<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>static-analysis on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/static-analysis/</link><description>Recent content in static-analysis on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 11 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/static-analysis/index.xml" rel="self" type="application/rss+xml"/><item><title>Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/11/introducing-mrva-a-terminal-first-approach-to-codeql-multi-repo-variant-analysis/</link><pubDate>Thu, 11 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/11/introducing-mrva-a-terminal-first-approach-to-codeql-multi-repo-variant-analysis/</guid><description>Our new tool mrva is a terminal-first tool for running CodeQL multi-repository variant analysis locally, allowing users to download pre-built databases, analyze them with custom queries, and view results directly in the terminal.</description></item><item><title>Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/09/25/taming-2500-compiler-warnings-with-codeql-an-openvpn2-case-study/</link><pubDate>Thu, 25 Sep 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/09/25/taming-2500-compiler-warnings-with-codeql-an-openvpn2-case-study/</guid><description>We created a CodeQL query that reduced 2,500+ compiler warnings about implicit conversions in OpenVPN2 to just 20 high-priority cases, demonstrating how to effectively identify potentially dangerous type conversions in C 
code.</description></item><item><title>Fickling’s new AI/ML pickle file scanner</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/</link><pubDate>Tue, 16 Sep 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/</guid><description>We’ve added a pickle file scanner to Fickling that uses an allowlist approach to protect AI/ML environments from malicious pickle files that could compromise models or infrastructure.</description></item><item><title>Streamline your static analysis triage with SARIF Explorer</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/20/streamline-the-static-analysis-triage-process-with-sarif-explorer/</link><pubDate>Wed, 20 Mar 2024 09:30:45 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/20/streamline-the-static-analysis-triage-process-with-sarif-explorer/</guid><description>Today, we’re releasing SARIF Explorer, the VSCode extension that we developed to streamline how we triage static analysis results. We make heavy use of static analysis tools during our audits, but the process of triaging them was always a pain. We designed SARIF Explorer to provide an intuitive UI inside VSCode, with […]</description></item><item><title>Relishing new Fickling features for securing ML systems</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</link><pubDate>Mon, 04 Mar 2024 09:00:44 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/04/relishing-new-fickling-features-for-securing-ml-systems/</guid><description>We’ve added new features to Fickling to offer enhanced threat detection and analysis across a broad spectrum of machine learning (ML) workflows. 
Fickling is a decompiler, static analyzer, and bytecode rewriter for the Python pickle module that can help you detect, analyze, or create malicious pickle files. While the ML community […]</description></item><item><title>Circomspect has been integrated into the Sindri CLI</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</link><pubDate>Mon, 26 Feb 2024 09:00:02 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</guid><description>Our tool Circomspect is now integrated into the Sindri command-line interface (CLI)! We designed Circomspect to help developers build Circom circuits more securely, particularly given the limited tooling support available for this novel programming framework. Integrating this tool into a development environment like that provided by Sindri is a significant step toward […]</description></item><item><title>Say hello to the next chapter of the Testing Handbook!</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/</link><pubDate>Mon, 11 Dec 2023 08:30:16 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/</guid><description>Today we are announcing the latest addition to the Trail of Bits Testing Handbook: a brand new chapter on CodeQL! 
CodeQL is a powerful and versatile static analysis tool, and at Trail of Bits, we regularly use CodeQL on client engagements to find common vulnerabilities and to perform variant analysis for already […]</description></item><item><title>Security flaws in an SSO plugin for Caddy</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</link><pubDate>Mon, 18 Sep 2023 08:00:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/</guid><description>We identified 10 security vulnerabilities within the caddy-security plugin for the Caddy web server that could enable a variety of high-severity attacks in web applications, including client-side code execution, OAuth replay attacks, and unauthorized access to resources. During our evaluation, Caddy was deployed as a reverse proxy […]</description></item><item><title>Holy Macroni! A recipe for progressive language enhancement</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/</link><pubDate>Mon, 11 Sep 2023 08:00:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/11/holy-macroni-a-recipe-for-progressive-language-enhancement/</guid><description>Despite its use for refactoring and static analysis tooling, Clang has a massive shortcoming: the Clang AST does not provide provenance information about which CPP macro expansions a given AST node is expanded from; nor does it lower macro expansions down to LLVM Intermediate Representation (IR) code. 
