We’re so excited about the work we did to close 2022 and what it means for 2023. We took a look at the last few months in our newsletter mailchi.mp/trailofbits/tr
Pinned Tweet
Show this thread
Follow
Trail of Bits
@trailofbits
We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Trail of Bits’s Tweets
Found this little gem of an article while looking into WebAuthn: blog.trailofbits.com/2019/06/20/get via
2
1
Echidna 2.0.5 is out - we can prank now! (spoof message senders)
2
13
71
Do you use ebpf (ahem, EDR vendors..)? Check out this cool test harness created by Laura Bauman, an intern at - it might make your verifier testing less of a nightmare.
Quote Tweet
Harnessing the eBPF Verifier blog.trailofbits.com/2023/01/19/ebp
2
8
This looks amazing. There's so much "treasure" lurking just under the surface of Windows buried in RPC calls.
Quote Tweet
Today, we are releasing RPC Investigator, made for exploring RPC clients and servers on Windows. This .NET application builds on the NtApiDotNet platform, adding features that offer a new way to explore RPC blog.trailofbits.com/2023/01/17/rpc
2
2
. announced the first stable release of sigstore-python, improving software supply chain security. #cybersecurity #infosec #ITsecurity
7
8
Today, we are releasing RPC Investigator, made for exploring RPC clients and servers on Windows. This .NET application builds on the NtApiDotNet platform, adding features that offer a new way to explore RPC
7
155
404
Today the results of my internship at were published! blog.trailofbits.com/2023/01/12/wol
Thanks to everyone involved at and and !
4
14
45
Show this thread
i'm extremely excited to announce the first-stable release of sigstore-python!
blog.trailofbits.com/2023/01/13/sig
this release comes exactly one year after we started working on sigstore-python at ; this will be a thread on what you can expect now that we're at 1.0!
1/7
1
15
22
Show this thread
Our goals with sigstore-python are two-fold: provide an extremely intuitive CLI and API and be one of the most authoritative clients in terms of succinctly and correctly implementing the intricacies of Sigstore’s security model. Read how we're doing it!
1
6
Show this thread
If you aren’t already familiar with , we’ve written an explainer, including an explanation of what Sigstore is and how you can use it on your own projects
1
5
14
Show this thread
We are thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year!
1
12
42
Show this thread
Pumped about this release from slither , GPT3 and codex detector in solidty audit. Check out how we use it in ERC721M github.com/magiceden-oss/
1
5
I love me a good hacker con talk, but blogs like this from are objectively so much better for learning about and jumping into the problem space, yourself
2
11
We also have released an update to Dylint, which improves its usability. Use it to create custom Rust lints and security rules
6
9
Show this thread
The use of the codex detector is not turned on by default, as it can provide false positives/negatives. However, we are excited about the possibilities this new feature brings to Slither
1
12
Show this thread
A new release of Slither is available, which now uses OpenAI's Codex to auto-generate solidity documentation and leverages GPT-3 to find vulnerabilities.
1
39
179
Show this thread
Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL. Last year, an intern found these automatically using the novel protocol fuzzer tlspuffin. Read more about our intern's work:
12
38
just added codex to Slither 🔥 what happens 2 mins later, I hit the quota limit lol. Need to consider upgrading I guess github.com/crytic/slither
1
3
16
Show this thread
We're thrilled to announce that Trail of Bits is a #2023BuiltInBest winner among the 50 Best Startup Places to Work in NYC! Learn more about our company culture and view the roles we’re hiring for! builtin.com/awards/new-yor
5
9
While we take great pride in the tools we develop, we also benefit from tools maintained outside of the company. In 2022, we had more than 400 pull requests merged into non-ToB repos. We thank the maintainers for innumerable hours spent on this work!
9
29
If you want to keep up with everything we are doing, make sure you subscribe to our newsletter eepurl.com/gPs_Rb
6
Show this thread
1/ The DeFi Security Summit (DSS) is an annual event that brings together experts in blockchain security to discuss the latest developments and best practices for protecting your code.
8
40
116
Show this thread
Now up, an explanation of "end-to-end" voting, which is designed to provide security and privacy for remote voting.
educatedguesswork.org/posts/voting-c
This is a simplified (minimal math) explanation of the pioneering work of Josh Benaloh, , and others.
3
7
38
Show this thread
You can read the review, the threat model we produced for cURL and 's blog at the links below github.com/trailofbits/pu
github.com/trailofbits/pu
daniel.haxx.se/blog/2022/12/2
2
Show this thread
We believe software providers should follow 's lead if they choose to publish their security reviews. It's a great example of how engineering teams can work with us -- we are proud of the compliments and cognizant of our responsibility to consider his critiques.
1
1
2
Show this thread
His blog post provides terrific and meaningful context. gives us high praise, but also highlights findings he disagrees with, provides context on why, and provides links to the responses cURL made to each of the audit points
1
1
2
Show this thread
We were really thrilled to see cURL founder write a blog post about our recent security review, and wanted to highlight some important things he pointed out
2
12
32
Show this thread
we at released sigstore-python 0.9.0 today!
this is a big deal for the Python implementation of , since it’s the first version using TUF to automagically establish trust in Sigstore’s “public good” instances! 🎉
as always, just `pip install`:
1/3
2
15
43
Show this thread
This is cool: the grammar for queries is derived from the indexed code. A query that can't parse can't be matched. Unifying synthetic query ASTs against compiler ASTs makes matched variables a stepping off point for further analysis. There is more to searching than finding!
Quote Tweet
The naive approach to searching for patterns in source code is to use regular expressions, but that has limitations. Our intern prototyped an internal tool that does searching on Clang ASTs to avoid these limitations blog.trailofbits.com/2022/12/22/syn
1
3
13
The naive approach to searching for patterns in source code is to use regular expressions, but that has limitations. Our intern prototyped an internal tool that does searching on Clang ASTs to avoid these limitations
3
17
96
Quote Tweet
Tomorrow will be the last episode of our smart contract fuzzing livestream workshop. Join us at 12 ET on Twitch/YouTube (twitch.tv/trailofbits)(youtube.com/trailofbits) and catch up on what you've missed with this YouTube playlist youtube.com/playlist?list=
8
Tomorrow will be the last episode of our smart contract fuzzing livestream workshop. Join us at 12 ET on Twitch/YouTube (twitch.tv/trailofbits)(youtube.com/trailofbits) and catch up on what you've missed with this YouTube playlist
1
16
69
A really nice title (and a good article) on process reparenting for offensive #cybersecurity: blog.trailofbits.com/2022/12/20/pro And a perfect 10/10, , for the seasonal name :)
2
6
Process reparenting is a Windows technique used by malicious actors, but it can also be a benign, legitimate event. has insights on how to investigate this behavior
95
202
An intern implemented new features in ManticoreUI, and then used those features to find a vulnerability in set of libraries used in medical imaging
1
6
33
We are going to be starting in a few minutes! come by and fuzz with us
twitch.tv/trailofbits
youtu.be/vQTexNuWDrM
Quote Tweet
24 hours from now, we'll be hosting another livestream tool workshop. If you want to join us, make sure you subscribe to our Twitch and YouTube channels for a notification on when we go live! twitch.tv/trailofbits youtube.com/trailofbits
2
