Trail of Bits

The Latest News and Information from Trail of Bits

  • Auditing the Ruby ecosystem’s central package repository
    by Trail of Bits on December 11, 2024 at 2:00 pm

    Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. With over 184+ billion downloads to date, RubyGems.org is critical infrastructure for the Ruby language ecosystem. This is a joint post with the Ruby Central team; read their announcement here!

  • 35 more Semgrep rules: infrastructure, supply chain, and Ruby
    by Trail of Bits on December 9, 2024 at 2:00 pm

    By Matt Schwager and Travis Peters. We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and HCL language support for technologies

  • Evaluating Solidity support in AI coding assistants
    by Trail of Bits on November 19, 2024 at 2:00 pm

    By Artem Dinaburg. AI-enabled code assistants (like GitHub’s Copilot, Continue.dev, and Tabby) are making software development faster and more productive. Unfortunately, these tools are often bad at Solidity. So we decided to improve them! To make it easier to write, edit, and understand Solidity with AI-enabled tools, we have: Added support for Solidity into Tabby

  • Attestations: A new generation of signatures on PyPI
    by William Woodruff on November 14, 2024 at 2:00 pm

    For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring

  • Killing Filecoin nodes
    by Trail of Bits on November 13, 2024 at 11:00 am

    By Simone Monica. In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is caused by an incorrect validation of an index, resulting in an index out-of-range panic. The vulnerability

  • Fuzzing between the lines in popular barcode software
    by Trail of Bits on October 31, 2024 at 1:00 pm

    By Artur Cygan. Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that’s not always the case. In this blog post, we show how we fuzzed the ZBar barcode scanning library

  • A deep dive into Linux’s new mseal syscall
    by Trail of Bits on October 25, 2024 at 1:00 pm

    By Alan Cao. If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we’ll explain what this syscall is, including

  • Auditing Gradio 5, Hugging Face’s ML GUI framework
    by Trail of Bits on October 10, 2024 at 4:00 pm

    This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. Hugging Face hired Trail of Bits to audit Gradio 5, a popular open-source library that provides a web interface that

  • Securing the software supply chain with the SLSA framework
    by Trail of Bits on October 1, 2024 at 1:00 pm

    By Cliff Smith. Software supply chain security has been a hot topic since the SolarWinds breach back in 2020. Thanks to the Supply-chain Levels for Software Artifacts (SLSA) framework, the software industry is now at the threshold of sustainably solving many of the biggest challenges in securely building and distributing open-source software. SLSA is a

  • A few notes on AWS Nitro Enclaves: Attack surface
    by Trail of Bits on September 24, 2024 at 1:00 pm

    By Paweł Płatek. In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. But with great power comes great responsibility—and potential security pitfalls. As pioneers in confidential computing security, we at Trail of Bits have scrutinized the attack surface of AWS Nitro Enclaves, uncovering potential
