Publications from Trail of Bits
- Academic Papers
- Conference Presentations
- Datasets
- Podcasts
- Public Comments
- Security Reviews
- Disclosures
- Workshops
- Legend
Academic Papers
Conference Presentations
Automated bug finding and exploitation
Blockchain
Cryptography
Presentation Title | Author(s) | Year |
---|---|---|
Ergonomic codesigning for the Python ecosystem with Sigstore | William Woodruff | 2023 |
Sigstore for Python Packaging: Next Steps for Adoption | William Woodruff | 2022 |
die, PGP, die | William Woodruff | 2022 |
Seriously, stop using RSA | Ben Perez | 2019 |
Best Practices for Cryptography in Python | Paul Kehrer | 2019 |
Analyzing the MD5 collision in Flame | Alex Sotirov | 2012 |
Engineering
Presentation Title | Author(s) | Year |
---|---|---|
Python Packaging Mystery Meat | William Woodruff | 2022 |
Improving PyPI's security with Two Factor Authentication | William Woodruff | 2019 |
Linux Security Event Monitoring with osquery | Alessandro Gario | 2019 |
osql: The community oriented osquery fork | Stefano Bonicatti, Mark Mossberg | 2019 |
Getting started with osquery | Lauren Pearl, Andy Ying | 2018 |
osquery Super Features | Lauren Pearl | 2018 |
osquery Extension Skunkworks | Mike Myers | 2018 |
Build it Break it Fix it | Andrew Ruef | 2014 |
Education
Presentation Title | Author(s) | Year |
---|---|---|
A mostly gentle introduction to LLVM | William Woodruff | 2022 |
JWTs, and why they suck | Rory M | 2021 |
The Joy of Pwning | Sophia D'Antoine | 2017 |
How to CTF - Getting and using Other People's Computers (OPC) | Jay Little | 2014 |
Low-level Security | Andrew Ruef | 2014 |
Security and Your Business | Andrew Ruef | 2014 |
Bringing nothing to the party | Vincenzo Iozzo | 2013 |
From One Ivory Tower to Another | Vincenzo Iozzo | 2012 |
Infrastructure
Presentation Title | Author(s) | Year |
---|---|---|
Return to the 100 Acre Woods | Stefan Edwards | 2019 |
Swimming with the kubectl fish | Stefan Edwards | 2019 |
Machine Learning
Presentation Title | Author(s) | Year |
---|---|---|
Exploiting Machine Learning Pickle Files | Carson Harmon, Evan Sultanik, Jim Miller, Suha Hussain | 2021 |
PrivacyRaven: Comprehensive Privacy Testing for Deep Learning | Suha Hussain | 2020 |
Mobile security
Presentation Title | Author(s) | Year |
---|---|---|
Swift Reversing | Ryan Stortz | 2016 |
Modern iOS Application Security | Sophia D'Antoine, Dan Guido | 2016 |
The Mobile Exploit Intelligence Project | Dan Guido | 2012 |
A Tale of Mobile Threats | Vincenzo Iozzo | 2012 |
Programming
Presentation Title | Author(s) | Year |
---|---|---|
Python internals - let's talk about dicts | Dominik Czarnota | 2019 |
Low-level debugging with Pwndbg | Dominik Czarnota | 2018 |
Insecure Things to Avoid in Python | Dominik Czarnota | 2018 |
Program Transformation
Presentation Title | Author(s) | Year |
---|---|---|
A Broad Comparative Evaluation of x86-64 Binary Rewriters | Eric Schulte, Michael D. Brown, Vlad Folts | 2022 |
On the Optimization of Equivalent Concurrent Computations | Henrich Lauko, Lukáš Korenčik, Peter Goodman | 2022 |
Side channels
Presentation Title | Author(s) | Year |
---|---|---|
Hardware side channels in virtualized environments | Sophia D'Antoine | 2015 |
Exploiting Out-of-Order Execution | Sophia D'Antoine | 2015 |
Supply chain
Presentation Title | Author(s) | Year |
---|---|---|
Automated Tools for Securing the Software Supply Chain | Michael D. Brown | 2022 |
Threat analysis & malware
Presentation Title | Author(s) | Year |
---|---|---|
Peeling back the 'Shlayers' of macOS Malware | Josh Watson, Erika Noerenberg | 2019 |
The Exploit Intelligence Project Revisited | Dan Guido | 2013 |
Datasets
Dataset | Date |
---|---|
Smart Contract Audit Findings | Aug 2019 |
Podcasts
We host our own podcast: Trail of Bits. You can download episodes from your favorite podcast app.
