<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>2024 on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/</link><description>Recent content in 2024 on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 11 Dec 2024 09:00:59 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/2024/index.xml" rel="self" type="application/rss+xml"/><item><title>Auditing the Ruby ecosystem's central package repository</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/</link><pubDate>Wed, 11 Dec 2024 09:00:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/</guid><description>Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. With over 184+ billion downloads to date, RubyGems.org is critical infrastructure for the Ruby language ecosystem.</description></item><item><title>35 more Semgrep rules: infrastructure, supply chain, and Ruby</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/</link><pubDate>Mon, 09 Dec 2024 09:00:43 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/12/09/35-more-semgrep-rules-infrastructure-supply-chain-and-ruby/</guid><description>We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. 
This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and HCL language support for technologies […]</description></item><item><title>Evaluating Solidity support in AI coding assistants</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/11/19/evaluating-solidity-support-in-ai-coding-assistants/</link><pubDate>Tue, 19 Nov 2024 09:00:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/11/19/evaluating-solidity-support-in-ai-coding-assistants/</guid><description>AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby […]</description></item><item><title>Attestations: A new generation of signatures on PyPI</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</link><pubDate>Thu, 14 Nov 2024 09:00:15 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</guid><description>For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. 
These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]</description></item><item><title>Killing Filecoin nodes</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/</link><pubDate>Wed, 13 Nov 2024 06:00:12 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/</guid><description>In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability […]</description></item><item><title>Fuzzing between the lines in popular barcode software</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/</link><pubDate>Thu, 31 Oct 2024 09:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/</guid><description>Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that&amp;rsquo;s not always the case. 
In this blog post, we show how we fuzzed the ZBar barcode scanning library […]</description></item><item><title>A deep dive into Linux’s new mseal syscall</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/10/25/a-deep-dive-into-linuxs-new-mseal-syscall/</link><pubDate>Fri, 25 Oct 2024 09:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/10/25/a-deep-dive-into-linuxs-new-mseal-syscall/</guid><description>If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we’ll explain what this syscall is, including […]</description></item><item><title>Auditing Gradio 5, Hugging Face’s ML GUI framework</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/10/10/auditing-gradio-5-hugging-faces-ml-gui-framework/</link><pubDate>Thu, 10 Oct 2024 12:00:29 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/10/10/auditing-gradio-5-hugging-faces-ml-gui-framework/</guid><description>This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. 
Hugging Face hired Trail of Bits to audit Gradio 5, a popular open-source library that provides a web interface that […]</description></item><item><title>Securing the software supply chain with the SLSA framework</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/10/01/securing-the-software-supply-chain-with-the-slsa-framework/</link><pubDate>Tue, 01 Oct 2024 09:00:58 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/10/01/securing-the-software-supply-chain-with-the-slsa-framework/</guid><description>Software supply chain security has been a hot topic since the Solarwinds breach back in 2020. Thanks to the Supply-chain Levels for Software Artifacts (SLSA) framework, the software industry is now at the threshold of sustainably solving many of the biggest challenges in securely building and distributing open-source software. SLSA is a […]</description></item><item><title>A few notes on AWS Nitro Enclaves: Attack surface</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/</link><pubDate>Tue, 24 Sep 2024 09:00:36 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/</guid><description>In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads.
But with great power comes great responsibility-and potential security pitfalls. As pioneers in confidential computing security, we at
Trail of Bits have scrutinized the attack surface of AWS Nitro Enclaves, uncovering potential bugs that could compromise even these
hardened environments.</description></item><item><title>Announcing the Trail of Bits and Semgrep partnership</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/</link><pubDate>Thu, 19 Sep 2024 09:00:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/</guid><description>At Trail of Bits, we aim to share and develop tools and resources used in our security assessments with the broader security community. Many clients, we observed, don’t use Semgrep to its fullest potential or even at all. To bridge this gap and encourage broader adoption, our CEO, Dan Guido, initiated discussions with the Semgrep […]</description></item><item><title>Inside DEF CON: Michael Brown on how AI/ML is revolutionizing cybersecurity</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/17/inside-def-con-michael-brown-on-how-ai-ml-is-revolutionizing-cybersecurity/</link><pubDate>Tue, 17 Sep 2024 09:00:08 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/17/inside-def-con-michael-brown-on-how-ai-ml-is-revolutionizing-cybersecurity/</guid><description>At DEF CON, Michael Brown, Principal Security Engineer at Trail of Bits, sat down with Michael Novinson from Information Security Media Group (ISMG) to discuss four critical areas where AI/ML is revolutionizing security. 
Here’s what they covered: AI/ML techniques surpass the limits of traditional software analysis As Moore’s law slows down after 20 years of […]</description></item><item><title>Friends don’t let friends reuse IVs</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonces/</link><pubDate>Fri, 13 Sep 2024 09:00:54 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonces/</guid><description>If you’ve encountered cryptography software, you’ve probably heard the advice to never use an IV twice—in fact, that’s exactly where the other common name, nonce (number used once), comes from. Depending on the cryptography involved, a reused nonce can reveal encrypted messages, or even leak your secret key! But common knowledge may not cover every […]</description></item><item><title>Sanitize your C++ containers: ASan annotations step-by-step</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/10/sanitize-your-c-containers-asan-annotations-step-by-step/</link><pubDate>Tue, 10 Sep 2024 09:00:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/10/sanitize-your-c-containers-asan-annotations-step-by-step/</guid><description>AddressSanitizer (ASan) is a compiler plugin that helps detect memory errors like buffer overflows or use-after-frees. In this post, we explain how to equip your C++ code with ASan annotations to find more bugs. We also show our work on ASan in GCC and LLVM. 
In LLVM, Trail of […]</description></item><item><title>“Unstripping” binaries: Restoring debugging information in GDB with Pwndbg</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/06/unstripping-binaries-restoring-debugging-information-in-gdb-with-pwndbg/</link><pubDate>Fri, 06 Sep 2024 09:00:21 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/06/unstripping-binaries-restoring-debugging-information-in-gdb-with-pwndbg/</guid><description>GDB loses significant functionality when debugging binaries that lack debugging symbols (also known as “stripped binaries”). Function and variable names become meaningless addresses; setting breakpoints requires tracking down relevant function addresses from an external source; and printing out structured values involves staring at a memory dump trying to manually discern field boundaries. […]</description></item><item><title>What would you do with that old GPU?</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/05/what-would-you-do-with-that-old-gpu/</link><pubDate>Thu, 05 Sep 2024 09:00:11 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/05/what-would-you-do-with-that-old-gpu/</guid><description>(Would you get up and throw it away?) 
[sing to the tune of The Beatles – With A Little Help From My Friends] Here’s a riddle: when new GPUs are constantly being produced, product cycles are ~18-24 months long, and each cycle doubles GPU power (per Huang’s Law), what […]</description></item><item><title>Provisioning cloud infrastructure the wrong way, but faster</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/27/provisioning-cloud-infrastructure-the-wrong-way-but-faster/</link><pubDate>Tue, 27 Aug 2024 09:00:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/27/provisioning-cloud-infrastructure-the-wrong-way-but-faster/</guid><description>Today we’re going to provision some cloud infrastructure the Max Power way: by combining automation with unchecked AI output. Unfortunately, this method produces cloud infrastructure code that 1) works and 2) has terrible security properties. In a nutshell, AI-based tools like Claude and ChatGPT readily provide extremely bad cloud infrastructure provisioning code, […]</description></item><item><title>“YOLO” is not a valid hash construction</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/</link><pubDate>Wed, 21 Aug 2024 09:00:51 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/</guid><description>Among the cryptographic missteps we see at Trail of Bits, “let’s build our own tool out of a hash function” is one of the most common. 
Clients have a problem along the lines of “we need to hash a bunch of different values together” or “we need a MAC” or “we need […]</description></item><item><title>We wrote the code, and the code won</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</link><pubDate>Thu, 15 Aug 2024 07:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</guid><description>Earlier this week, NIST officially announced three standards specifying FIPS-approved algorithms for post-quantum cryptography. The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) is one of these standardized algorithms. The Trail of Bits cryptography team has been anticipating this announcement, and we are excited to share an announcement of our own: we built an open-source pure-Rust implementation of SLH-DSA, which has been merged into RustCrypto.</description></item><item><title>Trail of Bits Advances to AIxCC Finals</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/12/trail-of-bits-advances-to-aixcc-finals/</link><pubDate>Mon, 12 Aug 2024 19:23:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/12/trail-of-bits-advances-to-aixcc-finals/</guid><description>Trail of Bits has qualified for the final round of DARPA’s AI Cyber Challenge (AIxCC)! Our Cyber Reasoning System, Buttercup, placed in the top 7 out of 39 teams competing in the semifinal round held at DEF CON 2024. 
Competition Overview The AIxCC semifinal featured a series of challenges based on real-world software, including nginx, […]</description></item><item><title>Trail of Bits’ Buttercup heads to DARPA’s AIxCC</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/</link><pubDate>Fri, 09 Aug 2024 09:10:29 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/09/trail-of-bits-buttercup-heads-to-darpas-aixcc/</guid><description>With DARPA’s AI Cyber Challenge (AIxCC) semifinal starting today at DEF CON 2024, we want to introduce Buttercup, our AIxCC submission. Buttercup is a Cyber Reasoning System (CRS) that combines conventional cybersecurity techniques like fuzzing and static analysis with AI and machine learning to find and fix software vulnerabilities. The system is designed to operate […]</description></item><item><title>Cloud cryptography demystified: Google Cloud Platform</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/05/cloud-cryptography-demystified-google-cloud-platform/</link><pubDate>Mon, 05 Aug 2024 09:00:03 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/05/cloud-cryptography-demystified-google-cloud-platform/</guid><description>This post, the second in our series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Google Cloud Platform (GCP): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services. 
