miesc 4.3.2__tar.gz

miesc-4.3.2/.dockerignore

@@ -0,0 +1,51 @@
+# Recordings and large media files
+demo/recordings/
+*.mp4
+*.gif
+*.wav
+*.aiff
+*.cast
+
+# Development files
+.git
+.github
+.vscode
+.idea
+*.egg-info
+__pycache__
+*.pyc
+*.pyo
+.pytest_cache
+.coverage
+htmlcov
+.tox
+.nox
+dist
+build
+*.egg
+
+# Virtual environments
+venv/
+venv314/
+.venv/
+
+# Thesis and documentation builds
+thesis_generator/
+docs/
+*.docx
+*.pdf
+
+# Test artifacts
+.benchmarks/
+benchmarks/datasets/
+
+# IDE and OS files
+.DS_Store
+*.swp
+*.swo
+Thumbs.db
+
+# Misc
+*.log
+*.tmp
+node_modules/

miesc-4.3.2/.env.example

@@ -0,0 +1,108 @@
+# ============================================================================
+# MIESC Environment Configuration (v3.3.0)
+# ============================================================================
+# Copy this file to .env and fill in your actual values:
+#   cp .env.example .env
+#
+# IMPORTANT: Never commit .env to version control!
+# ============================================================================
+
+# ============================================================================
+# AI/LLM Configuration
+# ============================================================================
+
+# OpenAI API (Required for AI correlation with GPT-4o)
+# Get your key at: https://platform.openai.com/api-keys
+OPENAI_API_KEY=your_openai_api_key_here
+
+# OpenAI Model Selection
+# OPENAI_MODEL=gpt-4o
+# OPENAI_TEMPERATURE=0.2
+# OPENAI_MAX_TOKENS=2000
+
+# Anthropic Claude API (Optional, for Claude-based correlation)
+# Get your key at: https://console.anthropic.com/
+# ANTHROPIC_API_KEY=sk-ant-your-anthropic-key-here
+# ANTHROPIC_MODEL=claude-3-5-sonnet-20241022
+
+# Local LLM Configuration (Optional, for self-hosted models)
+# LOCAL_LLM_ENABLED=false
+# LOCAL_LLM_ENDPOINT=http://localhost:11434/api/generate
+# LOCAL_LLM_MODEL=llama3.1:70b
+
+# HuggingFace API Key (Optional for SmartLLM)
+# HUGGINGFACE_API_KEY=your_huggingface_api_key_here
+
+# ============================================================================
+# Tool Configuration
+# ============================================================================
+
+# Slither Configuration
+# SLITHER_TIMEOUT=60
+# SLITHER_DETECTORS=all
+
+# Mythril Configuration
+# MYTHRIL_TIMEOUT=120
+# MYTHRIL_MAX_DEPTH=22
+
+# ============================================================================
+# MCP REST API Configuration
+# ============================================================================
+
+# MCP Server Settings
+# MCP_HOST=0.0.0.0
+# MCP_PORT=5001
+# MCP_DEBUG=false
+# MCP_LOG_LEVEL=INFO
+# MCP_MESSAGE_HISTORY_LIMIT=1000
+
+# API Authentication (Optional, for production)
+# MCP_API_KEY=your-secret-api-key-here
+# MCP_ENABLE_AUTH=false
+
+# ============================================================================
+# Output & Reporting
+# ============================================================================
+
+# Report Output Directory
+# REPORT_OUTPUT_DIR=analysis/reports
+# REPORT_FORMATS=json,markdown
+
+# ============================================================================
+# Logging Configuration
+# ============================================================================
+
+# Log Level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
+# LOG_LEVEL=INFO
+# LOG_FILE=logs/miesc.log
+
+# ============================================================================
+# Development & Testing
+# ============================================================================
+
+# Development Mode
+# DEV_MODE=false
+# ENABLE_PROFILING=false
+
+# ============================================================================
+# External Services (Optional)
+# ============================================================================
+
+# Etherscan API (for fetching verified contracts)
+# ETHERSCAN_API_KEY=your-etherscan-key-here
+
+# Slack Notifications (Optional)
+# SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
+# SLACK_ENABLED=false
+
+# ============================================================================
+# Notes
+# ============================================================================
+#
+# 1. Copy this file: cp .env.example .env
+# 2. Fill in your API keys and credentials
+# 3. Never commit .env to Git (it's in .gitignore)
+# 4. Load variables: export $(cat .env | xargs)
+# 5. Verify: python scripts/check_env.py
+#
+# ============================================================================

