Crypto 2019 Takeaways

September 11, 2019

This year’s IACR Crypto conference was an excellent blend of far-out theory and down-to-earth pragmatism. A major theme throughout the conference was the huge importance of getting basic cryptographic primitives right. Systems ranging from TLS servers and bitcoin wallets to state-of-the-art secure multiparty computation protocols were broken when one small sub-component was either chosen poorly or misused. People need to stop using RSA, drop AES-CBC, and make sure they’re generating…

DeepState Now Supports Ensemble Fuzzing

September 3, 2019

by Alan Cao, Francis Lewis High School, Queens, NY

We are proud to announce the integration of ensemble fuzzing into DeepState, our unit-testing framework powered by fuzzing and symbolic execution. Ensemble fuzzing allows testers to execute multiple fuzzers with varying heuristics in a single campaign, while maintaining an architecture for synchronizing generated input seeds across fuzzer queues. This new ensemble fuzzer includes a new deepstate-ensembler tool and several notable fuzzer…

Rewriting Functions in Compiled Binaries

September 2, 2019

by Aditi Gupta, Carnegie Mellon University

As a summer intern at Trail of Bits, I’ve been working on building Fennec, a tool to automatically replace function calls in compiled binaries that’s built on top of McSema, a binary lifter developed by Trail of Bits.

The Problem

Let’s say you have a compiled binary, but you don’t have access to the original source code. Now, imagine you find something wrong with your…

Binary symbolic execution with KLEE-Native

August 30, 2019

by Sai Vegasena, New York University, and Peter Goodman, Senior Security Engineer

KLEE is a symbolic execution tool that intelligently produces high-coverage test cases by emulating LLVM bitcode in a custom runtime environment. Yet, unlike simpler fuzzers, it’s not a go-to tool for automated bug discovery. Despite constant improvements by the academic community, KLEE remains difficult for bug hunters to adopt. We’re working to bridge this gap! My internship project…

Reverse Taint Analysis Using Binary Ninja

August 29, 2019

by Henry Wildermuth, Horace Mann High School

We open-sourced a set of static analysis tools, KRFAnalysis, that analyze and triage output from our system call (syscall) fault injection tool KRF. Now you can easily figure out where and why KRF crashes your programs. During my summer internship at Trail of Bits, I worked on KRF, a fuzzer that directly faults syscalls to cause crashes. KRF works extremely well and pumps…

Wrapper’s Delight

August 26, 2019

by Patrick Palka, University of Illinois at Chicago

During my summer at Trail of Bits, I took full advantage of the latest C++ language features to build a new SQLite wrapper from scratch that is easy to use, lightweight, high performance, and concurrency friendly—all in under 750 lines of code. The wrapper is available at https://github.com/trailofbits/sqlite_wrapper under the Apache 2.0 license. Comments and pull requests are welcome. The motivation for…

A Day in the Life of Alessandro Gario, Senior Security Engineer

August 9, 2019

People interested in joining Trail of Bits often ask us what it’s like to work on the Engineering Services team. We felt that the best answer would be a profile of some of the talented individuals on our team, and let them describe their experiences at Trail of Bits in their own words. Today, we’re featuring Alessandro Gario, a member of our Engineering Team who lives in Italy. Alessandro works…

246 Findings From our Smart Contract Audits: An Executive Summary

August 8, 2019

Until now, smart contract security researchers (and developers) have been frustrated by limited information about the actual flaws that survive serious development efforts. That limitation increases the risk of making critical smart contracts vulnerable, misallocating resources for risk reduction, and missing opportunities to employ automated analysis tools. We’re changing that. Today, Trail of Bits is disclosing the aggregate data from every full smart contract security review we’ve ever done. The…

From The Depths Of Counterfeit Smartphones

August 7, 2019

In an age of online second-hand retailers, marketplace exchanges, and third-party refurb shops, it’s easier than ever to save hundreds of dollars when buying a phone. These channels provide an appealing alternative for people foregoing a retail shopping experience for a hefty discount. However, there is an additional option for those bargain hunters seeking even more savings: counterfeits of popular phone models. These knock-offs have become a burgeoning industry, transforming…