At Trail of Bits, […]</description></item><item><title>Our audit of Homebrew</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/30/our-audit-of-homebrew/</link><pubDate>Tue, 30 Jul 2024 09:00:34 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/30/our-audit-of-homebrew/</guid><description>This is a joint post with the Homebrew maintainers; read their announcement here! Last summer, we performed an audit of Homebrew. Our audit’s scope included Homebrew/brew itself (home of the brew CLI), and three adjacent repositories responsible for various security-relevant aspects of Homebrew’s operation: Homebrew/actions: a repository of custom GitHub Actions used […]</description></item><item><title>Our crypto experts answer 10 key questions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/25/our-crypto-experts-answer-10-key-questions/</link><pubDate>Thu, 25 Jul 2024 09:00:36 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/25/our-crypto-experts-answer-10-key-questions/</guid><description>Cryptography is a fundamental part of electronics and the internet that helps secure credit cards, cell phones, web browsing (fingers crossed you’re using TLS!), and even top-secret military data. 
Cryptography is just as essential in the blockchain space, with blockchains like Ethereum depending on hashes, Merkle trees, and ECDSA signatures, among other […]</description></item><item><title>Announcing AES-GEM (AES with Galois Extended Mode)</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/12/announcing-aes-gem-aes-with-galois-extended-mode/</link><pubDate>Fri, 12 Jul 2024 09:00:35 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/12/announcing-aes-gem-aes-with-galois-extended-mode/</guid><description>Today, AES-GCM is one of two cipher modes used by TLS 1.3 (the other being ChaCha20-Poly1305) and the preferred method for encrypting data in FIPS-validated modules. But despite its overwhelming success, AES-GCM has been the root cause of some catastrophic failures: for example, Hanno Böck and Sean Devlin exploited nonce misuse to […]</description></item><item><title>Trail of Bits named a leader in cybersecurity consulting services</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/09/trail-of-bits-named-a-leader-in-cybersecurity-consulting-services/</link><pubDate>Tue, 09 Jul 2024 07:00:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/09/trail-of-bits-named-a-leader-in-cybersecurity-consulting-services/</guid><description>Trail of Bits has been recognized as a leader in cybersecurity consulting services according to The Forrester Wave™: Cybersecurity Consulting Services, Q2 2024. In this evaluation, we were compared against 14 other top vendors and emerged as a leader for our services. Read the report on our website. What is the Forrester Wave™? 
Forrester is […]</description></item><item><title>Auditing the Ask Astro LLM Q&amp;A app</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/05/auditing-the-ask-astro-llm-qa-app/</link><pubDate>Fri, 05 Jul 2024 09:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/05/auditing-the-ask-astro-llm-qa-app/</guid><description>Today, we present the second of our open-source AI security audits: a look at security issues we found in an open-source retrieval augmented generation (RAG) application that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial of service. This audit follows up on our previous work that identified 11 security vulnerabilities in […]</description></item><item><title>Quantum is unimportant to post-quantum</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/01/quantum-is-unimportant-to-post-quantum/</link><pubDate>Mon, 01 Jul 2024 09:00:01 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/01/quantum-is-unimportant-to-post-quantum/</guid><description>You might be hearing a lot about post-quantum (PQ) cryptography lately, and it’s easy to wonder why it’s such a big deal when nobody has actually seen a quantum computer. But even if a quantum computer is never built, new PQ standards are safer, more resilient, and more flexible than their classical […]</description></item><item><title>Disarming Fiat-Shamir footguns</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/24/disarming-fiat-shamir-footguns/</link><pubDate>Mon, 24 Jun 2024 09:00:38 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/24/disarming-fiat-shamir-footguns/</guid><description>The Fiat-Shamir transform is an important building block in zero-knowledge proofs (ZKPs) and multi-party computation (MPC). It allows zero-knowledge proofs based on interactive protocols to be made non-interactive. 
Essentially, it turns conversations into documents. This ability is at the core of powerful technologies like SNARKs and STARKs. Useful stuff! But the Fiat-Shamir […]</description></item><item><title>EuroLLVM 2024 trip report</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/21/eurollvm-2024-trip-report/</link><pubDate>Fri, 21 Jun 2024 09:00:22 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/21/eurollvm-2024-trip-report/</guid><description>EuroLLVM is a developer meeting focused on projects under the LLVM Foundation umbrella that live in the LLVM GitHub monorepo, like Clang and—more recently, thanks to machine learning research—the MLIR framework. Trail of Bits, which has a history in compiler engineering and all things LLVM, sent a bunch of […]</description></item><item><title>Themes from Real World Crypto 2024</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/18/themes-from-real-world-crypto-2024/</link><pubDate>Tue, 18 Jun 2024 09:00:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/18/themes-from-real-world-crypto-2024/</guid><description>In March, Trail of Bits engineers traveled to the vibrant (and only slightly chilly) city of Toronto to attend Real World Crypto 2024, a three-day event that hosted hundreds of brilliant minds in the field of cryptography. 
