<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Evan Sultanik on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/authors/evan-sultanik/</link><description>Recent content in Evan Sultanik on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 19 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/authors/evan-sultanik/index.xml" rel="self" type="application/rss+xml"/><item><title>Can chatbots craft correct code?</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/</link><pubDate>Fri, 19 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/</guid><description>LLMs fundamentally differ from compilers because they lack determinism and semantic guarantees, making them useful coding assistants but unreliable for autonomous code generation without human review and formal verification.</description></item><item><title>Speedrunning the New York Subway</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/08/25/speedrunning-the-new-york-subway/</link><pubDate>Mon, 25 Aug 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/08/25/speedrunning-the-new-york-subway/</guid><description>We optimized the route for visiting every NYC subway station using algorithms from combinatorial optimization, creating a 20-hour tour that beats the existing world record by 45 minutes.</description></item><item><title>Detecting code copying at scale with Vendetect</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/07/21/detecting-code-copying-at-scale-with-vendetect/</link><pubDate>Mon, 21 Jul 2025 07:00:00 
-0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/07/21/detecting-code-copying-at-scale-with-vendetect/</guid><description>Vendetect is our new open-source tool for detecting copied and vendored code between repositories. It uses semantic fingerprinting to identify similar code even when variable names change or comments disappear. More importantly, unlike academic plagiarism detectors, it understands version control history, helping you trace vendored code back to its exact source commit.</description></item><item><title>Investigate your dependencies with Deptective</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/07/08/investigate-your-dependencies-with-deptective/</link><pubDate>Tue, 08 Jul 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/07/08/investigate-your-dependencies-with-deptective/</guid><description>Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime.</description></item><item><title>Preventing account takeover on centralized cryptocurrency exchanges in 2025</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/05/preventing-account-takeover-on-centralized-cryptocurrency-exchanges-in-2025/</link><pubDate>Wed, 05 Feb 2025 09:00:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/05/preventing-account-takeover-on-centralized-cryptocurrency-exchanges-in-2025/</guid><description>This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. 
You […]</description></item><item><title>libmagic: The Blathering</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/07/01/libmagic-the-blathering/</link><pubDate>Fri, 01 Jul 2022 07:00:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/07/01/libmagic-the-blathering/</guid><description>A couple of years ago we released PolyFile: a utility to identify and map the semantic structure of files, including polyglots, chimeras, and schizophrenic files. It’s a bit like file, binwalk, and Kaitai Struct all rolled into one. PolyFile initially used the TRiD definition database for file identification. However, […]</description></item><item><title>Are blockchains decentralized?</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/</link><pubDate>Tue, 21 Jun 2022 05:00:39 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/</guid><description>A new Trail of Bits research report examines unintended centralities in distributed ledgers Blockchains can help push the boundaries of current technology in useful ways. However, to make good risk decisions involving exciting and innovative technologies, people need demonstrable facts that are arrived at through reproducible methods and open data. We believe the risks inherent […]</description></item><item><title>What does your code use, and is it vulnerable? It-depends!</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/12/16/it-depends/</link><pubDate>Thu, 16 Dec 2021 08:00:14 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/12/16/it-depends/</guid><description>You just cloned a fresh source code repository and want to get a quick sense of its dependencies. Our tool, it-depends, can get you there. We are proud to announce the release of it-depends, an open-source tool for automatic enumeration of dependencies. 
You simply point it to a source code repository, and it will build […]</description></item><item><title>Never a dill moment: Exploiting machine learning pickle files</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/</link><pubDate>Mon, 15 Mar 2021 11:06:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/</guid><description>Many machine learning (ML) models are Python pickle files under the hood, and it makes sense. The use of pickling conserves memory, enables start-and-stop model training, and makes trained models portable (and, thereby, shareable). Pickling is easy to implement, is built into Python without requiring additional dependencies, and supports serialization of custom […]</description></item><item><title>PDF is Broken: a justCTF Challenge</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/02/02/pdf-is-broken-a-justctf-challenge/</link><pubDate>Tue, 02 Feb 2021 07:50:28 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/02/02/pdf-is-broken-a-justctf-challenge/</guid><description>Trail of Bits sponsored the recent justCTF competition, and our engineers helped craft several of the challenges, including D0cker, Go-fs, Pinata, Oracles, and 25519. In this post we’re going to cover another of our challenges, titled PDF is broken, and so is this file. 
It demonstrates some of the PDF file format’s idiosyncrasies in a […]</description></item><item><title>Graphtage: A New Semantic Diffing Tool</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/08/28/graphtage/</link><pubDate>Fri, 28 Aug 2020 07:00:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/08/28/graphtage/</guid><description>Graphtage is a command line utility and underlying library for semantically comparing and merging tree-like structures such as JSON, JSON5, XML, HTML, YAML, and TOML files. Its name is a portmanteau of “graph” and “graftage” (i.e., the horticultural practice of joining two trees together so they grow as one). Read on for what Graphtage does differently and better, why we developed it, how it works, and directions for using it as a library.</description></item><item><title>Two New Tools that Tame the Treachery of Files</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/01/two-new-tools-that-tame-the-treachery-of-files/</link><pubDate>Fri, 01 Nov 2019 07:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/01/two-new-tools-that-tame-the-treachery-of-files/</guid><description>Parsing is hard, even when a file format is well specified. But when the specification is ambiguous, it leads to unintended and strange parser and interpreter behaviors that make file formats susceptible to security vulnerabilities. What if we could automatically generate a “safe” subset of any file format, along with an associated, verified parser? 
That’s […]</description></item><item><title>Empire Hacking: Ethereum Edition 2</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/18/empire-hacking-ethereum-edition-2/</link><pubDate>Fri, 18 Jan 2019 07:50:58 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/18/empire-hacking-ethereum-edition-2/</guid><description>On December 12, over 150 attendees joined a special, half-day Empire Hacking to learn about pitfalls in smart contract security and how to avoid them. Thank you to everyone who came, to our superb speakers, and to BuzzFeed for hosting this meetup at their office. Watch the presentations again It’s hard to find such rich […]</description></item></channel></rss>