From trailofbits.com
Attestations: A new generation of signatures on PyPI
1 13
Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digita…
on Thu, 3PM
From trailofbits.com
0 2
By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial…
on Wed, 12PM
From trailofbits.com
Fuzzing between the lines in popular barcode software
0 0
By Artur Cygan Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most impo…
on Oct 31
From trailofbits.com
A deep dive into Linux’s new mseal syscall
0 1
By Alan Cao If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond…
on Oct 25
From trailofbits.com
Cryptography – Trail of Bits Blog
0 0
Posts about Cryptography written by Trail of Bits and Dan Guido
on Oct 17
From trailofbits.com
Auditing Gradio 5, Hugging Face’s ML GUI framework
0 0
This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. Huggin…
on Oct 16
From trailofbits.com
Microsoft didn’t sandbox Windows Defender, so I did
0 0
Microsoft exposed their users to a lot of risks when they released Windows Defender without a sandbox. This surprised me. Sandboxing is one of the most effective security-hardening techniques. Why …
on Oct 8
From trailofbits.com
Securing the software supply chain with the SLSA framework
0 0
By Cliff Smith Software supply chain security has been a hot topic since the Solarwinds breach back in 2020. Thanks to the Supply-chain Levels for Software Artifacts (SLSA) framework, the software …
on Oct 1
From trailofbits.com
A few notes on AWS Nitro Enclaves: Attack surface
0 4
By Paweł Płatek In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. But with great power comes great responsibility—and p…
on Sep 24
From trailofbits.com
Announcing the Trail of Bits and Semgrep partnership
0 0
At Trail of Bits, we aim to share and develop tools and resources used in our security assessments with the broader security community. Many clients, we observed, don’t use Semgrep to its ful…
on Sep 19
From trailofbits.com
Inside DEF CON: Michael Brown on how AI/ML is revolutionizing cybersecurity
0 0
At DEF CON, Michael Brown, Principal Security Engineer at Trail of Bits, sat down with Michael Novinson from Information Security Media Group (ISMG) to discuss four critical areas where AI/ML is re…
on Sep 17
From trailofbits.com
Friends don’t let friends reuse nonces
0 0
By Joe Doyle If you’ve encountered cryptography software, you’ve probably heard the advice to never use a nonce twice—in fact, that’s where the word nonce (number used once) comes from. Depending o…
on Sep 13
From trailofbits.com
Sanitize your C++ containers: ASan annotations step-by-step
0 0
By Dominik Klemba and Dominik Czarnota AddressSanitizer (ASan) is a compiler plugin that helps detect memory errors like buffer overflows or use-after-frees. In this post, we explain how to equip y…
on Sep 10
From trailofbits.com
“Unstripping” binaries: Restoring debugging information in GDB with Pwndbg
0 0
By Jason An GDB loses significant functionality when debugging binaries that lack debugging symbols (also known as “stripped binaries”). Function and variable names become meaningless addresses; se…
on Sep 6
From trailofbits.com
What would you do with that old GPU?