We also attended three associated events: the Real World Post-Quantum Cryptography (RWPQC) workshop, the Fully Homomorphic Encryption (FHE) […]</description></item><item><title>Finding mispriced opcodes with fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/17/finding-mispriced-opcodes-with-fuzzing/</link><pubDate>Mon, 17 Jun 2024 09:00:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/17/finding-mispriced-opcodes-with-fuzzing/</guid><description>Fuzzing—a testing technique that tries to find bugs by repeatedly executing test cases and mutating them—has traditionally been used to detect segmentation faults, buffer overflows, and other memory corruption vulnerabilities that are detectable through crashes. But it has additional uses you may not know about: given the right invariants, we can use […]</description></item><item><title>Understanding Apple’s On-Device and Server Foundation Models release</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/understanding-apples-on-device-and-server-foundations-model-release/</link><pubDate>Fri, 14 Jun 2024 16:49:37 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/understanding-apples-on-device-and-server-foundations-model-release/</guid><description>Earlier this week, at Apple’s WWDC, we finally witnessed Apple’s AI strategy. The videos and live demos were accompanied by two long-form releases: Apple’s Private Cloud Compute and Apple’s On-Device and Server Foundation Models. This blog post is about the latter. 
So, what is Apple releasing, and how does it compare to […]</description></item><item><title>PCC: Bold step forward, not without flaws</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/pcc-bold-step-forward-not-without-flaws/</link><pubDate>Fri, 14 Jun 2024 15:46:48 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/pcc-bold-step-forward-not-without-flaws/</guid><description>Earlier this week, Apple announced Private Cloud Compute (or PCC for short). Without deep context on the state of the art of Artificial Intelligence (AI) and Machine Learning (ML) security, some sensible design choices may seem surprising. Conversely, some of the risks linked to this design are hidden in the fine print. […]</description></item><item><title>Announcing the Burp Suite Professional chapter in the Testing Handbook</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/announcing-the-burp-suite-professional-chapter-in-the-testing-handbook/</link><pubDate>Fri, 14 Jun 2024 09:00:23 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/14/announcing-the-burp-suite-professional-chapter-in-the-testing-handbook/</guid><description>Based on our security auditing experience, we’ve found that Burp Suite Professional’s dynamic analysis can uncover vulnerabilities hidden amidst the maze of various target components. Unpredictable security issues like race conditions are often elusive when examining source code alone. 
While Burp is a comprehensive tool for web application security testing, its extensive […]</description></item><item><title>Exploiting ML models with pickle file attacks: Part 2</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-2/</link><pubDate>Tue, 11 Jun 2024 11:00:17 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-2/</guid><description>In part 1, we introduced Sleepy Pickle, an attack that uses malicious pickle files to stealthily compromise ML models and carry out sophisticated attacks against end users. Here we show how this technique can be adapted to enable long-lasting presence on compromised systems while remaining undetected. This variant technique, which we call […]</description></item><item><title>Exploiting ML models with pickle file attacks: Part 1</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/</link><pubDate>Tue, 11 Jun 2024 09:00:36 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/</guid><description>We’ve developed a new hybrid machine learning (ML) model exploitation technique called Sleepy Pickle that takes advantage of the pervasive and notoriously insecure Pickle file format used to package and distribute ML models. 
Sleepy pickle goes beyond previous exploit techniques that target an organization’s systems when they deploy ML models to instead […]</description></item><item><title>Announcing AI/ML safety and security trainings</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/07/announcing-ai-ml-safety-and-security-trainings/</link><pubDate>Fri, 07 Jun 2024 09:00:41 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/07/announcing-ai-ml-safety-and-security-trainings/</guid><description>We are offering AI/ML safety and security training this year! Recent advances in AI/ML technologies opened up a new world of possibilities for businesses to run more efficiently and offer better services and products. However, incorporating AI/ML into computing systems brings new and unique complexities, risks, and attack surfaces. In our experience […]</description></item><item><title>Understanding AddressSanitizer: Better memory safety for your code</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</link><pubDate>Thu, 16 May 2024 09:00:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</guid><description>This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). 
