<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>compilers on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/compilers/</link><description>Recent content in compilers on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 31 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/compilers/index.xml" rel="self" type="application/rss+xml"/><item><title>Detect Go’s silent arithmetic bugs with go-panikint</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/</link><pubDate>Wed, 31 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/</guid><description>We’re releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. 
We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for anyone fuzzing Go projects.</description></item><item><title>Introducing constant-time support for LLVM to protect cryptographic code</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/02/introducing-constant-time-support-for-llvm-to-protect-cryptographic-code/</link><pubDate>Tue, 02 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/02/introducing-constant-time-support-for-llvm-to-protect-cryptographic-code/</guid><description>Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select family of intrinsics that preserve constant-time properties throughout compilation.</description></item><item><title>Celebrating our 2024 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</link><pubDate>Thu, 23 Jan 2025 09:00:30 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</guid><description>While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day. 
This year, our engineers […]</description></item><item><title>EuroLLVM 2024 trip report</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/21/eurollvm-2024-trip-report/</link><pubDate>Fri, 21 Jun 2024 09:00:22 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/21/eurollvm-2024-trip-report/</guid><description>EuroLLVM is a developer meeting focused on projects under the LLVM Foundation umbrella that live in the LLVM GitHub monorepo, like Clang and—more recently, thanks to machine learning research—the MLIR framework. Trail of Bits, which has a history in compiler engineering and all things LLVM, sent a bunch of […]</description></item><item><title>Understanding AddressSanitizer: Better memory safety for your code</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</link><pubDate>Thu, 16 May 2024 09:00:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</guid><description>This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). ASan inserts checks around memory accesses during compile time, and crashes the program […]</description></item><item><title>The life and times of an Abstract Syntax Tree</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/02/the-life-and-times-of-an-abstract-syntax-tree/</link><pubDate>Thu, 02 May 2024 09:00:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/02/the-life-and-times-of-an-abstract-syntax-tree/</guid><description>You’ve reached computer programming nirvana. 
Your journey has led you down many paths, including believing that God wrote the universe in LISP, but now the truth is clear in your mind: every problem can be solved by writing one more compiler. It’s true. Even our soon-to-be artificially intelligent overlords are nothing but […]</description></item><item><title>Holy Macroni! A recipe for progressive language enhancement</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/</link><pubDate>Mon, 11 Sep 2023 08:00:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/</guid><description>Despite its use for refactoring and static analysis tooling, Clang has a massive shortcoming: the Clang AST does not provide provenance information about which CPP macro expansions a given AST node is expanded from; nor does it lower macro expansions down to LLVM Intermediate Representation (IR) code. This makes the construction of […]</description></item><item><title>The future of Clang-based tooling</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/28/the-future-of-clang-based-tooling/</link><pubDate>Fri, 28 Jul 2023 07:00:19 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/28/the-future-of-clang-based-tooling/</guid><description>Clang is a marvelous compiler; it’s a compiler’s compiler! But it isn’t a toolsmith’s compiler. As a toolsmith, my ideal compiler would be an open book, allowing me to get to everywhere from anywhere. 
The data on which my ideal compiler would operate (files, macros, tokens), their eventual interpretation (declarations, statements, types), […]</description></item><item><title>Finding bugs in C code with Multi-Level IR and VAST</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/06/15/finding-bugs-with-mlir-and-vast/</link><pubDate>Thu, 15 Jun 2023 07:00:10 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/06/15/finding-bugs-with-mlir-and-vast/</guid><description>Intermediate languages (IRs) are what reverse engineers and vulnerability researchers use to see the forest for the trees. IRs are used to view programs at different abstraction layers, so that analysis can understand both low-level code aberrations and higher levels of flawed logic mistakes. The setback is that bug-finding tools are often pigeonholed into choosing […]</description></item><item><title>Fast and accurate syntax searching for C and C++</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/12/22/syntax-searching-c-c-clang-ast/</link><pubDate>Thu, 22 Dec 2022 08:00:52 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/12/22/syntax-searching-c-c-clang-ast/</guid><description>The naive approach to searching for patterns in source code is to use regular expressions; a better way is to parse the code with a custom parser, but both of these approaches have limitations. 
During my internship, I prototyped an internal tool called Syntex that does searching on Clang ASTs to avoid […]</description></item><item><title>Interactive decompilation with rellic-xref</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/05/17/interactive-decompilation-with-rellic-xref/</link><pubDate>Tue, 17 May 2022 07:00:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/05/17/interactive-decompilation-with-rellic-xref/</guid><description>Rellic is a framework for analyzing and decompiling LLVM modules into C code, implementing the concepts described in the original paper presenting the Dream decompiler and its successor, Dream++. It recently made an appearance on this blog when I presented rellic-headergen, a tool for extracting debug metadata from LLVM modules and turning […]</description></item><item><title>Themes from Real World Crypto 2022</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/05/03/themes-from-real-world-crypto-2022/</link><pubDate>Tue, 03 May 2022 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/05/03/themes-from-real-world-crypto-2022/</guid><description>Last week, over 500 cryptographers from around the world gathered in Amsterdam for Real World Crypto 2022, meeting in person for the first time in over two years. As in previous years, we dispatched a handful of our researchers and engineers to attend the conference, listen to talks, and schmooze observe the […]</description></item><item><title>C your data structures with rellic-headergen</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/01/19/c-your-data-structures-with-rellic-headergen/</link><pubDate>Wed, 19 Jan 2022 07:00:12 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/01/19/c-your-data-structures-with-rellic-headergen/</guid><description>Have you ever wondered how a compiler sees your data structures? 
Compiler Explorer may help you understand the relation between the source code and machine code, but it doesn’t provide as much support when it comes to the layout of your data. You might have heard about padding, alignment, and “plain old […]</description></item><item><title>A Year in the Life of a Compiler Fuzzing Campaign</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/</link><pubDate>Tue, 23 Mar 2021 11:00:37 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/</guid><description>In the summer of 2020, we described our work fuzzing the Solidity compiler, solc. So now we’d like to revisit this project, since fuzzing campaigns tend to “saturate,” finding fewer new results over time. Did Solidity fuzzing run out of gas? Is fuzzing a high-stakes project worthwhile, especially if […]</description></item><item><title>High-fidelity build instrumentation with blight</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/11/25/high-fidelity-build-instrumentation-with-blight/</link><pubDate>Wed, 25 Nov 2020 09:38:10 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/11/25/high-fidelity-build-instrumentation-with-blight/</guid><description>TL;DR: We’re open-sourcing a new framework, blight, for painlessly wrapping and instrumenting C and C++ build tools. We’re already using it on our research projects, and have included a set of useful actions. You can use it today for your own measurement and instrumentation needs: Why would you ever want to wrap a build tool? 
[…]</description></item><item><title>Breaking the Solidity Compiler with a Fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/</link><pubDate>Fri, 05 Jun 2020 07:50:24 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/</guid><description>Over the last few months, we’ve been fuzzing solc, the standard Solidity smart contract compiler, and we’ve racked up almost 20 (now mostly fixed) new bugs. A few of these are duplicates of existing bugs with slightly different symptoms or triggers, but the vast majority are previously unreported bugs in the compiler. This has been […]</description></item><item><title>Security assessment techniques for Go projects</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</link><pubDate>Thu, 07 Nov 2019 07:00:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</guid><description>The Trail of Bits Assurance practice has received an influx of Go projects, following the success of our Kubernetes assessment this summer. As a result, we’ve been adapting for Go projects some of the security assessment techniques and tactics we’ve used with other compiled languages. We started by understanding the design of the language, identifying […]</description></item><item><title>Use constexpr for faster, smaller, and safer code</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/27/use-constexpr-for-faster-smaller-and-safer-code/</link><pubDate>Thu, 27 Jun 2019 06:50:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/27/use-constexpr-for-faster-smaller-and-safer-code/</guid><description>With the release of C++14, the standards committee strengthened one of the coolest modern features of C++: constexpr. 
Now, C++ developers can write constant expressions and force their evaluation at compile-time, rather than at every invocation by users. This results in faster execution, smaller executables and, surprisingly, safer code. Undefined behavior has been the source […]</description></item><item><title>Creating an LLVM Sanitizer from Hopes and Dreams</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/25/creating-an-llvm-sanitizer-from-hopes-and-dreams/</link><pubDate>Tue, 25 Jun 2019 06:50:21 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/25/creating-an-llvm-sanitizer-from-hopes-and-dreams/</guid><description>Each year, Trail of Bits runs a month-long winter internship aka “winternship” program. This year we were happy to host 4 winterns who contributed to 3 projects. This project comes from Carson Harmon, a new graduate from Purdue interested in compilers and systems engineering, and a new full-time member of our research practice. I set […]</description></item><item><title>Leaves of Hash</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/17/leaves-of-hash/</link><pubDate>Mon, 17 Jun 2019 06:50:58 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/17/leaves-of-hash/</guid><description>Trail of Bits has released Indurative, a cryptographic library that enables authentication of a wide variety of data structures without requiring users to write much code. Indurative is useful for everything from data integrity to trustless distributed systems. 
For instance, developers can use Indurative to add Binary Transparency to a package manager — so users […]</description></item><item><title>How McSema Handles C++ Exceptions</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/21/how-mcsema-handles-c-exceptions/</link><pubDate>Mon, 21 Jan 2019 07:50:27 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/21/how-mcsema-handles-c-exceptions/</guid><description>C++ programs using exceptions are problematic for binary lifters. The non-local control-flow “throw” and “catch” operations that appear in C++ source code do not map neatly to straightforward binary representations. One could allege that the compiler, runtime, and stack unwinding library collude to make exceptions work. We recently completed our investigation into exceptions and can […]</description></item><item><title>Protecting Software Against Exploitation with DARPA’s CFAR</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/09/10/protecting-software-against-exploitation-with-darpas-cfar/</link><pubDate>Mon, 10 Sep 2018 09:00:55 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/09/10/protecting-software-against-exploitation-with-darpas-cfar/</guid><description>Today, we’re going to talk about a hard problem that we are working on as part of DARPA’s Cyber Fault-Tolerant Attack Recovery (CFAR) program: automatically protecting software from 0-day exploits, memory corruption, and many currently undiscovered bugs. You might be thinking: “Why bother? 
Can’t I just compile my code with exploit mitigations like stack guard, […]</description></item><item><title>An accessible overview of Meltdown and Spectre, Part 2</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/22/an-accessible-overview-of-meltdown-and-spectre-part-2/</link><pubDate>Thu, 22 Mar 2018 06:50:19 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/22/an-accessible-overview-of-meltdown-and-spectre-part-2/</guid><description>This is the second half of our blog post on the Meltdown and Spectre vulnerabilities, describing Spectre Variant 1 (V1) and Spectre Variant 2 (V2). If you have not done so already, please review the first blog post for an accessible review of computer architecture fundamentals. This blog post will start by covering the technical […]</description></item><item><title>An accessible overview of Meltdown and Spectre, Part 1</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/01/30/an-accessible-overview-of-meltdown-and-spectre-part-1/</link><pubDate>Tue, 30 Jan 2018 07:50:39 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/01/30/an-accessible-overview-of-meltdown-and-spectre-part-1/</guid><description>In the past few weeks the details of two critical design flaws in modern processors were finally revealed to the public. Much has been written about the impact of Meltdown and Spectre, but there is scant detail about what these attacks are and how they work. We are going to try our best to fix […]</description></item><item><title>Heavy lifting with McSema 2.0</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/01/23/heavy-lifting-with-mcsema-2-0/</link><pubDate>Tue, 23 Jan 2018 07:50:03 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/01/23/heavy-lifting-with-mcsema-2-0/</guid><description>Four years ago, we released McSema, our x86 to LLVM bitcode binary translator. 
Since then, it has stretched and flexed; we added x86-64 support, put it on a performance-focused diet, and improved its usability and documentation. McSema wasn’t the only thing improving these past years, though. At the same time, programs were increasingly adopting modern […]</description></item><item><title>A walk down memory lane</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/04/14/a-walk-down-memory-lane/</link><pubDate>Fri, 14 Apr 2017 06:50:11 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/04/14/a-walk-down-memory-lane/</guid><description>Admit it. Every now and then someone does something, and you think: “I also had that idea!” You feel validated — a kindred spirit has had the same intuitions, the same insights, and even drawn the same conclusions. I was reminded of this feeling recently when I came across a paper describing how to use […]</description></item><item><title>The Challenges of Deploying Security Mitigations</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/02/20/the-challenges-of-deploying-security-mitigations/</link><pubDate>Mon, 20 Feb 2017 09:15:41 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/02/20/the-challenges-of-deploying-security-mitigations/</guid><description>This blog has promoted control flow integrity (CFI) as a game changing security mitigation and encouraged its use. We wanted to take our own security advice and start securing software we use. To that end, we decided to apply CFI to facebook’s osquery, a cross-platform codebase with which we are deeply familiar. 
