Feed: Trail of Bits
5 reasons to strive for better disclosure processes
Introducing Ruzzy, a coverage-guided Ruby fuzzer
Why fuzzing over formal verification?
Streamline your static analysis triage with SARIF Explorer
Read code like a pro with our weAudit VSCode extension
Releasing the Attacknet: A new tool for finding bugs in blockchain nodes using chaos testing
Secure your blockchain project from the start
DARPA awards $1 million to Trail of Bits for AI Cyber Challenge
Out of the kernel, into the tokens
Cryptographic design review of Ockam
Relishing new Fickling features for securing ML systems
How we applied advanced fuzzing techniques to cURL
When try, try, try again leads to out-of-order execution bugs
Our response to the US Army’s RFI on developing AIBOM tools
Circomspect has been integrated into the Sindri CLI
Continuously fuzzing Python C extensions
Breaking the shared key in threshold signature schemes
A few notes on AWS Nitro Enclaves: Images and attestation
Cloud cryptography demystified: Amazon Web Services
Why Windows can’t follow WSL symlinks
Master fuzzing with our new Testing Handbook chapter
Binary type inference in Ghidra
Improving the state of Cosmos fuzzing
Chaos Communication Congress (37C3) recap
Introducing DIFFER, a new tool for testing and validating transformed programs
Enhancing trust for SGX enclaves
We build X.509 chains so you don’t have to
Celebrating our 2023 open-source contributions
Our thoughts on AIxCC’s competition format
30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more
LeftoverLocals: Listening to LLM responses through leaked GPU local memory
Internet freedom with the Open Technology Fund
How to introduce Semgrep to your organization
Securing open-source infrastructure with OSTIF
Tag, you’re it: Signal tagging in Circom
Billion times emptiness
AI In Windows: Investigating Windows Copilot
We’ve added more content to ZKDocs
Catching OpenSSL misuse using CodeQL
Summer associates 2023 recap
Summer interns 2023 recap
A trail of flipping bits
DARPA’s AI Cyber Challenge: We’re In!
Say hello to the next chapter of the Testing Handbook!
Publishing Trail of Bits’ CodeQL queries
ETW internals for security research and forensics
How CISA can improve OSS security
Assessing the security posture of a widely used vision model: YOLOv7
Our audit of PyPI
Adding build provenance to Homebrew
The issue with ATS in Apple’s macOS and iOS
Numbers turned weapons: DoS in Osmosis’ math library
Introducing invariant development as a service
Pitfalls of relying on eBPF for security monitoring (and some solutions)
Don’t overextend your Oblivious Transfer
Security flaws in an SSO plugin for Caddy
Holy Macroni! A recipe for progressive language enhancement
Secure your Apollo GraphQL server with Semgrep
iVerify is now an independent company!
The Engineer’s Guide to Blockchain Finality
Can you pass the Rekt test?
Use our suite of eBPF libraries
A mistake in the bulletproofs paper could have led to the theft of millions of dollars
How AI will affect cybersecurity: What we told the CFTC
The future of Clang-based tooling
Announcing the Trail of Bits Testing Handbook
Fuzzing on-chain contracts with Echidna
Trail of Bits’s Response to OSTP National Priorities for AI RFI
Evaluating blockchain security maturity
What we told the CFTC about blockchain threats
Differential fuzz testing upgradeable smart contracts with Diffusc
Trail of Bits’s Response to NTIA AI Accountability RFC
Trusted publishing: a new benchmark for packaging security
Real World Crypto 2023 Recap
Introducing Windows Notification Facility’s (WNF) Code Integrity
Loose code, sinks nodes: What should governments consider when getting involved with blockchain?
Typos that omit security features and how to test for them
A Winter’s Tale: Improving messages and types in GDB’s Python API
How to avoid the aCropalypse
Codex (and GPT-4) can’t beat humans on smart contract audits
Circomspect has more passes!
We need a new way to measure AI security
Reusable properties for Ethereum contracts
Escaping well-configured VSCode extensions (for profit)
Escaping misconfigured VSCode extensions
Readline crime: exploiting a SUID logic bug
cURL audit: How a joke led to significant findings
Harnessing the eBPF Verifier
Introducing RPC Investigator
Announcing a stable release of sigstore-python
Keeping the wolves out of wolfSSL
Another prolific year of open-source contributions
How to share what you’ve learned from our audits
Fast and accurate syntax searching for C and C++
What child is this?
How I gave ManticoreUI a makeover
Manticore GUIs made easy
Hybrid fuzzing: Sharpening the spikes of Echidna
Specialized Zero-Knowledge Proof failures
Are you sure your Python ABI is actually stable?
ABI compatibility in Python: How hard could it be?
We’re streamers now
Look out! Divergent representations are everywhere!
We sign code now
Stranger Strings: An exploitable flaw in SQLite
We do Windows now
Porting the Solana eBPF JIT compiler to ARM64
Working on blockchains as a Trail of Bits intern
Secure your machine learning with Semgrep
It pays to be Circomspect
Magnifier: An Experiment with Interactive Decompilation
Using mutants to improve Slither
The road to the apprenticeship
Shedding smart contract storage with Slither
libmagic: The Blathering
A Typical Day as a Trail of Bits Engineer-Consultant
The Trail of Bits Hiring Process
Managing risk in blockchain deployments
Are blockchains decentralized?
Announcing the new Trail of Bits podcast
Themes from PyCon US 2022
Interactive decompilation with rellic-xref
Themes from Real World Crypto 2022
Improving the state of go-fuzz
Amarna: Static analysis for Cairo programs
The Frozen Heart vulnerability in PlonK
The Frozen Heart vulnerability in Bulletproofs
The Frozen Heart vulnerability in Girault’s proof of knowledge
Part 1: Coordinated Disclosure of Vulnerabilities Affecting Girault, Bulletproofs, and PlonK
Towards Practical Security Optimizations for Binaries
Optimizing a smart contract fuzzer
Maat: Symbolic execution made easy
Part 2: Improving crypto code in Rust using LLVM’s optnone
Part 1: The life of an optimization barrier
C your data structures with rellic-headergen
Finding unhandled errors using CodeQL
Toward a Best-of-Both-Worlds Binary Disassembler
Celebrating our 2021 Open Source Contributions
Disclosing Shamir’s Secret Sharing vulnerabilities and announcing ZKDocs
Detecting MISO and Opyn’s msg.value reuse vulnerability with Slither
What does your code use, and is it vulnerable? It-depends!
MUI: Visualizing symbolic execution with Manticore and Binary Ninja
How to choose an interesting project
Motivating global stabilization
Announcing osquery 5: Now with EndpointSecurity on macOS
All your tracing are belong to BPF
PrivacyRaven: Implementing a proof of concept for model inversion
Write Rust lints without forking Clippy
Discovering goroutine leaks with Semgrep
Solar: Context-free, interactive analysis for Solidity
A Year in the Life of a Compiler Fuzzing Campaign
Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
Never a dill moment: Exploiting machine learning pickle files
The Tao of Continuous Integration
Serving up zero-knowledge proofs
Confessions of a smart contract paper reviewer
PDF is Broken: a justCTF Challenge
Breaking Aave Upgradeability
Reverie: An optimized zero-knowledge proof system