ASan inserts checks around memory accesses during compile time, and crashes the program […]</description></item><item><title>A peek into build provenance for Homebrew</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/</link><pubDate>Tue, 14 May 2024 09:00:05 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/</guid><description>Last November, we announced our collaboration with Alpha-Omega and OpenSSF to add build provenance to Homebrew. Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now cryptographically attesting to all bottles built in the official Homebrew CI. You […]</description></item><item><title>Using benchmarks to speed up Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/08/using-benchmarks-to-speed-up-echidna/</link><pubDate>Wed, 08 May 2024 09:30:07 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/08/using-benchmarks-to-speed-up-echidna/</guid><description>During my time as a Trail of Bits associate last summer, I worked on optimizing the performance of Echidna, Trail of Bits’ open-source smart contract fuzzer, written in Haskell. Through extensive use of profilers and other tools, I was able to pinpoint and debug a massive space leak in one of Echidna’s […]</description></item><item><title>The life and times of an Abstract Syntax Tree</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/02/the-life-and-times-of-an-abstract-syntax-tree/</link><pubDate>Thu, 02 May 2024 09:00:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/02/the-life-and-times-of-an-abstract-syntax-tree/</guid><description>You’ve reached computer programming nirvana. 
Your journey has led you down many paths, including believing that God wrote the universe in LISP, but now the truth is clear in your mind: every problem can be solved by writing one more compiler. It’s true. Even our soon-to-be artificially intelligent overlords are nothing but […]</description></item><item><title>Curvance: Invariants unleashed</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/04/30/curvance-invariants-unleashed/</link><pubDate>Tue, 30 Apr 2024 09:30:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/04/30/curvance-invariants-unleashed/</guid><description>Welcome to our deep dive into the world of invariant development with Curvance. We’ve been building invariants as part of regular code review assessments for more than 6 years now, but our work with Curvance marks our very first official invariant development project, in which developing and testing invariants is all we […]</description></item><item><title>Announcing two new LMS libraries</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/</link><pubDate>Fri, 26 Apr 2024 09:00:32 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/</guid><description>The Trail of Bits cryptography team is pleased to announce the open-sourcing of our pure Rust and Go implementations of Leighton-Micali Hash-Based Signatures (LMS), a well-studied NIST-standardized post-quantum digital signature algorithm. 
If you or your organization are looking to transition to post-quantum support for digital signatures, both of these implementations have been […]</description></item><item><title>5 reasons to strive for better disclosure processes</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/</link><pubDate>Mon, 15 Apr 2024 09:00:53 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/04/15/5-reasons-to-strive-for-better-disclosure-processes/</guid><description>This blog showcases five examples of real-world vulnerabilities that we’ve disclosed in the past year (but have not publicly disclosed before). We also share the frustrations we faced in disclosing them to illustrate the need for effective disclosure processes. Here are the five bugs: Undefined behavior in the borsh-rs Rust library Denial-of-service […]</description></item><item><title>Introducing Ruzzy, a coverage-guided Ruby fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/29/introducing-ruzzy-a-coverage-guided-ruby-fuzzer/</link><pubDate>Fri, 29 Mar 2024 09:30:44 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/29/introducing-ruzzy-a-coverage-guided-ruby-fuzzer/</guid><description>Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. Fuzzing helps find bugs in software that processes untrusted input. 
In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and in Ruby C extensions, they […]</description></item><item><title>Why fuzzing over formal verification?</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</link><pubDate>Fri, 22 Mar 2024 09:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</guid><description>We recently introduced our new offering, invariant development as a service. A recurring question that we are asked is, &amp;ldquo;Why fuzzing instead of formal verification?&amp;rdquo; And the answer is, &amp;ldquo;It&amp;rsquo;s complicated.&amp;rdquo; We use fuzzing for most of our audits but have used formal verification methods in the […]</description></item><item><title>Streamline your static analysis triage with SARIF Explorer</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/20/streamline-the-static-analysis-triage-process-with-sarif-explorer/</link><pubDate>Wed, 20 Mar 2024 09:30:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/20/streamline-the-static-analysis-triage-process-with-sarif-explorer/</guid><description>Today, we’re releasing SARIF Explorer, the VSCode extension that we developed to streamline how we triage static analysis results. We make heavy use of static analysis tools during our audits, but the process of triaging them was always a pain. 
We designed SARIF Explorer to provide an intuitive UI inside VSCode, with […]</description></item><item><title>Read code like a pro with our weAudit VSCode extension</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/19/read-code-like-a-pro-with-our-weaudit-vscode-extension/</link><pubDate>Tue, 19 Mar 2024 09:30:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/19/read-code-like-a-pro-with-our-weaudit-vscode-extension/</guid><description>Today, we’re releasing weAudit, the collaborative code-reviewing tool that we use during our security audits. With weAudit, we review code more efficiently by taking notes and tracking bugs in a codebase directly inside VSCode, reducing our reliance on external tools, ensuring we never lose track of bugs we find, and enabling us […]</description></item><item><title>Releasing the Attacknet: A new tool for finding bugs in blockchain nodes using chaos testing</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/18/releasing-the-attacknet-a-new-tool-for-finding-bugs-in-blockchain-nodes-using-chaos-testing/</link><pubDate>Mon, 18 Mar 2024 09:00:59 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/18/releasing-the-attacknet-a-new-tool-for-finding-bugs-in-blockchain-nodes-using-chaos-testing/</guid><description>Today, Trail of Bits is publishing Attacknet, a new tool that addresses the limitations of traditional runtime verification tools, built in collaboration with the Ethereum Foundation. 
