We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Check out our ‘Fuzzing February’ Newsletter: we published a fuzzing chapter to our Testing Handbook, fuzzed Python, and added a smart fuzzer on top of Cosmos SDK.
Today, we are disclosing LeftoverLocals, a vulnerability that allows listening to LLM responses through leaked GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs (CVE-2023-4969).
For the last year, a 9-person team from @trailofbits has deeply studied the security of blockchains for @DARPA. Today, our analysis and tools are public:
Today, we are releasing RPC Investigator, made for exploring RPC clients and servers on Windows. This .NET application builds on the NtApiDotNet platform, adding features that offer a new way to explore RPC
Your code might be vulnerable! Our cryptography team has discovered a number of Fiat-Shamir vulnerabilities affecting proof systems such as Bulletproofs and PlonK. Check out this blog series for details and contact us if you think your codebase might be…
Event Tracing for Windows (ETW) is crucial for modern EDR solutions. But what do you really know about its internal workings? Dive into ETW to discover useful attack targets and forensic information.
We’re thrilled to announce our new Testing Handbook, which gathers insights we gained over years of experience using static and dynamic analysis tools. It goes beyond standard documentation, focusing on giving the right answers rather than all the answers.
Earlier this year, one of our interns found a vulnerability that affects applications using the SQLite library API. We are publicly disclosing that vuln today.
It's easy to find bugs when you know how to build the right tools. Check out our blog to learn how to model vulnerabilities with Binary Ninja's MLIL and SSA form.
Check out our _accessible_ Meltdown and Spectre explainer, made for developers without a background in computer architecture. No awkward analogies, we stick to the real details.
We’re releasing a Ghidra extension, BTIGhidra, that automatically recovers types with inter-procedural analysis and enhances decompilation for improved reverse engineering comprehension.
We've just released , a revamp of our guide to building secure contracts! It contains security guidelines, best practices, tool tutorials, and many other resources.
Over the years, we have accumulated advanced knowledge and guidance for writing better smart contracts. We are sharing this knowledge in the first release of building-secure-contracts:
Check out the repo to learn about best practices and tooling!
Process reparenting is a Windows technique used by malicious actors, but it can also be a benign, legitimate event. @yarden_shafir has insights on how to investigate this behavior.
As smart contract security evolves, property-based fuzzing has become a go-to technique for developers and security engineers. To help the community define properties, we are releasing a set of 168 pre-built properties that can be used to guide Echidna.
We’re launching a new service: invariant development. We’ll identify, implement, and test security-critical invariants to prevent bugs & secure your codebase over the long term. Plus, we’ll upskill your team to write their own invariants!
We found critical flaws in common TSS libraries, a cryptographic protocol for distributed key generation and signing. We’ve released to help secure the rapidly advancing field of ZKPs, TSS, and similar schemes.
Warning: @lfgexchange is falsely claiming to have worked with us on an audit. The report on their page is fake. If you want to verify the authenticity of a @trailofbits report, find it on our publications repo, the authoritative source straight from us.
A new release of Slither is available, which now uses OpenAI's Codex to auto-generate solidity documentation and leverages GPT-3 to find vulnerabilities.
During research that led to our discovery of a vuln in SQLite, we found something we call "divergent representations." Once we started looking for them, we found them everywhere
There's a dark side to compiler optimizations that can inadvertently cause information leaks or remove code critical to security. Read about the research being done to mitigate this risk and reduce the exposure to code-reuse attacks in software.
We published a technical summary of the "AMD Flaws" so they can be of use to the security community without the distraction of the surrounding disclosure issues.
The @raft_fi issue is complex and we're actively investigating it. We've offered to help their team however we can. Here's some of what we know so far:
The #RektTest is a simple way for blockchain teams to assess their security posture. Created by top security experts, it includes 12 key questions. Can you pass the Rekt Test?
Why should you care about the security of VSCode extensions? How does compromising a local machine, stealing all local files from that machine, or even swiping your SSH keys sound?
Is your centralized exchange, bridge, or L2 client using block delays to determine transaction finality? If so, it may be vulnerable to re-orgs, double-spend attacks, and stolen funds. Our new guide to blockchain finality helps you avoid these attacks.
