<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>open-source on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/open-source/</link><description>Recent content in open-source on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 12 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/open-source/index.xml" rel="self" type="application/rss+xml"/><item><title>Catching malicious package releases using a transparency log</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/12/catching-malicious-package-releases-using-a-transparency-log/</link><pubDate>Fri, 12 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/12/catching-malicious-package-releases-using-a-transparency-log/</guid><description>We’re getting Sigstore’s rekor-monitor ready for production use, making it easier for developers to detect tampering and unauthorized uses of their identities in the Rekor transparency log.</description></item><item><title>How we avoided side-channels in our new post-quantum Go cryptography libraries</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/</link><pubDate>Fri, 14 Nov 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/</guid><description>We&amp;rsquo;ve released open-source Go implementations of ML-DSA and SLH-DSA.</description></item><item><title>Building checksec without boundaries with Checksec 
Anywhere</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/11/13/building-checksec-without-boundaries-with-checksec-anywhere/</link><pubDate>Thu, 13 Nov 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/11/13/building-checksec-without-boundaries-with-checksec-anywhere/</guid><description>Checksec Anywhere consolidates fragmented binary security analysis tools into a browser-based platform that analyzes ELF, PE, and Mach-O formats locally without compromising privacy or performance.</description></item><item><title>Fickling’s new AI/ML pickle file scanner</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/</link><pubDate>Tue, 16 Sep 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/</guid><description>We&amp;rsquo;ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure.</description></item><item><title>Datasig: Fingerprinting AI/ML datasets to stop data-borne attacks</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/05/02/datasig-fingerprinting-ai/ml-datasets-to-stop-data-borne-attacks/</link><pubDate>Fri, 02 May 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/05/02/datasig-fingerprinting-ai/ml-datasets-to-stop-data-borne-attacks/</guid><description>Datasig generates compact, unique fingerprints for AI/ML datasets that let you compare training data with high accuracy—without needing access to the raw data itself.&lt;br&gt;
This critical capability helps AIBOM (AI bill of materials) tools detect data-borne vulnerabilities that traditional security tools completely miss.</description></item><item><title>Making PyPI's test suite 81% faster</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/05/01/making-pypis-test-suite-81-faster/</link><pubDate>Thu, 01 May 2025 09:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/05/01/making-pypis-test-suite-81-faster/</guid><description>See how we slashed PyPI&amp;rsquo;s test suite runtime from 163 to 30 seconds.&lt;br&gt;
The techniques we share can help you dramatically improve your own project&amp;rsquo;s
testing performance without sacrificing coverage.</description></item><item><title>Sneak peek: A new ASN.1 API for Python</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/</link><pubDate>Fri, 18 Apr 2025 09:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/</guid><description>We&amp;rsquo;re working on integrating an ASN.1 API into PyCA Cryptography,
built on top of the same Rust ASN.1 implementation already used by
Cryptography&amp;rsquo;s X.509 APIs.</description></item><item><title>Benchmarking OpenSearch and Elasticsearch</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/03/06/benchmarking-opensearch-and-elasticsearch/</link><pubDate>Thu, 06 Mar 2025 00:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/03/06/benchmarking-opensearch-and-elasticsearch/</guid><description>Trail of Bits&amp;rsquo; independent study finds OpenSearch v2.17.1 is 1.6x faster than Elasticsearch v8.15.4 on Big5 workload and 11% faster on vector search.</description></item><item><title>Unleashing Medusa: Fast and scalable smart contract fuzzing</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</link><pubDate>Fri, 14 Feb 2025 00:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable-smart-contract-fuzzing/</guid><description>Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.</description></item><item><title>PyPI now supports archiving projects</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/01/30/pypi-now-supports-archiving-projects/</link><pubDate>Thu, 30 Jan 2025 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/01/30/pypi-now-supports-archiving-projects/</guid><description>PyPI now supports marking projects as archived. Project owners can now archive their project to let users know that the project is not expected to receive any more updates. 
Project archival is a single piece in a larger supply-chain security puzzle: by exposing archival statuses, PyPI enables downstream consumers to make more […]</description></item><item><title>Celebrating our 2024 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</link><pubDate>Thu, 23 Jan 2025 09:00:30 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</guid><description>While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day. This year, our engineers […]</description></item><item><title>Auditing the Ruby ecosystem's central package repository</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/</link><pubDate>Wed, 11 Dec 2024 09:00:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/</guid><description>Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. 