This makes the construction of […]</description></item><item><title>Working on blockchains as a Trail of Bits intern</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/10/05/trail-of-bits-internship-blockchain-tealer/</link><pubDate>Wed, 05 Oct 2022 09:00:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/10/05/trail-of-bits-internship-blockchain-tealer/</guid><description>Earlier this year, I successfully completed my internship at Trail of Bits and secured a full-time position as a Blockchain Security Analyst. This post is not intended to be a technical description of the work I did during my internship. Rather, it is intended to describe my general experience as a […]</description></item><item><title>Secure your machine learning with Semgrep</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/10/03/semgrep-maching-learning-static-analysis/</link><pubDate>Mon, 03 Oct 2022 09:00:53 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/10/03/semgrep-maching-learning-static-analysis/</guid><description>tl;dr: Our publicly available Semgrep ruleset now has 11 rules dedicated to the misuse of machine learning libraries. Try it out now! Picture this: You’ve spent months curating images, trying out different architectures, downloading pretrained models, messing with Kubernetes, and you’re finally ready to ship your sparkling new machine learning (ML) product. 
[…]</description></item><item><title>Magnifier: An Experiment with Interactive Decompilation</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/08/25/magnifier-an-experiment-with-interactive-decompilation/</link><pubDate>Thu, 25 Aug 2022 09:00:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/08/25/magnifier-an-experiment-with-interactive-decompilation/</guid><description>Today, we are releasing Magnifier, an experimental reverse engineering user interface I developed during my internship. Magnifier asks, “What if, as an alternative to taking handwritten notes, reverse engineering researchers could interactively reshape a decompiled program to reflect what they would normally record?” With Magnifier, the decompiled C code isn’t the end—it’s […]</description></item><item><title>Using mutants to improve Slither</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/</link><pubDate>Wed, 17 Aug 2022 09:00:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/</guid><description>Improving static analysis tools can be hard; once you’ve implemented a good tool based on a useful representation of a program and added a large number of rules to detect problems, how do you further enhance the tool’s bug-finding power? One (necessary) approach to coming up with new rules […]</description></item><item><title>Shedding smart contract storage with Slither</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/07/28/shedding-smart-contract-storage-with-slither/</link><pubDate>Thu, 28 Jul 2022 09:00:07 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/07/28/shedding-smart-contract-storage-with-slither/</guid><description>You think you’ve found a critical bug in a Solidity smart contract that, if exploited, could drain a widely used cryptocurrency exchange’s funds. 
To confirm that it’s really a bug, you need to figure out the value at an obscure storage slot that has no getter method. Adrenaline courses […]</description></item><item><title>Interactive decompilation with rellic-xref</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/05/17/interactive-decompilation-with-rellic-xref/</link><pubDate>Tue, 17 May 2022 07:00:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/05/17/interactive-decompilation-with-rellic-xref/</guid><description>Rellic is a framework for analyzing and decompiling LLVM modules into C code, implementing the concepts described in the original paper presenting the Dream decompiler and its successor, Dream++. It recently made an appearance on this blog when I presented rellic-headergen, a tool for extracting debug metadata from LLVM modules and turning […]</description></item><item><title>Amarna: Static analysis for Cairo programs</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/</link><pubDate>Wed, 20 Apr 2022 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/</guid><description>We are open-sourcing Amarna, our new static analyzer and linter for the Cairo programming language. Cairo is a programming language powering several trading exchanges with millions of dollars in assets (such as dYdX, driven by StarkWare) and is the programming language for StarkNet contracts. 
