<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>fuzzing on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/fuzzing/</link><description>Recent content in fuzzing on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 09 Apr 2025 00:00:00 -0400</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/fuzzing/index.xml" rel="self" type="application/rss+xml"/><item><title>Introducing a new section on snapshot fuzzing for kernel-level testing in the Testing Handbook</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/04/09/introducing-a-new-section-on-snapshot-fuzzing-for-kernel-level-testing-in-the-testing-handbook/</link><pubDate>Wed, 09 Apr 2025 09:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/04/09/introducing-a-new-section-on-snapshot-fuzzing-for-kernel-level-testing-in-the-testing-handbook/</guid><description>Learn snapshot fuzzing for kernel-level testing. 
New Testing Handbook section shows how to test drivers, antivirus software, and complex kernel components.</description></item><item><title>Unleashing Medusa: Fast and scalable smart contract fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</link><pubDate>Fri, 14 Feb 2025 00:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</guid><description>Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.</description></item><item><title>Fuzzing between the lines in popular barcode software</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/</link><pubDate>Thu, 31 Oct 2024 09:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/</guid><description>Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that&amp;rsquo;s not always the case. 
In this blog post, we show how we fuzzed the ZBar barcode scanning library […]</description></item><item><title>Finding mispriced opcodes with fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/17/finding-mispriced-opcodes-with-fuzzing/</link><pubDate>Mon, 17 Jun 2024 09:00:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/17/finding-mispriced-opcodes-with-fuzzing/</guid><description>Fuzzing—a testing technique that tries to find bugs by repeatedly executing test cases and mutating them—has traditionally been used to detect segmentation faults, buffer overflows, and other memory corruption vulnerabilities that are detectable through crashes. But it has additional uses you may not know about: given the right invariants, we can use […]</description></item><item><title>Understanding AddressSanitizer: Better memory safety for your code</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</link><pubDate>Thu, 16 May 2024 09:00:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/</guid><description>This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). 
ASan inserts checks around memory accesses during compile time, and crashes the program […]</description></item><item><title>Using benchmarks to speed up Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/08/using-benchmarks-to-speed-up-echidna/</link><pubDate>Wed, 08 May 2024 09:30:07 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/08/using-benchmarks-to-speed-up-echidna/</guid><description>During my time as a Trail of Bits associate last summer, I worked on optimizing the performance of Echidna, Trail of Bits’ open-source smart contract fuzzer, written in Haskell. Through extensive use of profilers and other tools, I was able to pinpoint and debug a massive space leak in one of Echidna’s […]</description></item><item><title>Curvance: Invariants unleashed</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/04/30/curvance-invariants-unleashed/</link><pubDate>Tue, 30 Apr 2024 09:30:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/04/30/curvance-invariants-unleashed/</guid><description>Welcome to our deep dive into the world of invariant development with Curvance. We’ve been building invariants as part of regular code review assessments for more than 6 years now, but our work with Curvance marks our very first official invariant development project, in which developing and testing invariants is all we […]</description></item><item><title>Introducing Ruzzy, a coverage-guided Ruby fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/29/introducing-ruzzy-a-coverage-guided-ruby-fuzzer/</link><pubDate>Fri, 29 Mar 2024 09:30:44 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/29/introducing-ruzzy-a-coverage-guided-ruby-fuzzer/</guid><description>Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. 
Fuzzing helps find bugs in software that processes untrusted input. In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and in Ruby C extensions, they […]</description></item><item><title>Why fuzzing over formal verification?</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</link><pubDate>Fri, 22 Mar 2024 09:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/22/why-fuzzing-over-formal-verification/</guid><description>We recently introduced our new offering, invariant development as a service. A recurring question that we are asked is, &amp;ldquo;Why fuzzing instead of formal verification?&amp;rdquo; And the answer is, &amp;ldquo;It&amp;rsquo;s complicated.&amp;rdquo; We use fuzzing for most of our audits but have used formal verification methods in the […]</description></item><item><title>How we applied advanced fuzzing techniques to cURL</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</link><pubDate>Fri, 01 Mar 2024 09:30:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</guid><description>Near the end of 2022, Trail of Bits was hired by the Open Source Technology Improvement Fund (OSTIF) to perform a security assessment of the cURL file transfer command-line utility and its library, libcurl. 