Attacknet is intended to augment the EF’s current test methods by subjecting their execution and consensus clients to some of the most challenging network conditions […]</description></item><item><title>Secure your blockchain project from the start</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/13/secure-your-blockchain-project-from-the-start/</link><pubDate>Wed, 13 Mar 2024 09:00:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/13/secure-your-blockchain-project-from-the-start/</guid><description>Systemic security issues in blockchain projects often appear early in development. Without an initial focus on security, projects may choose flawed architectures or make insecure design or development choices that result in hard-to-maintain or vulnerable solutions. Traditional security reviews can be used to identify some security issues, but by the time they are complete, it […]</description></item><item><title>DARPA awards $1 million to Trail of Bits for AI Cyber Challenge</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/11/darpa-awards-1-million-to-trail-of-bits-for-ai-cyber-challenge/</link><pubDate>Mon, 11 Mar 2024 13:46:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/11/darpa-awards-1-million-to-trail-of-bits-for-ai-cyber-challenge/</guid><description>We’re excited to share that Trail of Bits has been selected as one of the seven exclusive teams to participate in the small business track for DARPA’s AI Cyber Challenge (AIxCC). 
Our team will receive a $1 million award to create a Cyber Reasoning System (CRS) and compete in the AIxCC […]</description></item><item><title>Out of the kernel, into the tokens</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/</link><pubDate>Fri, 08 Mar 2024 09:00:48 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/</guid><description>We’re digging up the archives of vulnerabilities that Trail of Bits has reported over the years. This post shares the story of two such issues: a denial-of-service (DoS) vulnerability hidden in JSON Web Tokens (JWTs), and an oversight in the Linux kernel that could enable circumvention of critical kernel […]</description></item><item><title>Cryptographic design review of Ockam</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/</link><pubDate>Tue, 05 Mar 2024 09:00:38 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/</guid><description>In October 2023, Ockam hired Trail of Bits to review the design of its product, a set of protocols that aims to enable secure communication (i.e., end-to-end encrypted and mutually authenticated channels) across various heterogeneous networks. A secure system starts at the design […]</description></item><item><title>Relishing new Fickling features for securing ML systems</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</link><pubDate>Mon, 04 Mar 2024 09:00:44 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</guid><description>We’ve added new features to Fickling to offer enhanced threat detection and analysis across a broad spectrum of machine learning (ML) workflows. 
Fickling is a decompiler, static analyzer, and bytecode rewriter for the Python pickle module that can help you detect, analyze, or create malicious pickle files. While the ML community […]</description></item><item><title>How we applied advanced fuzzing techniques to cURL</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</link><pubDate>Fri, 01 Mar 2024 09:30:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</guid><description>Near the end of 2022, Trail of Bits was hired by the Open Source Technology Improvement Fund (OSTIF) to perform a security assessment of the cURL file transfer command-line utility and its library, libcurl. The scope of our engagement included a code review, a threat model, and the subject of this blog […]</description></item><item><title>When try, try, try again leads to out-of-order execution bugs</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/when-try-try-try-again-leads-to-out-of-order-execution-bugs/</link><pubDate>Fri, 01 Mar 2024 07:00:42 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/when-try-try-try-again-leads-to-out-of-order-execution-bugs/</guid><description>Have you ever wondered how a rollup and its base chain—the chain that the rollup commits state checkpoints to—communicate and interact? How can a user with funds only on the base chain interact with contracts on the rollup? 
In Arbitrum Nitro, one way to call a method on a contract deployed on […]</description></item><item><title>Our response to the US Army’s RFI on developing AIBOM tools</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/28/our-response-to-the-us-armys-rfi-on-developing-aibom-tools-2/</link><pubDate>Wed, 28 Feb 2024 11:30:05 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/28/our-response-to-the-us-armys-rfi-on-developing-aibom-tools-2/</guid><description>The US Army’s Program Executive Office for Intelligence, Electronic Warfare and Sensors (PEO IEW&amp;amp;S) recently issued a request for information (RFI) on methods to implement and automate production of an artificial intelligence bill of materials (AIBOM) as part of Project Linchpin. The RFI describes the AIBOM as a detailed […]</description></item><item><title>Circomspect has been integrated into the Sindri CLI</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</link><pubDate>Mon, 26 Feb 2024 09:00:02 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</guid><description>Our tool Circomspect is now integrated into the Sindri command-line interface (CLI)! We designed Circomspect to help developers build Circom circuits more securely, particularly given the limited tooling support available for this novel programming framework. 