miesc-4.3.2/.gitattributes

@@ -0,0 +1,51 @@
+# GitHub Linguist Configuration
+# This file tells GitHub how to detect languages in the repository
+
+# Mark documentation directories - exclude from language stats
+docs/** linguist-documentation
+thesis/** linguist-documentation
+*.md linguist-documentation
+
+# Mark vendored/generated code - exclude from language stats
+venv/** linguist-vendored
+node_modules/** linguist-vendored
+*.min.js linguist-vendored
+*.min.css linguist-vendored
+
+# Website assets - mark as documentation (GitHub Pages site)
+css/** linguist-documentation=false
+js/** linguist-documentation=false
+pages/** linguist-documentation=false
+index.html linguist-documentation=false
+
+# Explicitly mark smart contract languages
+*.sol linguist-language=Solidity
+*.vy linguist-language=Vyper
+*.rs linguist-language=Rust
+*.cairo linguist-language=Cairo
+*.move linguist-language=Move
+
+# Mark Python as primary language
+*.py linguist-language=Python
+
+# Mark shell scripts
+*.sh linguist-language=Shell
+
+# Mark configuration files appropriately
+*.toml linguist-language=TOML
+*.yml linguist-language=YAML
+*.yaml linguist-language=YAML
+*.json linguist-language=JSON
+
+# Exclude analysis outputs and data files from stats
+output/** linguist-generated
+outputs/** linguist-generated
+analysis/** linguist-generated
+data/** linguist-generated
+
+# Exclude test contracts that are intentionally vulnerable
+vulnerable_contracts/** linguist-documentation
+examples/** linguist-documentation=false
+
+# Video assets - exclude from stats
+video_assets/** linguist-documentation

miesc-4.3.2/.pre-commit-config.yaml

@@ -0,0 +1,140 @@
+# Pre-commit hooks configuration for MIESC
+# Implements Shift-Left Security by running checks before commits
+#
+# Installation:
+#   pip install pre-commit
+#   pre-commit install
+#
+# Usage:
+#   pre-commit run --all-files  # Run all hooks manually
+#   git commit -m "message"      # Hooks run automatically
+
+repos:
+  # Code Formatting
+  - repo: https://github.com/psf/black
+    rev: 24.1.1
+    hooks:
+      - id: black
+        name: Black Code Formatter
+        language_version: python3.9
+        args: ['--line-length=100']
+
+  # Fast Linting (Ruff)
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.1.14
+    hooks:
+      - id: ruff
+        name: Ruff Linter
+        args: ['--fix', '--exit-non-zero-on-fix']
+
+  # Traditional Linting (Flake8)
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.0.0
+    hooks:
+      - id: flake8
+        name: Flake8 Style Checker
+        args: ['--max-line-length=100', '--ignore=E203,W503']
+
+  # Security Scanning (Bandit)
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        name: Bandit Security Scanner
+        args: ['-r', 'src/', '-ll']  # Low-level severity
+        exclude: ^tests/
+
+  # Secret Scanning
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.4.0
+    hooks:
+      - id: detect-secrets
+        name: Detect Hardcoded Secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: tests/
+
+  # YAML Validation
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-yaml
+        name: Check YAML Syntax
+      - id: check-json
+        name: Check JSON Syntax
+      - id: check-toml
+        name: Check TOML Syntax
+      - id: end-of-file-fixer
+        name: Fix End of Files
+      - id: trailing-whitespace
+        name: Trim Trailing Whitespace
+      - id: check-added-large-files
+        name: Check for Large Files
+        args: ['--maxkb=1000']
+      - id: check-merge-conflict
+        name: Check for Merge Conflicts
+      - id: check-case-conflict
+        name: Check for Case Conflicts
+
+  # Python-specific checks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-ast
+        name: Check Python AST
+      - id: check-docstring-first
+        name: Check Docstring First
+      - id: debug-statements
+        name: Check for Debug Statements
+      - id: name-tests-test
+        name: Check Test Naming
+        args: ['--pytest-test-first']
+
+  # Type Checking (MyPy)
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.8.0
+    hooks:
+      - id: mypy
+        name: MyPy Type Checker
+        args: ['--ignore-missing-imports', '--show-error-codes']
+        additional_dependencies:
+          - 'types-requests'
+          - 'types-PyYAML'
+          - 'types-click'
+        exclude: ^tests/
+
+  # Markdown Linting
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.38.0
+    hooks:
+      - id: markdownlint
+        name: Markdown Linter
+        args: ['--fix']
+
+  # Commit Message Validation
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v3.13.0
+    hooks:
+      - id: commitizen
+        name: Check Commit Message Format
+        stages: [commit-msg]
+
+# Configuration
+default_language_version:
+  python: python3.9
+
+fail_fast: false  # Run all hooks even if one fails
+minimum_pre_commit_version: '3.0.0'
+
+# Exclude patterns
+exclude: |
+  (?x)^(
+      venv/|
+      .venv/|
+      __pycache__/|
+      \.git/|
+      \.pytest_cache/|
+      \.mypy_cache/|
+      build/|
+      dist/|
+      \.egg-info/
+  )