But, not unlike other languages, it has its […]</description></item><item><title>Towards Practical Security Optimizations for Binaries</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/03/25/towards-practical-security-optimizations-for-binaries/</link><pubDate>Fri, 25 Mar 2022 08:58:54 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/03/25/towards-practical-security-optimizations-for-binaries/</guid><description>To be thus is nothing, but to be safely thus. (Macbeth: 3.1) It’s not enough that compilers generate efficient code, they must also generate safe code. Despite the extensive testing and correctness certification that goes into developing compilers and their optimization passes, they may inadvertently introduce information leaks […]</description></item><item><title>C your data structures with rellic-headergen</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/01/19/c-your-data-structures-with-rellic-headergen/</link><pubDate>Wed, 19 Jan 2022 07:00:12 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/01/19/c-your-data-structures-with-rellic-headergen/</guid><description>Have you ever wondered how a compiler sees your data structures? Compiler Explorer may help you understand the relation between the source code and machine code, but it doesn’t provide as much support when it comes to the layout of your data. 
You might have heard about padding, alignment, and “plain old […]</description></item><item><title>Toward a Best-of-Both-Worlds Binary Disassembler</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/01/05/toward-a-best-of-both-worlds-binary-disassembler/</link><pubDate>Wed, 05 Jan 2022 07:00:51 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/01/05/toward-a-best-of-both-worlds-binary-disassembler/</guid><description>This past winter, I was fortunate to have the opportunity to work for Trail of Bits as a graduate student intern under the supervision of Peter Goodman and Artem Dinaburg. During my internship, I developed Dr. Disassembler, a Datalog-driven framework for transparent and mutable binary disassembly. Though this project is ongoing, this […]</description></item><item><title>Detecting Iterator Invalidation with CodeQL</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/10/09/detecting-iterator-invalidation-with-codeql/</link><pubDate>Fri, 09 Oct 2020 08:30:22 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/10/09/detecting-iterator-invalidation-with-codeql/</guid><description>Iterator invalidation is a common and subtle class of C++ bugs that often leads to exploitable vulnerabilities. During my Trail of Bits internship this summer, I developed Itergator, a set of CodeQL classes and queries for analyzing and discovering iterator invalidation. Results are easily interpretable by an auditor, […]</description></item><item><title>Security assessment techniques for Go projects</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</link><pubDate>Thu, 07 Nov 2019 07:00:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/</guid><description>The Trail of Bits Assurance practice has received an influx of Go projects, following the success of our Kubernetes assessment this summer. 
As a result, we’ve been adapting for Go projects some of the security assessment techniques and tactics we’ve used with other compiled languages. We started by understanding the design of the language, identifying […]</description></item><item><title>Watch Your Language: Our First Vyper Audit</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</link><pubDate>Thu, 24 Oct 2019 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/</guid><description>A lot of companies are working on Ethereum smart contracts, yet writing secure contracts remains a difficult task. You still have to avoid common pitfalls, compiler issues, and constantly check your code for recently discovered risks. A recurrent source of vulnerabilities comes from the early state of the programming languages available. Most developers are using […]</description></item><item><title>Reverse Taint Analysis Using Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/08/29/reverse-taint-analysis-using-binary-ninja/</link><pubDate>Thu, 29 Aug 2019 06:50:20 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/08/29/reverse-taint-analysis-using-binary-ninja/</guid><description>We open-sourced a set of static analysis tools, KRFAnalysis, that analyze and triage output from our system call (syscall) fault injection tool KRF. Now you can easily figure out where and why, KRF crashes your programs. 
During my summer internship at Trail of Bits, I worked on KRF, […]</description></item><item><title>Avoiding Smart Contract “Gridlock” with Slither</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/07/03/avoiding-smart-contract-gridlock-with-slither/</link><pubDate>Wed, 03 Jul 2019 14:42:53 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/07/03/avoiding-smart-contract-gridlock-with-slither/</guid><description>A denial-of-service (DoS) vulnerability, dubbed ‘Gridlock,’ was publicly reported on July 1st in one of Edgeware’s smart contracts deployed on Ethereum. As much as $900 million worth of Ether may have been processed by this contract. Edgeware has since acknowledged and fixed the “fatal bug.” When we heard about Gridlock, we ran Slither on the […]</description></item><item><title>Use constexpr for faster, smaller, and safer code</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/27/use-constexpr-for-faster-smaller-and-safer-code/</link><pubDate>Thu, 27 Jun 2019 06:50:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/27/use-constexpr-for-faster-smaller-and-safer-code/</guid><description>With the release of C++14, the standards committee strengthened one of the coolest modern features of C++: constexpr. Now, C++ developers can write constant expressions and force their evaluation at compile-time, rather than at every invocation by users. This results in faster execution, smaller executables and, surprisingly, safer code. 