Integrating this tool into a development environment like that provided by Sindri is a significant step toward […]</description></item><item><title>Continuously fuzzing Python C extensions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</link><pubDate>Fri, 23 Feb 2024 09:30:03 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</guid><description>Deserializing, decoding, and processing untrusted input are telltale signs that your project would benefit from fuzzing. Yes, even Python projects. Fuzzing helps reduce bugs in high-assurance software developed in all programming languages. Fortunately for the Python ecosystem, Google has released Atheris, a coverage-guided fuzzer for both pure Python code and Python C […]</description></item><item><title>Breaking the shared key in threshold signature schemes</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/</link><pubDate>Tue, 20 Feb 2024 09:30:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/</guid><description>Today we are disclosing a denial-of-service vulnerability that affects the Pedersen distributed key generation (DKG) phase of a number of threshold signature scheme implementations based on the Frost, DMZ21, GG20, and GG18 protocols. 
The vulnerability allows a single malicious participant to surreptitiously raise the threshold required to reconstruct the shared key, which […]</description></item><item><title>A few notes on AWS Nitro Enclaves: Images and attestation</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/16/a-few-notes-on-aws-nitro-enclaves-images-and-attestation/</link><pubDate>Fri, 16 Feb 2024 09:30:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/16/a-few-notes-on-aws-nitro-enclaves-images-and-attestation/</guid><description>AWS Nitro Enclaves are locked-down virtual machines with support for attestation. They are Trusted Execution Environments (TEEs), similar to Intel SGX, making them useful for running highly security-critical code. However, the AWS Nitro Enclaves platform lacks thorough documentation and mature tooling. So we decided to do some deep research into it […]</description></item><item><title>Cloud cryptography demystified: Amazon Web Services</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/14/cloud-cryptography-demystified-amazon-web-services/</link><pubDate>Wed, 14 Feb 2024 09:00:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/14/cloud-cryptography-demystified-amazon-web-services/</guid><description>This post, part of a series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Amazon Web Services (AWS): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services. 
At Trail of Bits, we […]</description></item><item><title>Why Windows can’t follow WSL symlinks</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/12/why-windows-cant-follow-wsl-symlinks/</link><pubDate>Mon, 12 Feb 2024 09:30:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/12/why-windows-cant-follow-wsl-symlinks/</guid><description>Did you know that symbolic links (or symlinks) created through Windows Subsystem for Linux (WSL) can’t be followed by Windows? I recently encountered this rather frustrating issue as I’ve been using WSL for my everyday work over the last few months. No doubt others have noticed it as well, so I wanted […]</description></item><item><title>Master fuzzing with our new Testing Handbook chapter</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/</link><pubDate>Fri, 09 Feb 2024 09:00:13 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/</guid><description>Our latest addition to the Trail of Bits Testing Handbook is a comprehensive guide to fuzzing: an essential, effective, low-effort method to find bugs in software that involves repeatedly running a program with random inputs to cause unexpected results.</description></item><item><title>Binary type inference in Ghidra</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/07/binary-type-inference-in-ghidra/</link><pubDate>Wed, 07 Feb 2024 09:00:39 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/07/binary-type-inference-in-ghidra/</guid><description>Trail of Bits is releasing BTIGhidra, a Ghidra extension that helps reverse engineers by inferring type information from binaries. The analysis is inter-procedural, propagating and resolving type constraints between functions while consuming user input to recover additional type information. 
This refined type information produces more idiomatic decompilation, enhancing reverse engineering comprehension. The […]</description></item><item><title>Improving the state of Cosmos fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/05/improving-the-state-of-cosmos-fuzzing/</link><pubDate>Mon, 05 Feb 2024 09:00:53 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/05/improving-the-state-of-cosmos-fuzzing/</guid><description>Cosmos is a platform enabling the creation of blockchains in Go (or other languages). Its reference implementation, Cosmos SDK, leverages strong fuzz testing extensively, following two approaches: smart fuzzing for low-level code, and dumb fuzzing for high-level simulation. In this blog post, we explain the differences between these approaches and show how […]</description></item><item><title>Chaos Communication Congress (37C3) recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</link><pubDate>Fri, 02 Feb 2024 09:00:01 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</guid><description>Last month, two of our engineers attended the 37th Chaos Communication Congress (37C3) in Hamburg, joining thousands of hackers who gather each year to exchange the latest research and achievements in technology and security. 