miesc-4.3.2/.pre-commit-hooks.yaml

@@ -0,0 +1,56 @@
+# MIESC Pre-commit Hooks
+# These hooks allow users to integrate MIESC security scanning into their projects
+#
+# Usage in your project's .pre-commit-config.yaml:
+#
+#   repos:
+#     - repo: https://github.com/fboiero/MIESC
+#       rev: v4.2.2
+#       hooks:
+#         - id: miesc-quick
+#           args: ['--fail-on', 'high,critical']
+#
+# For more information: https://github.com/fboiero/MIESC
+
+- id: miesc-quick
+  name: MIESC Quick Security Scan
+  description: Run quick security scan on Solidity contracts (4 tools, ~30s)
+  entry: python -m miesc audit quick
+  language: python
+  files: \.sol$
+  types: [file]
+  pass_filenames: true
+  require_serial: false
+  additional_dependencies: ['miesc>=4.2.2']
+
+- id: miesc-full
+  name: MIESC Full Security Audit
+  description: Run comprehensive 9-layer security audit (all tools)
+  entry: python -m miesc audit full
+  language: python
+  files: \.sol$
+  types: [file]
+  pass_filenames: true
+  require_serial: true
+  stages: [manual]
+  additional_dependencies: ['miesc>=4.2.2']
+
+- id: miesc-layer
+  name: MIESC Single Layer Scan
+  description: Run specific layer analysis
+  entry: python -m miesc audit layer 1
+  language: python
+  files: \.sol$
+  types: [file]
+  pass_filenames: true
+  additional_dependencies: ['miesc>=4.2.2']
+
+- id: miesc-ci
+  name: MIESC CI Mode
+  description: Security scan with CI-friendly output (exit code on issues)
+  entry: python -m miesc audit quick --ci
+  language: python
+  files: \.sol$
+  types: [file]
+  pass_filenames: true
+  additional_dependencies: ['miesc>=4.2.2']

