Octopus is a security analysis framework designed for WebAssembly modules and blockchain smart contracts. It provides tools for disassembling bytecode, performing control flow and call flow analysis, converting to Static Single Assignment (SSA) form, and symbolic execution. The framework supports WebAssembly, Bitcoin, Ethereum (EVM and eWasm), EOS, and NEO.

How It Works

Octopus employs a multi-platform approach, leveraging specific parsers and analyzers for each supported architecture. It generates Control Flow Graphs (CFGs) and Call Flow Graphs to visualize program structure and function interactions. For deeper analysis, it utilizes symbolic execution with the Z3 solver to explore program paths and identify potential vulnerabilities.

Quick Start & Requirements

• Installation: Install system dependencies (python-pip, graphviz, xdg-utils) and then install Octopus via pip3 install octopus or by cloning the repository and running python3 setup.py install.
• Requirements: Python >= 3.5 (ideally 3.6), Linux (Ubuntu 16.04 recommended), graphviz, requests, z3-solver, wasm.
• Docker: A Docker image is available: docker pull smartbugs/octopus and docker run -it smartbugs/octopus.
• Documentation: Examples are provided within the repository.

Highlighted Details

• Supports analysis of WebAssembly, Bitcoin, Ethereum (EVM/eWasm), EOS, and NEO.
• Features include disassemblers, CFG/Call Flow graph generation, and symbolic execution.
• Includes blockchain explorers for interacting with live networks (e.g., Ethereum Infura).
• Offers command-line tools (octopus_wasm.py, octopus_eth_evm.py) and Python APIs.

Maintenance & Community

The project was sponsored by QuoScient. The primary author is Patrick Ventuzelo (@Pat_Ventuzelo). Further community engagement details are not explicitly provided in the README.

Licensing & Compatibility

Licensed under the MIT License, permitting commercial use and integration with closed-source projects.

Limitations & Caveats

The README indicates that some features are still in development (WIP) or not yet implemented (TODO) for certain platforms, particularly for advanced analyses like symbolic execution on Bitcoin and NEO. Linux is the primary supported OS.