Undefined behavior has been the source […]</description></item><item><title>Creating an LLVM Sanitizer from Hopes and Dreams</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/25/creating-an-llvm-sanitizer-from-hopes-and-dreams/</link><pubDate>Tue, 25 Jun 2019 06:50:21 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/25/creating-an-llvm-sanitizer-from-hopes-and-dreams/</guid><description>Each year, Trail of Bits runs a month-long winter internship aka “winternship” program. This year we were happy to host 4 winterns who contributed to 3 projects. This project comes from Carson Harmon, a new graduate from Purdue interested in compilers and systems engineering, and a new full-time member of our research practice. I set […]</description></item><item><title>Trail of Bits @ ICSE 2019 – Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</link><pubDate>Wed, 19 Jun 2019 10:35:13 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/19/trail-of-bits-icse-2019-recap/</guid><description>Three weeks ago, we presented our work on Slither at WETSEB, an ICSE workshop. ICSE is a top-tier academic conference, focused on software engineering. This edition of the event went very well. The organizers do their best to attract and engage industrials to the discussions. The conference had many talks in parallel. We wish we […]</description></item><item><title>Announcing Automated Reverse Engineering Trainings</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/05/30/announcing-automated-reverse-engineering-trainings/</link><pubDate>Thu, 30 May 2019 07:00:28 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/05/30/announcing-automated-reverse-engineering-trainings/</guid><description>Consider our modular trainings. They can be organized to suit your company’s needs. 
You choose the number of skills and days to spend honing them.</description></item><item><title>Slither: The Leading Static Analyzer for Smart Contracts</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/</link><pubDate>Mon, 27 May 2019 06:30:58 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/</guid><description>We have published an academic paper on Slither, our static analysis framework for smart contracts, in the International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), colocated with ICSE. Our paper shows that Slither’s bug detection outperforms other static analysis tools for finding issues in smart contracts in terms of speed, robustness, and […]</description></item><item><title>Slither – a Solidity static analysis framework</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/</link><pubDate>Fri, 19 Oct 2018 06:50:09 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/</guid><description>Slither is the first open-source static analysis framework for Solidity. Slither is fast and precise; it can find real vulnerabilities in a few seconds without user intervention. It is highly customizable and provides a set of APIs to inspect and analyze Solidity code easily. We use it in all of our security reviews. 
Now you […]</description></item><item><title>Vulnerability Modeling with Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/04/04/vulnerability-modeling-with-binary-ninja/</link><pubDate>Wed, 04 Apr 2018 06:50:35 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/04/04/vulnerability-modeling-with-binary-ninja/</guid><description>Plenty of static analyzers can perform vulnerability discovery on source code, but what if you only have the binary? How can we model a vulnerability and then check a binary to see if it is vulnerable? The short answer: use Binary Ninja’s MLIL and SSA form. Together, they make it easy to build and solve a system of equations with a theorem prover that takes binaries and turns them, alchemy-like, into vulnerabilities!</description></item><item><title>Use our suite of Ethereum security tools</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</link><pubDate>Fri, 23 Mar 2018 00:28:08 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/</guid><description>Two years ago, when we began taking on blockchain security engagements, there were no tools engineered for the work. No static analyzers, fuzzers, or reverse engineering tools for Ethereum. So, we invested significant time and expertise to create what we needed, adapt what we already had, and refine the work continuously over dozens of audits. 
