https://miscreants.github.io/blog.trailofbits.com/categories/paper-review/Recent content in paper-review on The Trail of Bits BlogHugoen-usWed, 18 Mar 2020 07:50:32 -0400https://miscreants.github.io/blog.trailofbits.com/2020/03/18/financial-cryptography-2020-recap/Wed, 18 Mar 2020 07:50:32 -0400https://miscreants.github.io/blog.trailofbits.com/2020/03/18/financial-cryptography-2020-recap/A few weeks ago, we went to the 24th Financial Cryptography (FC) conference and the Workshop on Trusted Smart Contracts (WTSC), where we presented our work on smart contract bug categorization (see our executive summary) and a poster on Echidna. Although FC is not a blockchain conference, it featured several blockchain-oriented presentations this year and […]https://miscreants.github.io/blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/Wed, 13 Nov 2019 07:00:35 -0500https://miscreants.github.io/blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/At Trail of Bits, we make a significant effort to stay up to date with the academic world. We frequently evaluate our work through peer-reviewed conferences, and we love to attend academic events (see our recent ICSE and Crypto recaps).https://miscreants.github.io/blog.trailofbits.com/2019/09/11/crypto-2019-takeaways/Wed, 11 Sep 2019 06:50:16 -0400https://miscreants.github.io/blog.trailofbits.com/2019/09/11/crypto-2019-takeaways/This year’s IACR Crypto conference was an excellent blend of far-out theory and down-to-earth pragmatism. A major theme throughout the conference was the huge importance of getting basic cryptographic primitives right. Systems ranging from TLS servers and bitcoin wallets to state-of-the-art secure multiparty computation protocols were broken when one small sub-component was either chosen poorly […]https://miscreants.github.io/blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/Thu, 08 Aug 2019 06:50:40 -0400https://miscreants.github.io/blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/Until now, smart contract security researchers (and developers) have been frustrated by limited information about the actual flaws that survive serious development efforts. That limitation increases the risk of making critical smart contracts vulnerable, misallocating resources for risk reduction, and missing opportunities to employ automated analysis tools. We’re changing that. Today, Trail of Bits is […]https://miscreants.github.io/blog.trailofbits.com/2019/07/12/librabft/Fri, 12 Jul 2019 06:50:24 -0400https://miscreants.github.io/blog.trailofbits.com/2019/07/12/librabft/LibraBFT is the Byzantine Fault Tolerant (BFT) consensus algorithm used by the recently released Libra cryptocurrency. LibraBFT is based on another BFT consensus algorithm called HotStuff. While some have noted the similarities between the two algorithms, they differ in some crucial respects. In this post we highlight one such difference: in LibraBFT, non-leaders perform broadcasts. […]https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/Wed, 19 Jun 2019 10:35:13 -0400https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/Three weeks ago, we presented our work on Slither at WETSEB, an ICSE workshop. ICSE is a top-tier academic conference, focused on software engineering. This edition of the event went very well. The organizers do their best to attract and engage industrials to the discussions. The conference had many talks in parallel. We wish we […]https://miscreants.github.io/blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/Mon, 27 May 2019 06:30:58 -0400https://miscreants.github.io/blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/We have published an academic paper on Slither, our static analysis framework for smart contracts, in the International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), colocated with ICSE. Our paper shows that Slither’s bug detection outperforms other static analysis tools for finding issues in smart contracts in terms of speed, robustness, and […]https://miscreants.github.io/blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/Mon, 14 Jan 2019 06:50:53 -0500https://miscreants.github.io/blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/Trying to make a living as a programmer participating in bug bounties is the same as convincing yourself that you’re good enough at Texas Hold ‘Em to quit your job. There’s data to back this up in Fixing a Hole: The Labor Market for Bugs, a chapter in New Solutions for Cybersecurity, by Ryan Ellis, […]https://miscreants.github.io/blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/Fri, 05 Oct 2018 06:50:52 -0400https://miscreants.github.io/blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/Of the nearly 200 papers on software fuzzing that have been published in the last three years, most of them—even some from high-impact conferences—are academic clamor. Fuzzing research suffers from inconsistent and subjective benchmarks, which keeps this potent field in a state of arrested development. We’d like to help explain why this has happened and […]https://miscreants.github.io/blog.trailofbits.com/2017/04/14/a-walk-down-memory-lane/Fri, 14 Apr 2017 06:50:11 -0400https://miscreants.github.io/blog.trailofbits.com/2017/04/14/a-walk-down-memory-lane/Admit it. Every now and then someone does something, and you think: “I also had that idea!” You feel validated — a kindred spirit has had the same intuitions, the same insights, and even drawn the same conclusions. I was reminded of this feeling recently when I came across a paper describing how to use […]https://miscreants.github.io/blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/Thu, 05 May 2016 16:56:12 -0400https://miscreants.github.io/blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/If you follow the recommendations in the 2016 Verizon Data Breach Investigations Report (DBIR), you will expose your organization to more risk, not less. The report’s most glaring flaw is the assertion that the TLS FREAK vulnerability is among the ‘Top 10’ most exploited on the Internet. No experienced security practitioner believes that FREAK is […]