Using osquery, we […]</description></item><item><title>Let’s talk about CFI: Microsoft Edition</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/</link><pubDate>Tue, 27 Dec 2016 06:00:29 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/</guid><description>We’re back with our promised second installment discussing control flow integrity. This time, we will talk about Microsoft’s implementation of control flow integrity. As a reminder, control flow integrity, or CFI, is an exploit mitigation technique that prevents bugs from turning into exploits. For a more detailed explanation, please read the first post in this […]</description></item><item><title>Let’s talk about CFI: clang edition</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/</link><pubDate>Mon, 17 Oct 2016 07:50:15 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/</guid><description>Our previous blog posts often mentioned control flow integrity, or CFI, but we have never explained what CFI is, how to use it, or why you should care. It’s time to remedy the situation! In this blog post, we’ll explain, at a high level, what CFI is, what it does, what it doesn’t do, and […]</description></item><item><title>Close Encounters with Symbolic Execution (Part 2)</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/12/04/close-encounters-with-symbolic-execution-part-2/</link><pubDate>Thu, 04 Dec 2014 08:50:36 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/12/04/close-encounters-with-symbolic-execution-part-2/</guid><description>This is part two of a two-part blog post that shows how to use KLEE with mcsema to symbolically execute Linux binaries (see the first post!). 
This part will cover how to build KLEE, mcsema, and provide a detailed example of using them to symbolically execute an existing binary. The binary we’ll be symbolically executing […]</description></item><item><title>Close Encounters with Symbolic Execution</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/11/25/close-encounters-with-symbolic-execution/</link><pubDate>Tue, 25 Nov 2014 08:50:54 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/11/25/close-encounters-with-symbolic-execution/</guid><description>At THREADS 2014, I demonstrated a new capability of mcsema that enables the use of KLEE, a symbolic execution framework, on software available only in binary form. In the talk, I described how to use mcsema and KLEE to learn an unknown protocol defined in a binary that has never been seen before. In the example, […]</description></item><item><title>ReMASTering Applications by Obfuscating during Compilation</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/08/20/remastering-applications-by-obfuscating-during-compilation/</link><pubDate>Wed, 20 Aug 2014 08:50:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/08/20/remastering-applications-by-obfuscating-during-compilation/</guid><description>In this post, we discuss the creation of a novel software obfuscation toolkit, MAST, implemented in the LLVM compiler and suitable for denying program understanding to even the most well-resourced adversary. Our implementation is inspired by effective obfuscation techniques used by nation-state malware and techniques discussed in academic literature. 
MAST enables software developers to protect […]</description></item><item><title>McSema is Officially Open Source!</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/08/07/mcsema-is-officially-open-source/</link><pubDate>Thu, 07 Aug 2014 08:50:47 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/08/07/mcsema-is-officially-open-source/</guid><description>We are proud to announce that McSema is now open source! McSema is a framework for analyzing and transforming machine-code programs to LLVM bitcode. It supports translation of x86 machine code, including integer, floating point, and SSE instructions. We previously covered some features of McSema in an earlier blog post and in our talk at ReCON 2014. Our […]</description></item><item><title>A Preview of McSema</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/06/23/a-preview-of-mcsema/</link><pubDate>Mon, 23 Jun 2014 09:00:21 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/06/23/a-preview-of-mcsema/</guid><description>On June 28th Artem Dinaburg and Andrew Ruef will be speaking at REcon 2014 about a project named McSema. McSema is a framework for translating x86 binaries into LLVM bitcode. This translation is the opposite of what happens inside a compiler. A compiler translates LLVM bitcode to x86 machine code. McSema translates x86 machine code into LLVM […]</description></item><item><title>Using Static Analysis and Clang To Find Heartbleed</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/</link><pubDate>Sun, 27 Apr 2014 12:25:50 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/</guid><description>Background Friday night I sat down with a glass of Macallan 15 and decided to write a static checker that would find the Heartbleed bug. 
I decided that I would write it as an out-of-tree clang analyzer plugin and evaluate it on a few very small functions that had the spirit of the Heartbleed bug […]</description></item></channel></rss>