Today we're releasing Attacknet, a new tool in the blockchain security arsenal. Built in collaboration with the @Ethereum Foundation, it uses Chaos Engineering to test the most challenging network conditions imaginable for fault tolerance.
Data from @Hacker0x01 and @facebook proves that bug bounties only benefit a small elite group. Is this model meeting researchers' interests? Read our review of "New Solutions for Cybersecurity" by @mitpress.
Upgrading smart contracts can introduce new bugs, risking millions of dollars. We've developed Diffusc, a differential fuzzer that compares two smart contracts to uncover unexpected differences in behavior before an upgrade is deployed.
Earlier this week, @UncipheredLLC disclosed that BitcoinJS, the most widely used JavaScript library for bitcoin wallets, relied on weak randomness until 2014. This issue puts millions of wallets at risk. Here’s what we know:
Experts discover flaw leaving $1 billion in bitcoin and other cryptocurrencies exposed for stealing from early software wallets. Free link to my story in The Post: #bitcoin #doge #infosec
We’ve built many high-impact tools that we use for security reviews. But mastering them can take time. So we're bringing the mastery to you: we're going to be livestreaming tool workshops on our Twitch and YouTube channels!
Clang isn't a toolsmith's compiler. PASTA tries to fix this by providing safe-to-use C++ and Python wrappers to the Clang AST. PASTA also answers questions that Clang can't, like how parsed tokens relate back to macro expansions and files. Learn more:
Manticore now has a GUI that works with Binary Ninja! Our intern, @tcode2k16, explains how his summer project made symbolic execution easier to use and more intuitive.
Magnifier is a UI that helps reverse engineers explore decompiled programs interactively without all the manual note-taking. Read about this excellent work from our intern, @tcode2k16!
Fuzzing is preferred over formal verification because proving the absence of bugs is usually unattainable, and fuzzing identifies the same bugs with less effort.
Our stellar winter intern @ezhes_ built our newest open-source tool named Honeybee. It speeds up the Intel Processor Trace and uses it for fast coverage-guided fuzzing.
We are now accepting applicants for our summer internship program! We will be hiring approximately 10-15 interns across our research, engineering, and assurance practices
Today we're releasing Caracal, our new static analysis tool for Starknet smart contracts. It has 10 detectors that detect reentrancies and other vulnerabilities, two printers, and more!
With Echidna 2.1.0 and later, you can retrieve on-chain data to fuzz deployed contracts and test how new code integrates with existing contracts. You can also use it to recreate real-world hacks!
Today, we are releasing a maintained repository of @osquery extensions. Our first extension uses the @duo_labs EFIgy API to determine if the EFI firmware on your Mac fleet is up to date.
Slither now supports Vyper and includes 5 new detectors, thanks to @vyperlang and @dguido 😉 Foundry UX is also much improved: tests and scripts are now excluded, and Slither can run on single files.
Intern Francesco Bertolaccini developed rellic-headergen, a utility that creates C declarations from debug information in LLVM bitcode produced by Clang from C, C++, or Objective-C. Now you can easily “C” your data structures!
Trail of Bits is announcing a new practice focused on machine learning and artificial intelligence! We’re bringing together safety and security to create a new risk assessment and assurance program
The naive approach to searching for patterns in source code is to use regular expressions, but that has limitations. Our intern prototyped an internal tool that does searching on Clang ASTs to avoid these limitations
What does your code use, and is it vulnerable? It-depends! Our new tool, It-Depends, can automatically build a dependency graph and software bill of materials (SBOM) for arbitrary code, even C and C++, and alert you to any upstream vulnerabilities.
We assessed the YOLOv7 vision model and identified 11 security vulnerabilities that could enable RCE, DoS, and model differentials. We do not recommend using the codebase for mission-critical applications or applications that require high availability.
McSema now has an open-source Dyninst frontend that compares competitively with IDA Pro. Check out this amazing thesis by Lukáš Korenčik to see how all the parts fit together.
Struggling with fuzzing a huge blockchain protocol? Fuzzing tip #1: Start with stateless functions. Pure functions and libraries are your best friends in the early stages of fuzzing. Master the basics before getting complex.
Our report is dense and technical, so we summarized its key findings in a 20-minute podcast in plain language.
We believe it's crucial that a wider audience understand the risks of blockchain technology. Listen now: