<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>program-analysis on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/program-analysis/</link><description>Recent content in program-analysis on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 19 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/program-analysis/index.xml" rel="self" type="application/rss+xml"/><item><title>Can chatbots craft correct code?</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/</link><pubDate>Fri, 19 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/</guid><description>LLMs fundamentally differ from compilers because they lack determinism and semantic guarantees, making them useful coding assistants but unreliable for autonomous code generation without human review and formal verification.</description></item><item><title>Security flaws in an SSO plugin for Caddy</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</link><pubDate>Mon, 18 Sep 2023 08:00:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</guid><description>We identified 10 security vulnerabilities within the caddy-security plugin for the Caddy web server that could enable a variety of high-severity attacks in web applications, including client-side code execution, OAuth replay attacks, and unauthorized access to resources. 
During our evaluation, Caddy was deployed as a reverse proxy […]</description></item><item><title>How to avoid the aCropalypse</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/03/30/acropalypse-polytracker-blind-spots/</link><pubDate>Thu, 30 Mar 2023 08:00:22 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/03/30/acropalypse-polytracker-blind-spots/</guid><description>The aCropalypse is upon us! Last week, news about CVE-2023-21036, nicknamed the “aCropalypse,” spread across Twitter and other media, and I quickly realized that the underlying flaw could be detected by our tool, PolyTracker. I’ll explain how PolyTracker can detect files affected by the vulnerability even without specific file format knowledge.</description></item><item><title>What child is this?</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/12/20/process-reparenting-microsoft-windows/</link><pubDate>Tue, 20 Dec 2022 08:00:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/12/20/process-reparenting-microsoft-windows/</guid><description>A Primer on Process Reparenting in Windows. Process reparenting is a technique used in Microsoft Windows to create a child process under a different parent process than the one making the call to CreateProcess. 
Malicious actors can use this technique to evade security products or break process ancestry ties, making detection more […]</description></item><item><title>Magnifier: An Experiment with Interactive Decompilation</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/08/25/magnifier-an-experiment-with-interactive-decompilation/</link><pubDate>Thu, 25 Aug 2022 09:00:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/08/25/magnifier-an-experiment-with-interactive-decompilation/</guid><description>Today, we are releasing Magnifier, an experimental reverse engineering user interface I developed during my internship. Magnifier asks, “What if, as an alternative to taking handwritten notes, reverse engineering researchers could interactively reshape a decompiled program to reflect what they would normally record?” With Magnifier, the decompiled C code isn’t the end—it’s […]</description></item><item><title>Using mutants to improve Slither</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/</link><pubDate>Wed, 17 Aug 2022 09:00:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/</guid><description>Improving static analysis tools can be hard; once you’ve implemented a good tool based on a useful representation of a program and added a large number of rules to detect problems, how do you further enhance the tool’s bug-finding power? 
One (necessary) approach to coming up with new rules […]</description></item><item><title>Maat: Symbolic execution made easy</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/02/23/maat-symbolic-execution-made-easy/</link><pubDate>Wed, 23 Feb 2022 07:00:08 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/02/23/maat-symbolic-execution-made-easy/</guid><description>We have released Maat, a cross-architecture, multi-purpose, and user-friendly symbolic execution framework. It provides common symbolic execution capabilities such as dynamic symbolic execution (DSE), taint analysis, binary instrumentation, environment simulation, and constraint solving. Maat is easy-to-use, is based on the popular Ghidra intermediate representation (IR) language p-code, prioritizes runtime performance, and has […]</description></item><item><title>Write Rust lints without forking Clippy</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/11/09/write-rust-lints-without-forking-clippy/</link><pubDate>Tue, 09 Nov 2021 00:30:40 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/11/09/write-rust-lints-without-forking-clippy/</guid><description>Originally published May 20, 2021 This blog post introduces Dylint, a tool for loading Rust linting rules (or “lints”) from dynamic libraries. Dylint makes it easy for developers to maintain their own personal lint collections. 