0 3
By Artem Dinaburg and Peter Goodman (Would you get up and throw it away?) [sing to the tune of The Beatles – With A Little Help From My Friends] Here’s a riddle: when new GPUs are constantly …
on Sep 5
From trailofbits.com
Provisioning cloud infrastructure the wrong way, but faster
0 1
By Artem Dinaburg Today we’re going to provision some cloud infrastructure the Max Power way: by combining automation with unchecked AI output. Unfortunately, this method produces cloud infrastruct…
on Aug 27
From trailofbits.com
“YOLO” is not a valid hash construction
0 0
By Opal Wright Among the cryptographic missteps we see at Trail of Bits, “let’s build our own tool out of a hash function” is one of the most common. Clients have a problem along the li…
on Aug 24
From trailofbits.com
We wrote the code, and the code won
0 0
By Tjaden Hess Earlier this week, NIST officially announced three standards specifying FIPS-approved algorithms for post-quantum cryptography. The Stateless Hash-Based Digital Signature Algorithm (…
on Aug 15
From trailofbits.com
Trail of Bits Advances to AIxCC Finals
0 2
Trail of Bits has qualified for the final round of DARPA’s AI Cyber Challenge (AIxCC)! Our Cyber Reasoning System, Buttercup, placed in the top 7 out of 39 teams competing in the semifinal ro…
on Aug 13
From trailofbits.com
Trail of Bits’ Buttercup heads to DARPA’s AIxCC
0 0
With DARPA’s AI Cyber Challenge (AIxCC) semifinal starting today at DEF CON 2024, we want to introduce Buttercup, our AIxCC submission. Buttercup is a Cyber Reasoning System (CRS) that combin…
on Aug 9
From trailofbits.com
Beyond the best: A new era of recommendations
0 0
By Josiah Dykstra We continuously aim to question assumptions and challenge conventional wisdom, even our own. Today, we are pleased to announce that we are dropping our use of the problematic phra…
on Aug 7
From trailofbits.com
Cloud cryptography demystified: Google Cloud Platform
0 0
By Scott Arciszewski This post, the second in our series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Google Cloud Platform (GCP): when to us…
on Aug 5
From trailofbits.com
0 1
By William Woodruff This is a joint post with the Homebrew maintainers; read their announcement here! Last summer, we performed an audit of Homebrew. Our audit’s scope included Homebrew/brew itself…
on Jul 30
From trailofbits.com
Our crypto experts answer 10 key questions
0 1
By Justin Jacob Cryptography is a fundamental part of electronics and the internet that helps secure credit cards, cell phones, web browsing (fingers crossed you’re using TLS!), and even top-secret…
on Jul 25
From trailofbits.com
Announcing AES-GEM (AES with Galois Extended Mode)
0 0
By Scott Arciszewski Today, AES-GCM is one of two cipher modes used by TLS 1.3 (the other being ChaCha20-Poly1305) and the preferred method for encrypting data in FIPS-validated modules. But despit…
on Jul 12
From trailofbits.com
Trail of Bits named a leader in cybersecurity consulting services
0 0
Trail of Bits has been recognized as a leader in cybersecurity consulting services according to The Forrester Wave™: Cybersecurity Consulting Services, Q2 2024. In this evaluation, we were compared…
on Jul 9
From trailofbits.com
Auditing the Ask Astro LLM Q&A app
0 0
Today, we present the second of our open-source AI security audits: a look at security issues we found in an open-source retrieval augmented generation (RAG) application that could lead to chatbot …
on Jul 5
From trailofbits.com
Quantum is unimportant to post-quantum
0 0
By Opal Wright You might be hearing a lot about post-quantum (PQ) cryptography lately, and it’s easy to wonder why it’s such a big deal when nobody has actually seen a quantum computer.…
on Jul 1
From trailofbits.com
The Good, the Bad, and the Weird
0 1
Let’s automatically identify weird machines in software. Combating software exploitation has been a cat-and-mouse game ever since the Morris worm in 1988. Attackers use specific exploitation primit…
on Jun 30
From trailofbits.com
0 0
By Marek Surovič and Henrich Lauko EuroLLVM is a developer meeting focused on projects under the LLVM Foundation umbrella that live in the LLVM GitHub monorepo, like Clang and—more recently, thanks…
on Jun 26
From trailofbits.com
Finding mispriced opcodes with fuzzing
0 0
By Max Ammann Fuzzing—a testing technique that tries to find bugs by repeatedly executing test cases and mutating them—has traditionally been used to detect segmentation faults, buffer overflows, a…
on Jun 25
From trailofbits.com
Themes from Real World Crypto 2024
0 0
In March, Trail of Bits engineers traveled to the vibrant (and only slightly chilly) city of Toronto to attend Real World Crypto 2024, a three-day event that hosted hundreds of brilliant minds in t…
