically, when you have a static analysis tool, the detectors are defined in code. If you want to extend those detectors, you need to fork the code base."
- "What we decided for Radar is that we would allow you to write essentially templates that you can just load in on the fly."
- "We abstract a lot of that away."
Questions Answered
What is Radar and who created it?
Radar is an open-source static analysis tool for Solana programs, created by Joe Van Loon, the CEO and founder of Auto Wizard. It's designed to improve project security by allowing developers and auditors to easily write their own detectors and analyze Solana programs for potential vulnerabilities. The tool was developed with the goal of empowering developers to take security into their own hands through accessible and extensible code analysis.
How does Radar differ from other static analysis tools?
Radar stands out from other static analysis tools in several ways. Firstly, it offers an intuitive template engine that allows users to define their own detectors using simple Python syntax, without needing to fork or modify the tool's codebase. Additionally, Radar includes both CLI and server components, with a built-in API microservice that enables users to build custom applications on top of it. The tool is also designed for easy integration into existing workflows through GitHub actions and command-line interfaces.
How can developers create custom detectors with Radar?
Developers can create custom detectors in Radar using simple Python syntax in template form. The tool provides a comprehensive library of helper functions that serve as building blocks for detectors, abstracting away much of the complexity involved in traversing abstract syntax trees and analyzing code structures. This approach allows users to quickly test and iterate on their detectors without needing deep expertise in static analysis techniques. Detailed API documentation and examples are provided to help users get started with creating their own detectors.
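The "Innovative Detector Creation" section and the answer above both describe the same idea: a detector is a short Python template built from a helper library that hides the AST traversal, and templates can be loaded into the engine without touching its code. The following is an added example of that pattern and is not Radar's code or API; `Node`, `walk`, `find_nodes`, `public_functions`, `called_names`, `requires_call` and `run_detectors` are hypothetical stand-ins for the kind of helpers the talk mentions, and the sample tree is constructed by hand in place of a parsed Solana program. The rule it encodes (every public handler must call a project-chosen validation function) is only an illustration of a project-specific check.

```python
# Added example: a minimal template-style detector engine over a constructed AST.
# None of this is Radar's API; the names below are hypothetical stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Set


@dataclass
class Node:
    """One AST node: a kind (e.g. "fn", "call", "pub"), optional name, source line, children."""
    kind: str
    name: str = ""
    line: int = 0
    children: List["Node"] = field(default_factory=list)


@dataclass
class Finding:
    detector: str
    message: str
    line: int


# ---- helper library: what a tool would ship so that templates stay short ----
def walk(node: Node) -> Iterator[Node]:
    """Pre-order traversal of the whole tree."""
    yield node
    for child in node.children:
        yield from walk(child)


def find_nodes(node: Node, kind: str) -> List[Node]:
    """All nodes of a given kind below `node` (inclusive)."""
    return [n for n in walk(node) if n.kind == kind]


def public_functions(root: Node) -> List[Node]:
    """Functions carrying a `pub` child node, i.e. the externally reachable handlers."""
    return [fn for fn in find_nodes(root, "fn") if any(c.kind == "pub" for c in fn.children)]


def called_names(fn: Node) -> Set[str]:
    """Names of every call expression inside a function body."""
    return {c.name for c in find_nodes(fn, "call")}


Detector = Callable[[Node], List[Finding]]


# ---- a "template": a few lines of Python parameterised by the project's own rule ----
def requires_call(required: str, detector_name: str) -> Detector:
    """Build a detector that flags public functions which never call `required`."""
    def detect(root: Node) -> List[Finding]:
        return [
            Finding(detector_name, f"public fn `{fn.name}` never calls `{required}`", fn.line)
            for fn in public_functions(root)
            if required not in called_names(fn)
        ]
    return detect


def run_detectors(root: Node, detectors: List[Detector]) -> List[Finding]:
    """Detectors are plain callables loaded on the fly; the engine never changes."""
    findings: List[Finding] = []
    for detector in detectors:
        findings.extend(detector(root))
    return sorted(findings, key=lambda f: f.line)


# ---- constructed sample tree standing in for a parsed program ----
SAMPLE_PROGRAM = Node("module", "example", 1, [
    Node("fn", "deposit", 10, [
        Node("pub"),
        Node("call", "validate_accounts", 12),
        Node("call", "transfer", 14),
    ]),
    Node("fn", "withdraw", 20, [
        Node("pub"),
        Node("call", "transfer", 23),          # no validation call: should be flagged
    ]),
    Node("fn", "helper", 30, [
        Node("call", "transfer", 31),          # private, so not a handler: ignored
    ]),
])


def scan_sample() -> List[Finding]:
    """Run one project-specific template against the constructed tree."""
    return run_detectors(
        SAMPLE_PROGRAM,
        [requires_call("validate_accounts", "missing-account-validation")],
    )


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.detector}: line {f.line}: {f.message}")
```

Because a detector is just a function returning `Finding` objects, a second rule is another call to `requires_call` (or another few-line builder) appended to the list passed to `run_detectors`, which is the "load templates on the fly" property the talk contrasts with forking a tool's codebase.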
What platforms does Radar support?
Radar is designed to be cross-platform compatible. It is Docker-based, which means it can run on any system that supports Docker containers. This includes major operating systems like Windows, macOS, and various Linux distributions. The tool's CLI is essentially a convenience wrapper around the Docker container, ensuring consistent functionality across different platforms.
How can Radar be integrated into existing development workflows?
Radar can be easily integrated into existing development workflows through GitHub actions and command-line interfaces. The Radar repository includes pre-configured GitHub actions that users can plug into their projects. When integrated, Radar can automatically run security checks on pull requests, with the results displayed directly in GitHub's security tab. This allows developers to seamlessly incorporate security analysis into their development process and triage results alongside other security tools.