With over 184+ billion downloads to date, RubyGems.org is critical infrastructure for the Ruby language ecosystem.</description></item><item><title>Attestations: A new generation of signatures on PyPI</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</link><pubDate>Thu, 14 Nov 2024 09:00:15 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/</guid><description>For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]</description></item><item><title>We wrote the code, and the code won</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</link><pubDate>Thu, 15 Aug 2024 07:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</guid><description>Earlier this week, NIST officially announced three standards specifying FIPS-approved algorithms for post-quantum cryptography. The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) is one of these standardized algorithms. 
The Trail of Bits cryptography team has been anticipating this announcement, and we are excited to share an announcement of our own: we built an open-source pure-Rust implementation of SLH-DSA, which has been merged into RustCrypto.</description></item><item><title>Auditing the Ask Astro LLM Q&amp;A app</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/05/auditing-the-ask-astro-llm-qa-app/</link><pubDate>Fri, 05 Jul 2024 09:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/05/auditing-the-ask-astro-llm-qa-app/</guid><description>Today, we present the second of our open-source AI security audits: a look at security issues we found in an open-source retrieval augmented generation (RAG) application that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial of service. This audit follows up on our previous work that identified 11 security vulnerabilities in […]</description></item><item><title>Relishing new Fickling features for securing ML systems</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</link><pubDate>Mon, 04 Mar 2024 09:00:44 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</guid><description>We’ve added new features to Fickling to offer enhanced threat detection and analysis across a broad spectrum of machine learning (ML) workflows. Fickling is a decompiler, static analyzer, and bytecode rewriter for the Python pickle module that can help you detect, analyze, or create malicious pickle files. 
While the ML community […]</description></item><item><title>How we applied advanced fuzzing techniques to cURL</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</link><pubDate>Fri, 01 Mar 2024 09:30:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/01/toward-more-effective-curl-fuzzing/</guid><description>Near the end of 2022, Trail of Bits was hired by the Open Source Technology Improvement Fund (OSTIF) to perform a security assessment of the cURL file transfer command-line utility and its library, libcurl. The scope of our engagement included a code review, a threat model, and the subject of this blog […]</description></item><item><title>Continuously fuzzing Python C extensions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</link><pubDate>Fri, 23 Feb 2024 09:30:03 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/</guid><description>Deserializing, decoding, and processing untrusted input are telltale signs that your project would benefit from fuzzing. Yes, even Python projects. Fuzzing helps reduce bugs in high-assurance software developed in all programming languages. 
Fortunately for the Python ecosystem, Google has released Atheris, a coverage-guided fuzzer for both pure Python code and Python C […]</description></item><item><title>Introducing DIFFER, a new tool for testing and validating transformed programs</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/31/introducing-differ-a-new-tool-for-testing-and-validating-transformed-programs/</link><pubDate>Wed, 31 Jan 2024 09:30:48 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/31/introducing-differ-a-new-tool-for-testing-and-validating-transformed-programs/</guid><description>We recently released a new differential testing tool, called DIFFER, for finding bugs and soundness violations in transformed programs. DIFFER combines elements from differential, regression, and fuzz testing to help users find bugs in programs that have been altered by software rewriting, debloating, and hardening tools. We used DIFFER to evaluate 10 […]</description></item><item><title>Enhancing trust for SGX enclaves</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/26/enhancing-trust-for-sgx-enclaves/</link><pubDate>Fri, 26 Jan 2024 09:00:31 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/26/enhancing-trust-for-sgx-enclaves/</guid><description>Creating reproducible builds for SGX enclaves used in privacy-oriented deployments is a difficult task that lacks a convenient and robust solution. 
We describe using Nix to achieve reproducible and transparent enclave builds so that anyone can audit whether the enclave is running the source code it claims, thereby enhancing the security of […]</description></item><item><title>We build X.509 chains so you don’t have to</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</link><pubDate>Thu, 25 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</guid><description>For the past eight months, Trail of Bits has worked with the Python Cryptographic Authority to build cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication protocols are built on. Our implementation is fast, standards-conforming, and memory-safe, giving the Python ecosystem a modern […]</description></item><item><title>Celebrating our 2023 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</link><pubDate>Wed, 24 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</guid><description>At Trail of Bits, we pride ourselves on making our best tools open source, such as Slither, PolyTracker, and RPC Investigator. But while this post is about open source, it’s not about our tools… In 2023, our employees submitted over 450 pull requests (PRs) that were merged into non-Trail of Bits repositories. 