Podcast | Guest | Date | Topic(s) |
---|---|---|---|
Risky Biz 707 | Dan Guido | May 2023 | ML security |
ASW 229 | Nick Selby | Feb 2023 | Threat modeling, cloud-native audits |
Risky Biz 690 | Dan Guido | Jan 2023 | Vuln disclosure |
Risky Biz 672 | Dan Guido | Jul 2022 | Blockchain security |
Cloud Security Reinvented | Nick Selby | Jun 2022 | Cloud security |
Skiff Office Hours | Dan Guido | Mar 2022 | Privacy technology |
Risky Biz 652 | Dan Guido | Jan 2022 | Zero-knowledge proofs |
Secureum Safecast #3 | Josselin Feist | Nov 2021 | Blockchain security |
Secureum Safecast #2 | Dan Guido | Oct 2021 | Blockchain security |
Press Freedom Foundation | Dan Guido | Jul 2021 | Mobile security and iVerify |
Employee Cycle | Hannah Hanks | Mar 2021 | First PeopleOps hire |
Risky Biz 614 | Dan Guido | Feb 2021 | iVerify |
Building Better Systems 6 | Dan Guido | Jan 2021 | What blockchain got right |
WCBS 880 | Dan Guido | Sep 2020 | Gap years and intern hiring |
Risky Biz 594 | Dan Guido | Aug 2020 | Apple security |
Epicenter 346 | Dan Guido | Jun 2020 | Smart contract security |
Absolute AppSec 97 | Stefan Edwards | May 2020 | Threat modeling |
Unchained 170 | Dan Guido | May 2020 | DeFi security |
Risky Biz 580 | Dan Guido | Apr 2020 | Mobile voting |
Absolute AppSec 91 | Stefan Edwards | Apr 2020 | Mobile voting |
Zero Knowledge 122 | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs |
Changelog | Dan Guido | Jan 2020 | AlgoVPN |
Risky Business 559 | Stefan Edwards | Oct 2019 | Kubernetes |
FOSS Weekly 545 | William Woodruff | Sep 2019 | PyPI security improvements |
Podcast.__init__ 225 | William Woodruff | Aug 2019 | PyPI security, UX, and sustainability |
Absolute AppSec 68 | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes |
Hashing it Out 53 | Dan Guido | Jul 2019 | Smart contract testing |
Absolute AppSec 60 | Stefan Edwards | May 2019 | Android, programming languages |
Absolute AppSec 55 | Stefan Edwards | Apr 2019 | Security testing |
Hashing it Out 35 | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 |
Risky Biz 526 | JP Smith | Jan 2019 | Post-quantum crypto in CTFs |
Absolute AppSec 37 | Stefan Edwards | Nov 2018 | Programming languages, symbex |
Risky Biz 510 | Lauren Pearl | Aug 2018 | Open source security engineering |
Absolute AppSec 34 | Stefan Edwards | Oct 2018 | Security testing, blockchain |
Zero Knowledge 16 | JP Smith | Mar 2018 | Smart contract security |
Risky Biz 488 | JP Smith | Feb 2018 | Smart contract testing w/ Manticore |
Risky Biz 474 | Dan Guido | Oct 2017 | How to engineer secure software |
Georgian Partners 47 | Dan Guido | May 2017 | AlgoVPN and Tor |
VUC 643 | Dan Guido | Apr 2017 | AlgoVPN |
Risky Biz 449 | Dan Guido | Mar 2017 | Control Flow Integrity |
Risky Biz 425 | Dan Guido | Sep 2016 | Recap the week's news |
Risky Biz 421 | Dan Guido | Aug 2016 | Car hacking and the week's news |
Risky Biz 416 | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge |
Risky Biz 399 | Dan Guido | Feb 2016 | Apple vs the FBI |
Risky Biz 370 | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge |
Risky Biz 348 | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge |
Public Comments
Title | Agency | Date |
---|---|---|
Understanding Crypto Markets Security | CFTC | Mar 2023 |
Security Reviews
Companies that have allowed us to speak about our work can be found here. Many more remain confidential.
Technology Product Reviews
Cloud-Native Reviews
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
KEDA | Dec 2022 | 6 | Audit of Kubernetes Event Driven Autoscaling (KEDA) | |
Terraform Enterprise | Nov 2022 | 6 | ||
Nomad Enterprise | Nov 2022 | 6 | ||
HashiCorp Cloud | Jun 2022 | 9 | ||
Tekton | Mar 2022 | 4 | Tekton Security Review Completed | |
Linkerd | Feb 2022 | 4 | ||
CoreDNS | Jan 2022 | 4 | ||
Terraform Enterprise | Nov 2021 | 6 | ||
Nomad Enterprise | Nov 2021 | 6 | ||
Consul Enterprise | Oct 2021 | 6 | ||
Vault Enterprise | Oct 2021 | 6 | ||
HashiCorp Cloud | Jun 2021 | 8 | ||
Argo | Mar 2021 | 4 | ||
Terraform Cloud | Jan 2021 | 6 | ||
Consul | Oct 2020 | 10 | ||
Nomad | Aug 2020 | 6 | ||
Helm | Aug 2020 | 4 | Helm 2nd Security Audit | |
Terraform | Mar 2020 | 6 | ||
