Trail of Bits

@trailofbits@infosec.exchange
We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Website: https://trailofbits.com
Podcast: https://trailofbits.audio
GitHub: https://github.com/trailofbits
Blog: https://blog.trailofbits.com

DARPA's AI Cyber Challenge finals are underway. Seven autonomous AI systems are competing to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL that power our digital infrastructure.

Learn more: https://blog.trailofbits.com/2025/07/02/buckle-up-buttercup-aixccs-scored-round-is-underway/

We’re sponsoring REcon this weekend with a team of security engineers attending. See you there! https://www.recon.cx/

Did you know the biggest cause of crypto hacks in 2024 goes entirely unnoticed by most security audits? This attack vector was responsible for 43% of the crypto stolen in 2024, and isn't eligible as a finding in audit contests or most audit engagements.

Answer: Private key compromise.

In this post, you'll learn how to make protocols resilient to private key leaks using our 4-level framework: https://blog.trailofbits.com/2025/06/25/maturing-your-smart-contracts-beyond-private-key-risk/

Our new Testing Handbook section on snapshot fuzzing helps security engineers test software that's traditionally difficult to analyze, such as kernel components and antivirus, where a single crash can take down the entire system.

Snapshot fuzzing captures memory and register states at critical execution points, allowing security engineers to:

- Test thousands of code paths without time-consuming system restarts
- Ensure fully deterministic testing where the same input always produces the same result
- Eliminate unreproducible crashes by starting each test from identical states
- Easily track code coverage and detect failures in emulated environments

In this section, we provide step-by-step instructions for building custom harnesses, fuzz campaigns, and more using What the Fuzz (wtf), an open-source snapshot-based fuzzer.

https://blog.trailofbits.com/2025/04/09/introducing-a-new-section-on-snapshot-fuzzing-for-kernel-level-testing-in-the-testing-handbook/

Introducing a new section on snapshot fuzzing for kernel-level testing in the Testing Handbook

Snapshot Fuzzing enables security engineers to effectively test software that is traditionally difficult to analyze, such as kernel-level software (though the technique is not limited to such software). Whether you’re auditing drivers or other kernel-mode components, including antivirus software, snapshot fuzzing provides a robust way to discover critical vulnerabilities. Consult our new Testing Handbook section for a walkthrough on how to conduct snapshot fuzzing on your system.


Just as you regularly update your computer's software, you should also regularly update your threat model.

Read our blog: https://blog.trailofbits.com/2025/03/03/continuous-trail/

Continuous TRAIL

You and your team should incrementally update your threat model as your system changes, integrating threat modeling into each phase of your SDLC to create a Threat and Risk Analysis Informed Lifecycle (TRAIL). Here, we cover how to do that: how to further tailor the threat model we built, how to maintain it, when to update it as development continues, and how to make use of it.


Invariant-driven development is the future of smart contract development.

Read more here: https://hubs.la/Q036nQM40

The call for invariant-driven development

By Josselin Feist. Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex,…


We've been named among BuiltIn's 100 Best Remote Midsize Places to Work for our commitment to remarkable talent. Full health coverage, 4 months parental leave, and industry-leading compensation are just a few ways we reflect our investment in engineering excellence. https://builtin.com/awards/remote/2025/best-midsize-places-to-work#trail-of-bits
100 Best Midsize Remote Companies to Work for 2025 | Built In

Built In’s Best Midsize Remote Companies to Work for list algorithmically ranks midsize fully remote tech companies with the best employee benefits and salary in 2025.

Read our Fall Tribune: We uncovered security pitfalls in AWS Nitro Enclaves, published our audit of Hugging Face's Gradio library, and expanded our Testing Handbook with cryptographic testing guidance.
https://hubs.la/Q02YG6xQ0

In this week's @riskybusiness episode, @dguido talks about all things post-quantum cryptography:
• Quantum computer timeline
• PQC implementation challenges
• Hybrid encryption solutions
• Device lifespan considerations
https://risky.biz/RBNEWSSI62/

A few of our fav PQC resources:
https://blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/
https://blog.trailofbits.com/2024/07/01/quantum-is-unimportant-to-post-quantum/
https://blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/
https://blog.trailofbits.com/category/cryptography/

Sponsored: Trail of Bits on post-quantum cryptography - Risky Business


We're excited to announce a new partnership with Semgrep to promote secure-by-design practices in application security. This collaboration will accelerate the delivery of advanced Semgrep features to our clients, enhancing vulnerability detection and mitigation. https://blog.trailofbits.com/2024/09/19/announcing-the-trail-of-bits-and-semgrep-partnership/
Announcing the Trail of Bits and Semgrep partnership

At Trail of Bits, we aim to share and develop tools and resources used in our security assessments with the broader security community. Many clients, we observed, don’t use Semgrep to its ful…
