Trail of Bits

@trailofbits@infosec.exchange
1.4K Followers
5 Following
307 Posts
We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Website: https://trailofbits.com
Podcast: https://trailofbits.audio
GitHub: https://github.com/trailofbits
Blog: https://blog.trailofbits.com

"Failed to compile: missing dependency" sound familiar?
Whether you're building open-source software or running mystery binaries, our new tool, Deptective, automatically discovers the packages you need for successful execution.

Read the blog: https://blog.trailofbits.com/2025/07/08/investigate-your-dependencies-with-deptective/
Another tool in our software supply chain security arsenal. Try Deptective: https://github.com/trailofbits/deptective

Investigate your dependencies with Deptective

Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime.

The Trail of Bits Blog

DARPA's AI Cyber Challenge finals are underway. Seven autonomous AI systems are competing to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL that power our digital infrastructure.

Learn more: https://blog.trailofbits.com/2025/07/02/buckle-up-buttercup-aixccs-scored-round-is-underway/

We’re sponsoring REcon this weekend with a team of security engineers attending. See you there! https://www.recon.cx/

Did you know the biggest cause of crypto hacks in 2024 goes entirely unnoticed by most security audits? This attack vector was responsible for 43% of the crypto stolen in 2024, and it isn't eligible as a finding in audit contests or most audit engagements.

Answer: Private key compromise.

In this post, you'll learn how to make protocols resilient to private key leaks using our 4-level framework: https://blog.trailofbits.com/2025/06/25/maturing-your-smart-contracts-beyond-private-key-risk/

As a Go developer, do you fully understand Go's JSON/XML/YAML parsers? They are surprisingly prone to attacks with simple misconfigurations:
Three unexpected attack scenarios:
1. Marshaling private data with misconfigured tags
2. Parser differentials in a microservices architecture
3. Cross-format confusion attacks (JSON→XML)

https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/

Unexpected security footguns in Go's parsers

File parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.

The Trail of Bits Blog
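
The first scenario in the post, marshaling private data through a misconfigured tag, as an added Go example that is not code from the Trail of Bits post: the struct and field names are constructed, and the comparison rests on encoding/json's documented tag rule that only a bare "-" skips a field.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// LeakyUser (constructed) tries to hide the password hash with the tag
// `json:"-,omitempty"`. encoding/json only skips a field whose whole tag is
// "-"; "-,omitempty" is parsed as a field NAMED "-" with the omitempty option,
// so the hash is serialized under the key "-".
type LeakyUser struct {
	Name         string `json:"name"`
	PasswordHash string `json:"-,omitempty"`
}

// SafeUser uses the bare "-" tag, the only spelling that omits the field.
type SafeUser struct {
	Name         string `json:"name"`
	PasswordHash string `json:"-"`
}

// MarshalLeaky serializes a LeakyUser and returns the JSON document.
func MarshalLeaky(name, hash string) (string, error) {
	b, err := json.Marshal(LeakyUser{Name: name, PasswordHash: hash})
	return string(b), err
}

// MarshalSafe serializes a SafeUser and returns the JSON document.
func MarshalSafe(name, hash string) (string, error) {
	b, err := json.Marshal(SafeUser{Name: name, PasswordHash: hash})
	return string(b), err
}

// ContainsSecret is the kind of regression check worth adding to API tests:
// does the serialized response still carry the secret anywhere?
func ContainsSecret(doc, secret string) bool {
	return strings.Contains(doc, secret)
}

func main() {
	const hash = "constructed-argon2id-hash" // constructed sample value
	leaky, _ := MarshalLeaky("alice", hash)
	safe, _ := MarshalSafe("alice", hash)
	fmt.Println("misconfigured tag:", leaky, "leaks secret:", ContainsSecret(leaky, hash))
	fmt.Println("bare \"-\" tag:     ", safe, "leaks secret:", ContainsSecret(safe, hash))
}
```

A `go vet` run flags neither struct, so a test that marshals every response type and searches for known secret values is the cheaper safety net here.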

In 2023, we reviewed one of the first DKLs23 libraries built by Silence Laboratories. Read more about our process and dive into the key issues and recommendations we identified:
https://blog.trailofbits.com/2025/06/10/what-we-learned-reviewing-one-of-the-first-dkls23-libraries-from-silence-laboratories/

What we learned reviewing one of the first DKLs23 libraries from Silence Laboratories

In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed.

The Trail of Bits Blog

$5B in revenue, millions of mobile players, one question: are the dice rolls fair?

When Monopoly GO! players questioned their dice roll outcomes, the game's developers hired us to conduct an independent cryptographic design assessment of their PRNG architecture.

Our cryptographic design assessment evaluated two core concerns:
✅ Whether the random number generator produces unbiased outcomes for all players
✅ Whether the countermeasures effectively prevent malicious actors from predicting or manipulating results through client-side attacks

Read the case study: https://trailofbits.info/monopolygo-casestudy

We released a new Pwndbg: https://github.com/pwndbg/pwndbg/releases/tag/2025.05.30 !

Among other things, it brings:
- New & improved kernel debugging commands (buddydump, msr, slab) and more x64 regs in context
- New command for dealing with armcm exceptions: dump-register-frame
- Disasm now shows an ✘ marker for emulated branches we know won't be taken
- Improved disasm for ARM, MIPS and LoongArch64 architectures
- Initial support for the IBM s390x architecture
- IDA sync integration fixes

And also cool portable one-liner installers:
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-gdb
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-lldb

Want to support us? Sponsor us at https://github.com/sponsors/pwndbg !

#pwning #gdb #ctfs #lldb #security #ctf #pwndbg

🔒 Member Spotlight: Trail of Bits
From PEP 740 to OpenSSF Scorecard dashboards, they’re shaping the future of #OpenSourceSecurity with standards, prototypes, & policy leadership.

Read more 👇
🔗 https://openssf.org/blog/2025/05/30/member-spotlight-trail-of-bits-driving-open-source-security-through-standards-prototypes-and-policy/

In 2023, we audited Axiom's Halo2 circuits and found 35 security issues, including 4 high-severity soundness bugs that could break the ZK system entirely.

The Axiom team engaged us early in development. They fixed all issues, and we helped them build comprehensive test suites to strengthen their security posture.

https://trailofbits.info/axiom-blog

A deep dive into Axiom’s Halo2 circuits

Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.

The Trail of Bits Blog