This demonstrates our […]</description></item><item><title>30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</link><pubDate>Wed, 17 Jan 2024 08:30:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/17/30-new-semgrep-rules-ansible-java-kotlin-shell-scripts-and-more/</guid><description>We are publishing a set of 30 custom Semgrep rules for Ansible playbooks, Java/Kotlin code, shell scripts, and Docker Compose configuration files. These rules were created and used to audit for common security vulnerabilities in the listed technologies. This new release of our Semgrep rules joins our public CodeQL […]</description></item><item><title>Internet freedom with the Open Technology Fund</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/15/internet-freedom-with-the-open-technology-fund/</link><pubDate>Mon, 15 Jan 2024 08:30:54 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/15/internet-freedom-with-the-open-technology-fund/</guid><description>Trail of Bits cares about internet freedom, and one of our most valued partners in pursuit of that goal is the Open Technology Fund (OTF). Our core values involve focusing on high-impact work, including work with a positive social impact. 
The OTF’s Red Team Lab […]</description></item><item><title>Securing open-source infrastructure with OSTIF</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/09/securing-open-source-infrastructure-with-ostif/</link><pubDate>Tue, 09 Jan 2024 09:00:08 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/09/securing-open-source-infrastructure-with-ostif/</guid><description>The Open Source Technology Improvement Fund (OSTIF) counters an often overlooked challenge in the open-source world: the same software projects that uphold today’s internet infrastructure are reliant on, in OSTIF’s words, a “surprisingly small group of people with a limited amount of time” for all development, testing, and maintenance. This scarcity of contributor time in […]</description></item><item><title>How CISA can improve OSS security</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/11/20/how-cisa-can-improve-oss-security/</link><pubDate>Mon, 20 Nov 2023 09:35:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/11/20/how-cisa-can-improve-oss-security/</guid><description>The US government recently issued a request for information (RFI) about open-source software (OSS) security. In this blog post, we will present a summary of our response and proposed solutions. Some of our solutions include rewriting widely used legacy code in memory safe languages such as Rust, funding OSS solutions to improve […]</description></item><item><title>Our audit of PyPI</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/11/14/our-audit-of-pypi/</link><pubDate>Tue, 14 Nov 2023 08:00:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/11/14/our-audit-of-pypi/</guid><description>This is a joint post with the PyPI maintainers; read their announcement here! 
This audit was sponsored by the Open Tech Fund as part of their larger mission to secure critical pieces of internet infrastructure. You can read the full report in our Publications repository. Late this summer, we performed an audit […]</description></item><item><title>Adding build provenance to Homebrew</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/</link><pubDate>Mon, 06 Nov 2023 08:00:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/</guid><description>This is a joint post with Alpha-Omega—read their announcement post as well! We&amp;rsquo;re starting a new project in collaboration with Alpha-Omega and OpenSSF to improve the transparency and security of Homebrew. This six-month project will bring cryptographically verifiable build provenance to homebrew-core, allowing end users and companies to prove that Homebrew&amp;rsquo;s packages come from the official Homebrew CI/CD.</description></item><item><title>Announcing a stable release of sigstore-python</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/</link><pubDate>Fri, 13 Jan 2023 10:00:58 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/</guid><description>Read the official announcement on the Sigstore blog as well! Trail of Bits is thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! 
This work has been graciously funded by Google’s Open Source Security Team (GOSST), who we’ve also […]</description></item><item><title>We sign code now</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/</link><pubDate>Tue, 08 Nov 2022 07:30:15 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/</guid><description>Sigstore announced the general availability of its free and ecosystem-agnostic software signing service two weeks ago, giving developers a way to sign, verify and protect their software projects and the dependencies they rely on. Trail of Bits is absolutely thrilled to be a part of the project, and we spoke about our […]</description></item><item><title>Announcing osquery 5: Now with EndpointSecurity on macOS</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/11/10/announcing-osquery-5-now-with-endpointsecurity-on-macos/</link><pubDate>Wed, 10 Nov 2021 01:05:55 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/11/10/announcing-osquery-5-now-with-endpointsecurity-on-macos/</guid><description>Originally published on October 6, 2021 TL;DR: Version 5.0.1 of osquery, a cross-platform, open-source endpoint visibility agent, is now available. This release is an exciting milestone for the project, as it introduces an EndpointSecurity-based process events table for macOS. 
Read on to learn how we integrated EndpointSecurity into osquery […]</description></item><item><title>Write Rust lints without forking Clippy</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/11/09/write-rust-lints-without-forking-clippy/</link><pubDate>Tue, 09 Nov 2021 00:30:40 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/11/09/write-rust-lints-without-forking-clippy/</guid><description>Originally published May 20, 2021 This blog post introduces Dylint, a tool for loading Rust linting rules (or “lints”) from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections. Previously, the simplest way to write a new Rust lint was to fork Clippy, Rust’s […]</description></item></channel></rss>