The scope of our engagement included a code review, a threat model, and the subject of this blog […]</description></item><item><title>Continuously fuzzing Python C extensions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</link><pubDate>Fri, 23 Feb 2024 09:30:03 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</guid><description>Deserializing, decoding, and processing untrusted input are telltale signs that your project would benefit from fuzzing. Yes, even Python projects. Fuzzing helps reduce bugs in high-assurance software developed in all programming languages. Fortunately for the Python ecosystem, Google has released Atheris, a coverage-guided fuzzer for both pure Python code and Python C […]</description></item><item><title>Master fuzzing with our new Testing Handbook chapter</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/</link><pubDate>Fri, 09 Feb 2024 09:00:13 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/</guid><description>Our latest addition to the Trail of Bits Testing Handbook is a comprehensive guide to fuzzing: an essential, effective, low-effort method to find bugs in software that involves repeatedly running a program with random inputs to cause unexpected results.</description></item><item><title>Improving the state of Cosmos fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/05/improving-the-state-of-cosmos-fuzzing/</link><pubDate>Mon, 05 Feb 2024 09:00:53 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/05/improving-the-state-of-cosmos-fuzzing/</guid><description>Cosmos is a platform enabling the creation of blockchains in Go (or other languages). 
Its reference implementation, Cosmos SDK, leverages strong fuzz testing extensively, following two approaches: smart fuzzing for low-level code, and dumb fuzzing for high-level simulation. In this blog post, we explain the differences between these approaches and show how […]</description></item><item><title>Chaos Communication Congress (37C3) recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</link><pubDate>Fri, 02 Feb 2024 09:00:01 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</guid><description>Last month, two of our engineers attended the 37th Chaos Communication Congress (37C3) in Hamburg, joining thousands of hackers who gather each year to exchange the latest research and achievements in technology and security. Unlike other tech conferences, this annual gathering focuses on the interaction of technology and society, covering such topics as politics, entertainment, […]</description></item><item><title>Introducing invariant development as a service</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/</link><pubDate>Thu, 05 Oct 2023 08:00:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/10/05/introducing-invariant-development-as-a-service/</guid><description>Understanding and rigorously testing system invariants are essential aspects of developing robust smart contracts. Invariants are facts about the protocol that should remain true no matter what happens. Defining and testing these invariants allows developers to prevent the introduction of bugs and make their code more robust in the long term. 
However, it is difficult […]</description></item><item><title>Fuzzing on-chain contracts with Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/21/fuzzing-on-chain-contracts-with-echidna/</link><pubDate>Fri, 21 Jul 2023 07:00:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/21/fuzzing-on-chain-contracts-with-echidna/</guid><description>With the release of version 2.1.0 of Echidna, our fuzzing tool for Ethereum smart contracts, we’ve introduced new features for direct retrieval of on-chain data, such as contract code and storage slot values. This data can be used to fuzz deployed contracts in their on-chain state or to test […]</description></item><item><title>Differential fuzz testing upgradeable smart contracts with Diffusc</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/</link><pubDate>Fri, 07 Jul 2023 07:00:33 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/</guid><description>On March 28, 2023, SafeMoon, a self-styled “community-focused DeFi token” on Binance Smart Chain, lost the equivalent of $8.9 million in Binance Coin BNB to an exploit in a liquidity pool. 
The exploit leveraged a simple error introduced in an upgrade to SafeMoon’s SFM token contract, allowing the attacker to burn tokens held in the […]</description></item><item><title>cURL audit: How a joke led to significant findings</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/</link><pubDate>Tue, 14 Feb 2023 08:00:14 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/</guid><description>In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually do, allowing us to take a nonstandard approach to the […]</description></item><item><title>Keeping the wolves out of wolfSSL</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/</link><pubDate>Thu, 12 Jan 2023 08:00:17 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/</guid><description>Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). These vulnerabilities have been discovered automatically using the novel protocol fuzzer tlspuffin. 