OPA | Mar 2020 | 2 | Open Policy Agent (OPA) Graduation Proposal | |
etcd | Jan 2020 | 4 | CNCF | |
Rook | Dec 2019 | 2 | CNCF | |
Kubernetes | May 2019 | 12 | Google, CNCF |
Blockchain Reviews
Algorand
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Folks Finance Protocol | Nov 2022 | 6 | ||
wXTZ | Nov 2020 | 4 | ||
wALGO | Nov 2020 | 4 | ||
Meld Gold | Jul 2020 | 2 | ||
Algorand | Mar 2019 | 14 | Success and momentum of Algorand | |
Pixel | Dec 2019 | 4 |
Avalanche
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Alkimiya Silica V2 | Jun 2022 | 6 | ||
Ava Labs | Apr 2022 | 8 | ||
Flare Network | Mar 2021 | 8 |
Bitcoin & Derivatives
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
STAS SDK | Oct 2021 | 4 | ||
STAS-JS SDK | Sept 2021 | 4 | ||
Bitcoin SV | Jan 2021 | 6 | ||
Zcoin | Jul 2020 | 2 | Lelantus Cryptographic Library Audit Results | |
Zcash | Apr 2020 | 3 | Heartwood security assessment results | |
Zcash | Nov 2019 | 6 | NU3, Blossom, and Sapling security reviews | |
Zcash | Nov 2019 | 6 | ||
Paymail Protocol | Nov 2019 | 7 | ||
Bitcoin SV | Nov 2018 | 12 | ||
Simple Ledger | Oct 2019 | 3 | ||
ZecWallet | Apr 2019 | 2 | ||
RSKj | Nov 2017 | 6 | RSK security audit results |
Ethereum/EVM
NervOS
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
xUDT | Jun 2021 | 2 | ||
Nervos -RSA | Mar 2021 | 4 | ||
Nervos SUDT | Oct 2020 | 6 | ||
Cheque Cell & ORU | Feb 2021 | 8 | ||
Force Bridge - Solidity | Feb 2021 | 4 | ||
Force Bridge - Rust | Feb 2021 | 3 |
StarkWare
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Nostra | Dec 2022 | 8 | ||
StarkGate | Dec 2022 | 2 | ||
StarkEx | Oct 2022 | 1 | ||
StarkNet token | Jul 2022 | 1 | ||
StarkPerpetual | Jan 2022 | 8 | ||
StarkEx | Nov 2021 | 8 |
Solana
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Token-2022 Program | Feb 2023 | 1 | ||
Drift Protocol | Dec 2022 | 6 | Announcement (Tweet) | |
Solana | Apr 2022 | 12 |
Substrate
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
ParaSpace | Dec 2022 | 1 | ||
ParaSpace | Nov 2022 | 7 | ||
Parallel Finance | Mar 2022 | 6 | ||
Polkadex | Feb 2022 | 10 | ||
Polkadex | Dec 2021 | 4 | ||
PINT | Sept 2021 | 4 | ||
Polkaswap | Jul 2021 | 6 | ||
AlephBFT | Jun 2021 | 4 | ||
Acala Network | Jun 2021 | 4 | ||
Compound Chain | May 2021 | 6 | ||
Acala Network | Jan 2021 | 6 | ||
Parity Fether | Aug 2019 | 4 | ||
Parity | Jul 2018 | 12 | Parity completes Trail of Bits security review |
Tendermint/Cosmos
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Umee | Feb 2022 | 8 | ||
Columbus-5 | Jan 2022 | 2 | ||
IBC Protocol | Dec 2021 | 4 | ||
THORChain | Aug 2021 | 12 | ||
Tendermint | Mar 2019 | 12 | ||
ndau | Nov 2018 | 8 | ndau Holders Elect Inaugural Policy Council |
Tezos
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
Kolibri | Apr 2022 | 4 | ||
Tezori (T2) | Dec 2020 | 4 | ||
Tezori | Jul 2018 | 2 | Thanks to @trailofbits for their security review | |
Magma | Jun 2020 | 1 | ||
Dexter | Jun 2020 | 4 |
Other/Multi-Chain
ML/AI Reviews
Product | Date | Level of Effort | Announcement | Report |
---|---|---|---|---|
EleutherAI, Hugging Face, & Stability AI SafeTensors Library | Mar 2023 | 2 | ||
Disclosures
Product | Date | CVE | CVSS | Exploits | Report |
---|---|---|---|---|---|
SQLite | Jul 2022 | CVE-2022-35737 | 7.5 | Crash, Live lock, Code execution | |
Workshops
Workshop Title | Venue | Date |
---|---|---|
Smart Contract Security Automation Workshop | TruffleCon 2019 | Oct 2019 |
Manticore EVM Workshop | Devcon4 2018 | Nov 2018 |
Introduction to Smart Contract Exploitation | GreHack 2018 | Nov 2018 |
DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle | SecDev 2018 | Oct 2018 |
Smart Contract Security Automation Workshop | TruffleCon 2018 | Oct 2018 |
Smart Contract Security Automation Workshop | ETH Berlin 2018 | Sep 2018 |
Manticore EVM Workshop | EthCC 2018 | Mar 2018 |
Manticore Workshop | GreHack 2017 | Oct 2017 |
Legend
Icon | Definition |
---|---|
Blog post or other social media | |
Security Assessment report | |
Fix review report | |
Threat Model report | |
Whitepaper |
Header | Definition |
---|---|
Level of Effort | Defined in person-weeks for the project |