The Latest News and Information from Trail of Bits
- Evaluating Solidity support in AI coding assistantsby Trail of Bits on November 19, 2024 at 2:00 pm
By Artem Dinaburg AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby
- Attestations: A new generation of signatures on PyPIby William Woodruff on November 14, 2024 at 2:00 pm
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring
- Killing Filecoin nodesby Trail of Bits on November 13, 2024 at 11:00 am
By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability
- Fuzzing between the lines in popular barcode softwareby Trail of Bits on October 31, 2024 at 1:00 pm
By Artur Cygan Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that’s not always the case. In this blog post, we show how we fuzzed the ZBar barcode scanning library
- A deep dive into Linux’s new mseal syscallby Trail of Bits on October 25, 2024 at 1:00 pm
By Alan Cao If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we’ll explain what this syscall is, including
- Auditing Gradio 5, Hugging Face’s ML GUI frameworkby Trail of Bits on October 10, 2024 at 4:00 pm
This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. Hugging Face hired Trail of Bits to audit Gradio 5, a popular open-source library that provides a web interface that
- Securing the software supply chain with the SLSA frameworkby Trail of Bits on October 1, 2024 at 1:00 pm
By Cliff Smith Software supply chain security has been a hot topic since the Solarwinds breach back in 2020. Thanks to the Supply-chain Levels for Software Artifacts (SLSA) framework, the software industry is now at the threshold of sustainably solving many of the biggest challenges in securely building and distributing open-source software. SLSA is a
- A few notes on AWS Nitro Enclaves: Attack surfaceby Trail of Bits on September 24, 2024 at 1:00 pm
By Paweł Płatek In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. But with great power comes great responsibility—and potential security pitfalls. As pioneers in confidential computing security, we at Trail of Bits have scrutinized the attack surface of AWS Nitro Enclaves, uncovering potential
- Announcing the Trail of Bits and Semgrep partnershipby Trail of Bits on September 19, 2024 at 1:00 pm
At Trail of Bits, we aim to share and develop tools and resources used in our security assessments with the broader security community. Many clients, we observed, don’t use Semgrep to its fullest potential or even at all. To bridge this gap and encourage broader adoption, our CEO, Dan Guido, initiated discussions with the Semgrep
- Inside DEF CON: Michael Brown on how AI/ML is revolutionizing cybersecurityby Trail of Bits on September 17, 2024 at 1:00 pm
At DEF CON, Michael Brown, Principal Security Engineer at Trail of Bits, sat down with Michael Novinson from Information Security Media Group (ISMG) to discuss four critical areas where AI/ML is revolutionizing security. Here’s what they covered: AI/ML techniques surpass the limits of traditional software analysis As Moore’s law slows down after 20 years of