[…]</description></item><item><title>An extra bit of analysis for Clemency</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/07/30/an-extra-bit-of-analysis-for-clemency/</link><pubDate>Sun, 30 Jul 2017 18:41:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/07/30/an-extra-bit-of-analysis-for-clemency/</guid><description>This year’s DEF CON CTF used a unique hardware architecture, cLEMENCy, and only released a specification and reference tooling for it 24 hours before the final event began. cLEMENCy was purposefully designed to break existing tools and make writing new ones harder. This presented a formidable challenge given the timeboxed competition occurs over a single […]</description></item><item><title>Devirtualizing C++ with Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/</link><pubDate>Mon, 13 Feb 2017 06:50:32 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/</guid><description>In my first blog post, I introduced the general structure of Binary Ninja’s Low Level IL (LLIL), as well as how to traverse and manipulate it with the Python API. Now, we’ll do something a little more interesting. Reverse engineering binaries compiled from object-oriented languages can be challenging, particularly when it comes to virtual functions. […]</description></item><item><title>Breaking Down Binary Ninja’s Low Level IL</title><link>https://miscreants.github.io/blog.trailofbits.com/2017/01/31/breaking-down-binary-ninjas-low-level-il/</link><pubDate>Tue, 31 Jan 2017 06:50:09 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2017/01/31/breaking-down-binary-ninjas-low-level-il/</guid><description>Hi, I’m Josh. I recently joined the team at Trail of Bits, and I’ve been an evangelist and plugin writer for the Binary Ninja reversing platform for a while now. 
I’ve developed plugins that make reversing easier and extended Binary Ninja’s architecture support to assist in playing the microcorruption CTF. One of my favorite features of […]</description></item><item><title>Automated Code Audit’s First Customer</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/10/04/first-ever-automated-code-audit/</link><pubDate>Tue, 04 Oct 2016 07:50:46 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/10/04/first-ever-automated-code-audit/</guid><description>Last month our Cyber Reasoning System (CRS), developed for DARPA’s Cyber Grand Challenge, audited a much larger amount of code in less time, in greater detail, and at a lower cost than a human could. Our CRS audited zlib for the Mozilla Secure Open Source (SOS) Fund. To our knowledge, this is the first instance […]</description></item><item><title>2000 cuts with Binary Ninja</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/06/03/2000-cuts-with-binary-ninja/</link><pubDate>Fri, 03 Jun 2016 12:14:34 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/06/03/2000-cuts-with-binary-ninja/</guid><description>Using Vector35’s Binary Ninja, a promising new interactive static analysis and reverse engineering platform, I wrote a script that generated “exploits” for 2,000 unique binaries in this year’s DEFCON CTF qualifying round. 
If you’re wondering how to remain competitive in a post-DARPA DEFCON CTF, I highly recommend you take a look at Binary Ninja.</description></item><item><title>The Problem with Dynamic Program Analysis</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/03/09/the-problem-with-dynamic-program-analysis/</link><pubDate>Wed, 09 Mar 2016 13:53:34 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/03/09/the-problem-with-dynamic-program-analysis/</guid><description>Developers have access to tools like AddressSanitizer and Valgrind that will tell them when the code that they’re running accesses uninitialized memory, leaks memory, or uses memory after it’s been freed. Despite the availability of these excellent tools, memory bugs still persist, still get shipped to users, and still get exploited in the wild. Most […]</description></item><item><title>Using Static Analysis and Clang To Find Heartbleed</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/</link><pubDate>Sun, 27 Apr 2014 12:25:50 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/04/27/using-static-analysis-and-clang-to-find-heartbleed/</guid><description>Background Friday night I sat down with a glass of Macallan 15 and decided to write a static checker that would find the Heartbleed bug. 
I decided that I would write it as an out-of-tree clang analyzer plugin and evaluate it on a few very small functions that had the spirit of the Heartbleed bug […]</description></item><item><title>Semantic Analysis of Native Programs with CodeReason</title><link>https://miscreants.github.io/blog.trailofbits.com/2014/02/23/semantic-analysis-of-native-programs-introducing-codereason/</link><pubDate>Sun, 23 Feb 2014 22:59:13 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2014/02/23/semantic-analysis-of-native-programs-introducing-codereason/</guid><description>Have you ever wanted to make a query into a native mode program asking about program locations that write a specific value to a register? Have you ever wanted to automatically deobfuscate obfuscated strings? Reverse engineering a native program involves understanding its semantics at a low level until a high level picture of functionality emerges. […]</description></item></channel></rss>