Unlike other tech conferences, this annual gathering focuses on the interaction of technology and society, covering such topics as politics, entertainment, […]</description></item><item><title>Introducing DIFFER, a new tool for testing and validating transformed programs</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/31/introducing-differ-a-new-tool-for-testing-and-validating-transformed-programs/</link><pubDate>Wed, 31 Jan 2024 09:30:48 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/31/introducing-differ-a-new-tool-for-testing-and-validating-transformed-programs/</guid><description>We recently released a new differential testing tool, called DIFFER, for finding bugs and soundness violations in transformed programs. DIFFER combines elements from differential, regression, and fuzz testing to help users find bugs in programs that have been altered by software rewriting, debloating, and hardening tools. We used DIFFER to evaluate 10 […]</description></item><item><title>Enhancing trust for SGX enclaves</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/26/enhancing-trust-for-sgx-enclaves/</link><pubDate>Fri, 26 Jan 2024 09:00:31 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/26/enhancing-trust-for-sgx-enclaves/</guid><description>Creating reproducible builds for SGX enclaves used in privacy-oriented deployments is a difficult task that lacks a convenient and robust solution. 
We describe using Nix to achieve reproducible and transparent enclave builds so that anyone can audit whether the enclave is running the source code it claims, thereby enhancing the security of […]</description></item><item><title>We build X.509 chains so you don’t have to</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</link><pubDate>Thu, 25 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</guid><description>For the past eight months, Trail of Bits has worked with the Python Cryptographic Authority to build cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication protocols are built on. Our implementation is fast, standards-conforming, and memory-safe, giving the Python ecosystem a modern […]</description></item><item><title>Celebrating our 2023 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</link><pubDate>Wed, 24 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</guid><description>At Trail of Bits, we pride ourselves on making our best tools open source, such as Slither, PolyTracker, and RPC Investigator. But while this post is about open source, it’s not about our tools… In 2023, our employees submitted over 450 pull requests (PRs) that were merged into non-Trail of Bits repositories. 
This demonstrates our […]</description></item><item><title>Our thoughts on AIxCC’s competition format</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/18/our-thoughts-on-aixccs-competition-format/</link><pubDate>Thu, 18 Jan 2024 09:00:38 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/18/our-thoughts-on-aixccs-competition-format/</guid><description>Late last month, DARPA officially opened registration for their AI Cyber Challenge (AIxCC). As part of the festivities, DARPA also released some highly anticipated information about the competition: a request for comments (RFC) that contained a sample challenge problem and the scoring methodology. Prior rules documents and FAQs released by DARPA painted […]</description></item><item><title>30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</link><pubDate>Wed, 17 Jan 2024 08:30:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</guid><description>We are publishing a set of 30 custom Semgrep rules for Ansible playbooks, Java/Kotlin code, shell scripts, and Docker Compose configuration files. These rules were created and used to audit for common security vulnerabilities in the listed technologies. 
This new release of our Semgrep rules joins our public CodeQL […]</description></item><item><title>LeftoverLocals: Listening to LLM responses through leaked GPU local memory</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/</link><pubDate>Tue, 16 Jan 2024 12:00:39 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/</guid><description>We are disclosing LeftoverLocals: a vulnerability that allows recovery of data from GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs. LeftoverLocals impacts the security posture of GPU applications as a whole, with particular significance to LLMs and ML models run on impacted GPU […]</description></item><item><title>Internet freedom with the Open Technology Fund</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/15/internet-freedom-with-the-open-technology-fund/</link><pubDate>Mon, 15 Jan 2024 08:30:54 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/15/internet-freedom-with-the-open-technology-fund/</guid><description>Trail of Bits cares about internet freedom, and one of our most valued partners in pursuit of that goal is the Open Technology Fund (OTF). Our core values involve focusing on high-impact work, including work with a positive social impact. 
The OTF’s Red Team Lab […]</description></item><item><title>How to introduce Semgrep to your organization</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/</link><pubDate>Fri, 12 Jan 2024 09:00:26 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/</guid><description>Semgrep, a static analysis tool for finding bugs and specific code patterns in more than 30 languages, is set apart by its ease of use, many built-in rules, and the ability to easily create custom rules. We consider it an essential automated tool for discovering security issues in a […]</description></item><item><title>Securing open-source infrastructure with OSTIF</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/09/securing-open-source-infrastructure-with-ostif/</link><pubDate>Tue, 09 Jan 2024 09:00:08 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/09/securing-open-source-infrastructure-with-ostif/</guid><description>The Open Source Technology Improvement Fund (OSTIF) counters an often overlooked challenge in the open-source world: the same software projects that uphold today’s internet infrastructure are reliant on, in OSTIF’s words, a “surprisingly small group of people with a limited amount of time” for all development, testing, and maintenance. This scarcity of contributor time in […]</description></item><item><title>Tag, you’re it: Signal tagging in Circom</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/02/tag-youre-it-signal-tagging-in-circom/</link><pubDate>Tue, 02 Jan 2024 09:00:01 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/02/tag-youre-it-signal-tagging-in-circom/</guid><description>We at Trail of Bits perform security reviews for a seemingly endless stream of applications that use zero-knowledge (ZK) proofs. 
While fast new arithmetization and folding libraries like Halo2, Plonky2, and Boojum are rapidly gaining adoption, Circom remains a mainstay of ZK circuit design. We’ve written about Circom safety before in the […]</description></item></channel></rss>