miesc-4.3.2/.secrets.baseline

@@ -0,0 +1 @@
+{"version": "1.4.0", "plugins_used": [], "results": {}}

miesc-4.3.2/CHANGELOG.md

@@ -0,0 +1,226 @@
+# Changelog
+
+All notable changes to MIESC will be documented in this file.
+
+Format based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [4.2.1] - 2024-12-23
+
+### Added
+
+#### Scientific Benchmark Validation (SmartBugs Curated)
+- **Comprehensive multi-tool benchmark** against SmartBugs Curated dataset (143 contracts)
+- Benchmark runner script (`benchmarks/run_benchmark.py`) for reproducible validation
+- Detailed results in `benchmarks/results/` JSON format
+
+#### Benchmark Results Summary
+| Tool | Layer | Recall | F1-Score | Notes |
+|------|-------|--------|----------|-------|
+| Slither | 1 | 84.3% | 80.0% | +27.3% vs SmartBugs 2020 paper |
+| SmartBugsDetector | 2 | 100% | - | Pattern-based, no compilation |
+| Mythril | 3 | - | - | 6 findings with SWC codes |
+
+#### Per-Category Detection Rates (Slither)
+- Unchecked low-level calls: 100%
+- Front running: 100%
+- Arithmetic overflow: 93.3%
+- Bad randomness: 87.5%
+- Access control: 86.7%
+- Reentrancy: 73.3%
+- Time manipulation: 60.0%
+- Denial of service: 50.0%
+
+#### New Adapters
+- **SmartGuard Adapter** - ML-based vulnerability prediction
+- **LLMBugScanner Adapter** - GPT-4o powered vulnerability detection
+- **ZK Circuit Adapter** - Zero-knowledge proof circuit validation
+- **CrossChain Adapter** - Bridge and cross-chain security analysis
+
+#### Slither Adapter Improvements
+- Legacy Solidity support (0.4.x - 0.5.x) with `--compile-force-framework solc`
+- Automatic solc-select integration for version management
+- Improved IR generation handling for complex legacy patterns
+
+### Changed
+- Updated version to 4.2.1
+- Enhanced adapter error handling for legacy contracts
+- Improved benchmark reproducibility with JSON result export
+
+### Documentation
+- Added benchmark methodology documentation
+- Scientific comparison with literature (SmartBugs 2020, Empirical Review 2020)
+- Multi-tool strategy recommendations
+
+---
+
+## [4.1.0] - 2024-12-09
+
+### Added
+
+#### New Security Layers (post-thesis extension)
+- **Layer 8: DeFi Security Analysis** - First open-source DeFi vulnerability detectors
+  - Flash loan attack detection (callback validation, repayment verification)
+  - Oracle manipulation detection (spot price vs TWAP)
+  - Sandwich attack detection (zero slippage, missing deadlines)
+  - MEV exposure analysis (liquidation front-running)
+  - Price manipulation detection (reserve ratio vulnerabilities)
+
+- **Layer 9: Dependency Security Analysis** - Supply chain security
+  - OpenZeppelin CVE database integration (CVE-2022-35961, etc.)
+  - Vulnerable version detection with semantic versioning
+  - Dangerous pattern detection (tx.origin, selfdestruct, delegatecall, ecrecover)
+  - Third-party library vulnerability scanning (Uniswap, Compound)
+
+#### API Enhancements
+- SSE (Server-Sent Events) streaming endpoint `/mcp/stream/audit`
+- DeFi-specific analysis endpoint `/mcp/defi/analyze`
+- Real-time layer-by-layer progress updates
+
+#### Scientific Validation
+- **SmartBugs benchmark integration** (143 contracts, 207 vulnerabilities)
+  - 50.22% recall (outperforms individual tools)
+  - 87.5% recall on reentrancy vulnerabilities
+  - 89.3% recall on unchecked low-level calls
+- Automated evaluation script with metrics calculation
+- Scientific report generation for thesis
+
+#### Performance Benchmarks
+- Scalability benchmarks demonstrating 346 contracts/minute
+- 3.53x parallel speedup with 4 workers
+- Memory-efficient analysis (< 5 MB per contract)
+
+### Changed
+- Updated MCP REST API to version 4.1.0
+- Improved Solidity version auto-detection for legacy contracts (0.4.x - 0.8.x)
+- Enhanced error handling in tool adapters
+- Architecture extended from 7 to 9 layers (Layers 8-9 are post-thesis work)
+
+### Fixed
+- Foundry.toml interference with Slither analysis on SmartBugs dataset
+- Solc version selection for legacy contracts
+
+---
+
+## [Unreleased]
+
+### Added
+- **DPGA Application Submitted** (December 5, 2025)
+  - Application ID: GID0092948
+  - Status: Under Review
+  - Contact: Bolaji Ayodeji (DPG Evangelist)