Previously, the simplest way to write a new Rust lint was to fork Clippy, Rust’s […]</description></item><item><title>Detecting Bad OpenSSL Usage</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/29/detecting-bad-openssl-usage/</link><pubDate>Fri, 29 May 2020 07:50:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/29/detecting-bad-openssl-usage/</guid><description>OpenSSL is one of the most popular cryptographic libraries out there; even if you aren’t using C/C++, chances are your programming language’s biggest libraries use OpenSSL bindings as well. It’s also notoriously easy to mess up due to the design of its low-level API. Yet many of these mistakes fall into […]</description></item><item><title>Two New Tools that Tame the Treachery of Files</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/01/two-new-tools-that-tame-the-treachery-of-files/</link><pubDate>Fri, 01 Nov 2019 07:00:18 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/01/two-new-tools-that-tame-the-treachery-of-files/</guid><description>Parsing is hard, even when a file format is well specified. But when the specification is ambiguous, it leads to unintended and strange parser and interpreter behaviors that make file formats susceptible to security vulnerabilities. What if we could automatically generate a “safe” subset of any file format, along with an associated, verified parser? That’s […]</description></item><item><title>Siderophile: Expose your Crate’s Unsafety</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/</link><pubDate>Mon, 01 Jul 2019 11:30:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/</guid><description>Today we released a tool, siderophile, that helps Rust developers find fuzzing targets in their codebases. 
Siderophile trawls your crate’s dependencies and attempts to find every unsafe function, expression, trait method, etc. It then traces these up the callgraph until it finds the function in your crate that uses the unsafety. It ranks the functions […]</description></item><item><title>Performing Concolic Execution on Cryptographic Primitives</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/04/01/performing-concolic-execution-on-cryptographic-primitives/</link><pubDate>Mon, 01 Apr 2019 07:50:55 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/04/01/performing-concolic-execution-on-cryptographic-primitives/</guid><description>For my winternship and springternship at Trail of Bits, I researched novel techniques for symbolic execution on cryptographic protocols. I analyzed various implementation-level bugs in cryptographic libraries, and built a prototype Manticore-based concolic unit testing tool, Sandshrew, that analyzed C cryptographic primitives under a symbolic and concrete environment. Sandshrew is a first step […]</description></item><item><title>The Good, the Bad, and the Weird</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/26/the-good-the-bad-and-the-weird/</link><pubDate>Fri, 26 Oct 2018 06:50:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/26/the-good-the-bad-and-the-weird/</guid><description>Let’s automatically identify weird machines in software. Combating software exploitation has been a cat-and-mouse game ever since the Morris worm in 1988. Attackers use specific exploitation primitives to achieve unintended code execution. Major software vendors introduce exploit mitigation to break those primitives. Back and forth, back and forth. 
The mitigations have certainly raised the bar […]</description></item><item><title>Protecting Software Against Exploitation with DARPA’s CFAR</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/09/10/protecting-software-against-exploitation-with-darpas-cfar/</link><pubDate>Mon, 10 Sep 2018 09:00:55 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/09/10/protecting-software-against-exploitation-with-darpas-cfar/</guid><description>Today, we’re going to talk about a hard problem that we are working on as part of DARPA’s Cyber Fault-Tolerant Attack Recovery (CFAR) program: automatically protecting software from 0-day exploits, memory corruption, and many currently undiscovered bugs. You might be thinking: “Why bother? Can’t I just compile my code with exploit mitigations like stack guard, […]</description></item><item><title>Rattle – an Ethereum EVM binary analysis framework</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/09/06/rattle-an-ethereum-evm-binary-analysis-framework/</link><pubDate>Thu, 06 Sep 2018 02:30:38 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/09/06/rattle-an-ethereum-evm-binary-analysis-framework/</guid><description>Most smart contracts have no verified source code, but people still trust them to protect their cryptocurrency. What’s more, several large custodial smart contracts have had security incidents. The security of contracts that exist on the blockchain should be independently ascertainable. 