on Jun 25
From trailofbits.com
Understanding Apple’s On-Device and Server Foundation Models release
0 0
By Artem Dinaburg Earlier this week, at Apple’s WWDC, we finally witnessed Apple’s AI strategy. The videos and live demos were accompanied by two long-form releases: Apple’s Private Cloud Compute a…
on Jun 25
From trailofbits.com
PCC: Bold step forward, not without flaws
0 1
By Adelin Travers Earlier this week, Apple announced Private Cloud Compute (or PCC for short). Without deep context on the state of the art of Artificial Intelligence (AI) and Machine Learning (ML)…
on Jun 25
From trailofbits.com
Disarming Fiat-Shamir footguns
0 0
By Opal Wright The Fiat-Shamir transform is an important building block in zero-knowledge proofs (ZKPs) and multi-party computation (MPC). It allows zero-knowledge proofs based on interactive proto…
on Jun 25
From trailofbits.com
Announcing the Burp Suite Professional chapter in the Testing Handbook
0 0
By Maciej Domanski Based on our security auditing experience, we’ve found that Burp Suite Professional’s dynamic analysis can uncover vulnerabilities hidden amidst the maze of various t…
on Jun 25
From trailofbits.com
Exploiting ML models with pickle file attacks: Part 2
0 0
By Boyan Milanov In part 1, we introduced Sleepy Pickle, an attack that uses malicious pickle files to stealthily compromise ML models and carry out sophisticated attacks against end users. Here we…
on Jun 24
From trailofbits.com
Exploiting ML models with pickle file attacks: Part 1
0 0
By Boyan Milanov We’ve developed a new hybrid machine learning (ML) model exploitation technique called Sleepy Pickle that takes advantage of the pervasive and notoriously insecure Pickle file form…
on Jun 24
From trailofbits.com
Announcing AI/ML safety and security trainings
0 0
By Michael D. Brown We are offering AI/ML safety and security training in summer and fall of this year! Recent advances in AI/ML technologies opened up a new world of possibilities for businesses t…
on Jun 17
From trailofbits.com
0 0
Here at Trail of Bits we review a lot of code. From major open source projects to exciting new proprietary software, we’ve seen it all. But one common denominator in all of these systems is that fo…
on Jun 7
From trailofbits.com
Internship Projects – Trail of Bits Blog
0 0
Posts about Internship Projects written by Trail of Bits
on Jun 4
From trailofbits.com
Part 1: The life of an optimization barrier
0 0
By Fredrik Dahlgren Many engineers choose Rust as their language of choice for implementing cryptographic protocols because of its robust security guarantees. Although Rust makes safe cryptographic…
on May 27
From trailofbits.com
Understanding AddressSanitizer: Better memory safety for your code
0 0
By Dominik Klemba and Dominik Czarnota This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote c…
on May 16
From trailofbits.com
A peek into build provenance for Homebrew
0 0
By Joe Sweeney and William Woodruff Last November, we announced our collaboration with Alpha-Omega and OpenSSF to add build provenance to Homebrew. Today, we are pleased to announce that the core o…
on May 14
From trailofbits.com
Using benchmarks to speed up Echidna
0 0
By Ben Siraphob During my time as a Trail of Bits associate last summer, I worked on optimizing the performance of Echidna, Trail of Bits’ open-source smart contract fuzzer, written in Haskell. Thr…
on May 8
From trailofbits.com
The life and times of an Abstract Syntax Tree
0 0
By Francesco Bertolaccini You’ve reached computer programming nirvana. Your journey has led you down many paths, including believing that God wrote the universe in LISP, but now the truth is …
on May 2
From trailofbits.com
Curvance: Invariants unleashed
0 0
By Nat Chin Welcome to our deep dive into the world of invariant development with Curvance. We’ve been building invariants as part of regular code review assessments for more than 6 years now, but …
on Apr 30
From trailofbits.com
Announcing two new LMS libraries
0 0
By Will Song The Trail of Bits cryptography team is pleased to announce the open-sourcing of our pure Rust and Go implementations of Leighton-Micali Hash-Based Signatures (LMS), a well-studied NIST…
on Apr 26
From trailofbits.com
0 0
I think you’ll agree when I say: there’s no VPN option on the market designed with equal emphasis on security and ease of use. That changes now. Today we’re introducing Algo, a self-hosted personal…
on Apr 25
From trailofbits.com
5 reasons to strive for better disclosure processes
0 0
By Max Ammann This blog showcases five examples of real-world vulnerabilities that we’ve disclosed in the past year (but have not publicly disclosed before). We also share the frustrations we faced…
on Apr 15