This blog post […]</description></item><item><title>Hybrid fuzzing: Sharpening the spikes of Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/12/08/hybrid-echidna-fuzzing-optik-maat/</link><pubDate>Thu, 08 Dec 2022 08:00:36 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/12/08/hybrid-echidna-fuzzing-optik-maat/</guid><description>Smart contract fuzzing is an effective bug-finding technique that is largely used at Trail of Bits during audits. During my internship at Trail of Bits, I contributed to expanding our fuzzing capabilities by working on Hybrid Echidna, a “hybrid fuzzer” that couples our smart contract fuzzer, Echidna, with […]</description></item><item><title>Improving the state of go-fuzz</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/26/improving-the-state-of-go-fuzz/</link><pubDate>Tue, 26 Apr 2022 07:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/26/improving-the-state-of-go-fuzz/</guid><description>During my winternship, I used the findings from recent Go audits to make several improvements to go-fuzz, a coverage-based fuzzer for projects written in Go. I focused on three enhancements to improve the effectiveness of Go fuzzing campaigns and provide a better experience for users. I contributed to fixing type alias […]</description></item><item><title>Optimizing a smart contract fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/03/02/optimizing-a-smart-contract-fuzzer/</link><pubDate>Wed, 02 Mar 2022 07:00:33 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/03/02/optimizing-a-smart-contract-fuzzer/</guid><description>During my winternship, I applied code analysis tools, such as GHC’s Haskell profiler, to improve the efficiency of the Echidna smart contract fuzzer. As a result, Echidna is now over six times faster! 
Echidna overview: To use Echidna, users provide smart contracts and a list of conditions that should be satisfied no […]</description></item><item><title>A Year in the Life of a Compiler Fuzzing Campaign</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/</link><pubDate>Tue, 23 Mar 2021 11:00:37 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/</guid><description>In the summer of 2020, we described our work fuzzing the Solidity compiler, solc. So now we’d like to revisit this project, since fuzzing campaigns tend to “saturate,” finding fewer new results over time. Did Solidity fuzzing run out of gas? Is fuzzing a high-stakes project worthwhile, especially if […]</description></item><item><title>Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/03/19/un-bee-lievable-performance-fast-coverage-guided-fuzzing-with-honeybee-and-intel-processor-trace/</link><pubDate>Fri, 19 Mar 2021 10:00:15 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/03/19/un-bee-lievable-performance-fast-coverage-guided-fuzzing-with-honeybee-and-intel-processor-trace/</guid><description>Today, we are releasing an experimental coverage-guided fuzzer called Honeybee that records program control flow using Intel Processor Trace (IPT) technology. Previously, IPT has been scrutinized for severe underperformance due to issues with capture systems and inefficient trace analyses. 
My winter internship focused on working through these challenges to make […]</description></item><item><title>Confessions of a smart contract paper reviewer</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/02/05/confessions-of-a-smart-contract-paper-reviewer/</link><pubDate>Fri, 05 Feb 2021 06:59:10 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/02/05/confessions-of-a-smart-contract-paper-reviewer/</guid><description>If you’re thinking of writing a paper describing an exciting novel approach to smart contract analysis and want to know what reviewers will be looking for, you’ve come to the right place. Deadlines for many big conferences (ISSTA tool papers, ASE, FSE, etc.) are approaching, as is our own Workshop on Smart Contract Analysis, so […]</description></item><item><title>Let’s build a high-performance fuzzer with GPUs!</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/</link><pubDate>Thu, 22 Oct 2020 06:00:14 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/</guid><description>TL;DR: Can we use GPUs to get 10x performance/dollar when fuzzing embedded software in the cloud? Based on our preliminary work, we think the answer is yes! Fuzzing is a software testing technique that supplies programs with many randomized inputs in an attempt to cause unexpected behavior. It’s an important, […]</description></item><item><title>Using Echidna to test a smart contract library</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/08/17/using-echidna-to-test-a-smart-contract-library/</link><pubDate>Mon, 17 Aug 2020 07:00:17 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/08/17/using-echidna-to-test-a-smart-contract-library/</guid><description>In this post, we’ll show you how to test your smart contracts with the Echidna fuzzer. 