+  - Expected review period: 4-8 weeks
+- Complete DPG compliance documentation package
+- DPGA Application Responses CSV for reference
+
+## [4.0.0] - 2025-01-14
+
+### Added
+- **PropertyGPT** (Layer 4 - Formal Verification): Automated CVL property generation
+  - 80% recall on ground-truth Certora properties
+  - Increases formal verification adoption from 5% to 40% (+700%)
+  - Based on NDSS 2025 paper (arXiv:2405.02580)
+- **DA-GNN** (Layer 6 - ML Detection): Graph Neural Network-based vulnerability detection
+  - 95.7% accuracy with 4.3% false positive rate
+  - Control-flow + data-flow graph representation
+  - Based on Computer Networks (ScienceDirect, Feb 2024)
+- **SmartLLM RAG + Verificator** (Layer 5 - AI Analysis): Enhanced AI-powered analysis
+  - Retrieval-Augmented Generation with ERC-20/721/1155 knowledge base
+  - Multi-stage pipeline: Generator → Verificator → Consensus
+  - Precision improved from 75% to 88% (+17%), FP rate reduced by 52%
+  - Based on arXiv:2502.13167 (Feb 2025)
+- **DogeFuzz** (Layer 2 - Dynamic Testing): Coverage-guided fuzzer with hybrid execution
+  - AFL-style power scheduling algorithm
+  - 85% code coverage, 3x faster than Echidna
+  - Parallel execution with 4 workers
+  - Based on arXiv:2409.01788 (Sep 2024)
+- Certora adapter (formal verification integration)
+- Halmos adapter (symbolic testing for Foundry)
+- DAG-NN adapter (graph neural network detection)
+
+### Changed
+- Increased tool count from 22 to 25 adapters (+13.6%)
+- Precision: 89.47% → 94.5% (+5.03pp)
+- Recall: 86.2% → 92.8% (+6.6pp)
+- False Positive Rate: 10.53% → 5.5% (-48%)
+- Detection Coverage: 85% → 96% (+11pp)
+- Restructured repository to UNIX/OSS conventions
+- Updated README with comprehensive "What's New in v4.0" section
+- Improved scientific rigor in documentation
+
+### Research Papers Integrated
+- NDSS Symposium 2025: PropertyGPT for automated property generation
+- Computer Networks 2024: DA-GNN for graph-based vulnerability detection
+- arXiv 2025: SmartLLM with RAG and Verificator enhancements
+- arXiv 2024: DogeFuzz coverage-guided fuzzing
+
+## [3.5.0] - 2025-01-13
+
+### Added
+- OpenLLaMA local LLM integration for AI-assisted analysis
+- Aderyn adapter (Rust-based static analyzer)
+- Medusa adapter (coverage-guided fuzzer)
+- AI enhancement for Layers 3-4 (symbolic execution, formal verification)
+- SmartLLM, GPTScan, LLM-SmartAudit adapters
+- SMTChecker adapter (built-in Solidity verification)
+- Wake adapter (Python development framework)
+- 117 unit and integration tests
+- CI/CD workflow with automated tool installation
+- Complete adapter documentation
+
+### Changed
+- Increased tool count from 15 to 17
+- Improved test coverage to 87.5%
+- Enhanced DPGA compliance (100% maintained)
+
+## [3.4.0] - 2025-11-08
+
+### Added
+- Aderyn and Medusa adapters
+- 17 security tool integrations
+
+### Changed
+- Test suite expanded to 117 tests
+
+## [2.2.0] - 2024-10-XX
+
+### Added
+- 15 security tool integrations
+- AI-assisted triage (GPT-4, Llama)
+- PolicyAgent v2.2 (12 compliance standards)
+- Model Context Protocol (MCP) architecture
+- 30 regression tests
+- Comprehensive documentation
+
+## [2.1.0] - 2024-09-XX
+
+### Added
+- Multi-agent architecture
+- Initial MCP integration
+- Compliance mapping framework
+
+## [2.0.0] - 2024-08-XX
+
+### Added
+- Complete framework rewrite
+- 7-layer defense architecture
+- Initial tool adapters (10)
+
+## [1.0.0] - 2024-06-XX
+
+### Added
+- Initial proof-of-concept
+- Basic Slither and Mythril integration
+
+---
+
+[Unreleased]: https://github.com/fboiero/MIESC/compare/v4.2.1...HEAD
+[4.2.1]: https://github.com/fboiero/MIESC/compare/v4.1.0...v4.2.1
+[4.1.0]: https://github.com/fboiero/MIESC/compare/v4.0.0...v4.1.0
+[4.0.0]: https://github.com/fboiero/MIESC/compare/v3.5.0...v4.0.0
+[3.5.0]: https://github.com/fboiero/MIESC/compare/v3.4.0...v3.5.0
+[3.4.0]: https://github.com/fboiero/MIESC/compare/v2.2.0...v3.4.0
+[2.2.0]: https://github.com/fboiero/MIESC/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/fboiero/MIESC/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/fboiero/MIESC/compare/v1.0.0...v2.0.0
+[1.0.0]: https://github.com/fboiero/MIESC/releases/tag/v1.0.0