Ethereum VM (EVM) Bytecode. Ethereum contracts are compiled to EVM – the Ethereum Virtual […]</description></item><item><title>Optimizing Lifted Bitcode with Dead Store Elimination</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/07/06/optimizing-lifted-bitcode-with-dead-store-elimination/</link><pubDate>Fri, 06 Jul 2018 07:50:11 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/07/06/optimizing-lifted-bitcode-with-dead-store-elimination/</guid><description>Tim Alberdingk Thijm. As part of my Springternship at Trail of Bits, I created a series of data-flow-based optimizations that eliminate most “dead” stores that emulate writes to machine code registers in McSema-lifted programs. For example, applying my dead-store-elimination (DSE) passes to Apache httpd eliminated 117,059 stores, or 50% of the store operations to Remill’s […]</description></item><item><title>State Machine Testing with Echidna</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/</link><pubDate>Thu, 03 May 2018 06:50:48 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/</guid><description>Property-based testing is a powerful technique for verifying arbitrary properties of a program via execution on a large set of inputs, typically generated stochastically. Echidna is a library and executable I’ve been working on for applying property-based testing to EVM code (particularly code written in Solidity). 
Echidna is a library for generating random sequences of […]</description></item><item><title>Vulnerability Modeling with Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/04/04/vulnerability-modeling-with-binary-ninja/</link><pubDate>Wed, 04 Apr 2018 06:50:35 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/04/04/vulnerability-modeling-with-binary-ninja/</guid><description>Plenty of static analyzers can perform vulnerability discovery on source code, but what if you only have the binary? How can we model a vulnerability and then check a binary to see if it is vulnerable? The short answer: use Binary Ninja’s MLIL and SSA form. Together, they make it easy to build and solve a system of equations with a theorem prover that takes binaries and turns them, alchemy-like, into vulnerabilities!</description></item><item><title>Use our suite of Ethereum security tools</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</link><pubDate>Fri, 23 Mar 2018 00:28:08 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</guid><description>Two years ago, when we began taking on blockchain security engagements, there were no tools engineered for the work. No static analyzers, fuzzers, or reverse engineering tools for Ethereum. So, we invested significant time and expertise to create what we needed, adapt what we already had, and refine the work continuously over dozens of audits. 
[…]</description></item><item><title>Manticore: Symbolic execution for humans</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/</link><pubDate>Thu, 27 Apr 2017 00:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/</guid><description>Manticore helps us quickly take advantage of symbolic execution, taint analysis, and instrumentation to analyze binaries.</description></item><item><title>Devirtualizing C++ with Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/</link><pubDate>Mon, 13 Feb 2017 06:50:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/</guid><description>In my first blog post, I introduced the general structure of Binary Ninja’s Low Level IL (LLIL), as well as how to traverse and manipulate it with the Python API. Now, we’ll do something a little more interesting. Reverse engineering binaries compiled from object-oriented languages can be challenging, particularly when it comes to virtual functions. […]</description></item><item><title>Breaking Down Binary Ninja’s Low Level IL</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/01/31/breaking-down-binary-ninjas-low-level-il/</link><pubDate>Tue, 31 Jan 2017 06:50:09 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/01/31/breaking-down-binary-ninjas-low-level-il/</guid><description>Hi, I’m Josh. I recently joined the team at Trail of Bits, and I’ve been an evangelist and plugin writer for the Binary Ninja reversing platform for a while now. I’ve developed plugins that make reversing easier and extended Binary Ninja’s architecture support to assist in playing the microcorruption CTF. 
One of my favorite features of […]</description></item><item><title>Semantic Analysis of Native Programs with CodeReason</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/02/23/semantic-analysis-of-native-programs-introducing-codereason/</link><pubDate>Sun, 23 Feb 2014 22:59:13 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/02/23/semantic-analysis-of-native-programs-introducing-codereason/</guid><description>Have you ever wanted to make a query into a native mode program asking about program locations that write a specific value to a register? Have you ever wanted to automatically deobfuscate obfuscated strings? Reverse engineering a native program involves understanding its semantics at a low level until a high level picture of functionality emerges. […]</description></item></channel></rss>