In particular, you’ll see how to: Find a bug we discovered during the Set Protocol audit using a variation of differential fuzzing, and Specify and check useful properties for your own smart contract libraries. And we’ll demonstrate how to […]</description></item><item><title>Breaking the Solidity Compiler with a Fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/</link><pubDate>Fri, 05 Jun 2020 07:50:24 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/</guid><description>Over the last few months, we’ve been fuzzing solc, the standard Solidity smart contract compiler, and we’ve racked up almost 20 (now mostly fixed) new bugs. A few of these are duplicates of existing bugs with slightly different symptoms or triggers, but the vast majority are previously unreported bugs in the compiler. This has been […]</description></item><item><title>An Echidna for all Seasons</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/03/30/an-echidna-for-all-seasons/</link><pubDate>Mon, 30 Mar 2020 07:00:46 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/03/30/an-echidna-for-all-seasons/</guid><description>TL;DR: We have improved Echidna with tons of new features and enhancements since it was released—and there’s more to come. Two years ago, we open-sourced Echidna, our property-based smart contract fuzzer. Echidna is one of the tools we use most in smart contract assessments. 
According to our records, Echidna was used in about 35% of […]</description></item><item><title>Everything You Ever Wanted To Know About Test-Case Reduction, But Didn’t Know to Ask</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/11/test-case-reduction/</link><pubDate>Mon, 11 Nov 2019 07:00:11 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/11/test-case-reduction/</guid><description>Imagine reducing the amount of code and time needed to test software, while at the same time increasing the efficacy of your tests and making your debugging tasks easier—all with minimal human effort. It seems too good to be true, but we’re going to explain how test-case reduction can do all this (and maybe more). […]</description></item><item><title>Security assessment techniques for Go projects</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</link><pubDate>Thu, 07 Nov 2019 07:00:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</guid><description>The Trail of Bits Assurance practice has received an influx of Go projects, following the success of our Kubernetes assessment this summer. As a result, we’ve been adapting for Go projects some of the security assessment techniques and tactics we’ve used with other compiled languages. 
We started by understanding the design of the language, identifying […]</description></item><item><title>Destroying x86_64 instruction decoders with differential fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/31/destroying-x86_64-instruction-decoders-with-differential-fuzzing/</link><pubDate>Thu, 31 Oct 2019 07:00:01 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/31/destroying-x86_64-instruction-decoders-with-differential-fuzzing/</guid><description>TL;DR: x86_64 decoding is hard, and the number and variety of implementations available for it makes it uniquely suited to differential fuzzing. We’re open sourcing mishegos, a differential fuzzer for instruction decoders. You can use it to discover discrepancies in your own decoders and analysis tools! In the beginning, there was instruction decoding: Decompilation and […]</description></item><item><title>Watch Your Language: Our First Vyper Audit</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</link><pubDate>Thu, 24 Oct 2019 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</guid><description>A lot of companies are working on Ethereum smart contracts, yet writing secure contracts remains a difficult task. You still have to avoid common pitfalls, compiler issues, and constantly check your code for recently discovered risks. A recurrent source of vulnerabilities comes from the early state of the programming languages available. 
Most developers are using […]</description></item><item><title>DeepState Now Supports Ensemble Fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/09/03/deepstate-now-supports-ensemble-fuzzing/</link><pubDate>Tue, 03 Sep 2019 06:50:44 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/09/03/deepstate-now-supports-ensemble-fuzzing/</guid><description>We are proud to announce the integration of ensemble fuzzing into DeepState, our unit-testing framework powered by fuzzing and symbolic execution. Ensemble fuzzing allows testers to execute multiple fuzzers with varying heuristics in a single campaign, while maintaining an architecture for synchronizing generated input seeds across […]</description></item><item><title>Trail of Bits @ ICSE 2019 – Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</link><pubDate>Wed, 19 Jun 2019 10:35:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</guid><description>Three weeks ago, we presented our work on Slither at WETSEB, an ICSE workshop. ICSE is a top-tier academic conference, focused on software engineering. This edition of the event went very well. The organizers do their best to attract and engage industrials to the discussions. The conference had many talks in parallel. We wish we […]</description></item><item><title>Fuzzing Unit Tests with DeepState and Eclipser</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/05/31/fuzzing-unit-tests-with-deepstate-and-eclipser/</link><pubDate>Fri, 31 May 2019 07:00:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/05/31/fuzzing-unit-tests-with-deepstate-and-eclipser/</guid><description>If unit tests are important to you, there’s now another reason to use DeepState, our Google-Test-like property-based testing tool for C and C++. 
It’s called Eclipser, a powerful new fuzzer very recently presented in an ICSE 2019 paper. We are proud to announce that Eclipser is now fully integrated into DeepState. Eclipser provides many of […]</description></item><item><title>User-Friendly Fuzzing with Sienna Locomotive</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/04/08/user-friendly-fuzzing-with-sienna-locomotive/</link><pubDate>Mon, 08 Apr 2019 07:50:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/04/08/user-friendly-fuzzing-with-sienna-locomotive/</guid><description>Fuzzing is a great way to find bugs in software, but many developers don’t use it. We hope to change that today with the release of Sienna Locomotive, a new open-source fuzzer for Windows that emphasizes usability. Sienna Locomotive aims to make fuzzing accessible to developers with limited security expertise. Its user-oriented features make it […]</description></item><item><title>Fuzzing In The Year 2000</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/03/28/fuzzing-in-the-year-2000/</link><pubDate>Thu, 28 Mar 2019 07:50:56 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/03/28/fuzzing-in-the-year-2000/</guid><description>It is time for the second installment of our efforts to reproduce original fuzzing research on modern systems. If you haven’t yet, please read the first part. 
This time we tackle fuzzing on Windows by reproducing the results of “An Empirical Study of the Robustness of Windows NT Applications Using Random Testing” (aka ‘the NT […]</description></item><item><title>Fuzzing an API with DeepState (Part 2)</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/23/fuzzing-an-api-with-deepstate-part-2/</link><pubDate>Wed, 23 Jan 2019 07:50:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/23/fuzzing-an-api-with-deepstate-part-2/</guid><description>Alex Groce, Associate Professor, School of Informatics, Computing and Cyber Systems, Northern Arizona University. Mutation Testing: Introducing one bug by hand (as we did in Part 1) is fine, and we could try it again, but “the plural of anecdote is not data.” However, this is not strictly true. If we have enough anecdotes, we […]</description></item><item><title>Fuzzing an API with DeepState (Part 1)</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/22/fuzzing-an-api-with-deepstate-part-1/</link><pubDate>Tue, 22 Jan 2019 07:50:21 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/22/fuzzing-an-api-with-deepstate-part-1/</guid><description>Alex Groce, Associate Professor, School of Informatics, Computing and Cyber Systems, Northern Arizona University. Using DeepState, we took a handwritten red-black tree fuzzer and, with minimal effort, turned it into a much more fully featured test generator. 
The DeepState fuzzer, despite requiring no more coding effort, supports replay of regression tests, reduction of the size […]</description></item><item><title>How to write a rootkit without really trying</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/17/how-to-write-a-rootkit-without-really-trying/</link><pubDate>Thu, 17 Jan 2019 07:50:53 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/17/how-to-write-a-rootkit-without-really-trying/</guid><description>We open-sourced a fault injection tool, KRF, that uses kernel-space syscall interception. You can use it today to find faulty assumptions (and resultant bugs) in your programs. Check it out! This post covers intercepting system calls from within the Linux kernel, via a plain old kernel module. We’ll go through a quick refresher on syscalls […]</description></item><item><title>Fuzzing Like It’s 1989</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/</link><pubDate>Mon, 31 Dec 2018 06:50:18 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/</guid><description>With 2019 a day away, let’s reflect on the past to see how we can improve. Yes, let’s take a long look back 30 years and reflect on the original fuzzing paper, An Empirical Study of the Reliability of UNIX Utilities, and its 1995 follow-up, Fuzz Revisited, by Barton P. Miller. In this blog post, […]</description></item><item><title>How to Spot Good Fuzzing Research</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/</link><pubDate>Fri, 05 Oct 2018 06:50:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/</guid><description>Of the nearly 200 papers on software fuzzing that have been published in the last three years, most of them—even some from high-impact conferences—are academic clamor. 
Fuzzing research suffers from inconsistent and subjective benchmarks, which keeps this potent field in a state of arrested development. We’d like to help explain why this has happened and […]</description></item><item><title>State Machine Testing with Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/</link><pubDate>Thu, 03 May 2018 06:50:48 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/</guid><description>Property-based testing is a powerful technique for verifying arbitrary properties of a program via execution on a large set of inputs, typically generated stochastically. Echidna is a library and executable I’ve been working on for applying property-based testing to EVM code (particularly code written in Solidity). Echidna is a library for generating random sequences of […]</description></item><item><title>Use our suite of Ethereum security tools</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</link><pubDate>Fri, 23 Mar 2018 00:28:08 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</guid><description>Two years ago, when we began taking on blockchain security engagements, there were no tools engineered for the work. No static analyzers, fuzzers, or reverse engineering tools for Ethereum. So, we invested significant time and expertise to create what we needed, adapt what we already had, and refine the work continuously over dozens of audits. 
[…]</description></item><item><title>Echidna, a smart fuzzer for Ethereum</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/</link><pubDate>Fri, 09 Mar 2018 13:19:34 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/</guid><description>Today we released Echidna, our next-generation EVM smart fuzzer at EthCC. It’s the first-ever fuzzer to target smart contracts, and has powerful features like abstract state-machine modeling and automatic minimal test case generation. We’ve been working on it for quite some time, and are thrilled to finally share it with the world. Different interfaces for […]</description></item><item><title>The Smart Fuzzer Revolution</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/</link><pubDate>Thu, 16 Feb 2017 06:50:08 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/02/16/the-smart-fuzzer-revolution/</guid><description>I recently had the privilege of giving a keynote at BSidesLisbon. I had a great time at the conference, and I’d like to thank Bruno Morisson for inviting me. If you’re into port, this is the conference for you! I recommend that anyone in the area consider attending next year. I felt there was a […]</description></item><item><title>Shin GRR: Make Fuzzing Fast Again</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/11/02/shin-grr-make-fuzzing-fast-again/</link><pubDate>Wed, 02 Nov 2016 07:50:40 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/11/02/shin-grr-make-fuzzing-fast-again/</guid><description>We’ve mentioned GRR before – it’s our high-speed, full-system emulator used to fuzz program binaries. We developed GRR for DARPA’s Cyber Grand Challenge (CGC), and now we’re releasing it as an open-source project! Go check it out. 
Fear GRR Bugs aren’t afraid of slow fuzzers, and that’s why GRR was designed with unique and innovative […]</description></item><item><title>A fuzzer and a symbolic executor walk into a cloud</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/08/02/engineering-solutions-to-hard-program-analysis-problems/</link><pubDate>Tue, 02 Aug 2016 07:50:34 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/08/02/engineering-solutions-to-hard-program-analysis-problems/</guid><description>Finding bugs in programs is hard. Automating the process is even harder. We tackled the harder problem and produced two production-quality bug-finding systems: GRR, a high-throughput fuzzer, and PySymEmu (PSE), a binary symbolic executor with support for concrete inputs. From afar, fuzzing is a dumb, brute-force method that works surprisingly well, and symbolic execution is […]</description></item><item><title>ProtoFuzz: A Protobuf Fuzzer</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/05/18/protofuzz-a-protobuf-fuzzer/</link><pubDate>Wed, 18 May 2016 07:50:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/05/18/protofuzz-a-protobuf-fuzzer/</guid><description>Google’s Protocol Buffers (protobuf) is a common method of serializing data, typically found in distributed applications. Protobufs simplify the generally error-prone task of parsing binary data by letting a developer define the type of data, and letting a protobuf compiler (protoc) generate all the serialization and deserialization code automatically. 
Fuzzing a service expecting protobuf-encoded structures […]</description></item><item><title>Summer @ Trail of Bits</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/09/10/summer-trail-of-bits/</link><pubDate>Thu, 10 Sep 2015 07:50:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/09/10/summer-trail-of-bits/</guid><description>This summer I’ve had the incredible opportunity to work with Trail of Bits as a high school intern. In return, I am obligated to write a blog post about this internship. So without further ado, here it is. Starting with Fuzzing The summer kicked off with fuzzing, a technique I had heard of but had […]</description></item></channel></rss>