About the developer

trailofbits
493 Stars 81 Forks Creative Commons Attribution Share Alike 4.0 International 509 Commits 5 Opened issues

Publications from Trail of Bits

Academic papers

| Paper Title | Venue | Publication Date |
| --- | --- | --- |
| Echidna: effective, usable, and fast fuzzing for smart contracts | ISSTA 2020 | July 2020 |
| Automated Grammar Extraction via Semantic Labeling of Parsers | LangSec 2020 | May 2020 |
| What are the Actual Flaws in Important Smart Contracts? | FC 2020 | Feb 2020 |
| Echidna: A Practical Smart Contract Fuzzer | FC 2020 | Feb 2020 |
| RSA GTFO | PoC\|\|GTFO 0x20 | Jan 2020 |
| Manticore: Symbolic Execution for Binaries and Smart Contracts | ASE 2019 | Jun 2019 |
| Slither: A Static Analysis Framework For Smart Contracts | WETSEB 2019 | May 2019 |
| Toward Smarter Vulnerability Discovery Using Machine Learning | AISec 2018 | Oct 2018 |
| The Past, Present, and Future of Cyberdyne | IEEE S&P | Apr 2018 |
| DeepState - Symbolic Unit Testing for C and C++ | BAR 2018 | Feb 2018 |
| Cyber-Deception and Attribution in Capture-the-Flag Exercises | FOSINT-SI 2015 | Jul 2015 |

Conference presentations

Automated bug finding and exploitation

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| How to find bugs when (ground) truth isn't real | William Woodruff | 2020 |
| The Treachery of Files and Two New Tools that Tame It | Evan Sultanik | 2019 |
| Symbolically Executing a Fuzzy Tyrant | Stefan Edwards | 2019 |
| Kernel space fault injection with KRF | William Woodruff | 2019 |
| Binary Symbolic Execution With KLEE-Native | Sai Vegasena | 2019 |
| Going sicko mode on the Linux Kernel | William Woodruff | 2019 |
| Vulnerability Modeling with Binary Ninja | Josh Watson | 2018 |
| File Polyglottery; or, This PoC is also a picture of cats | Evan Sultanik | 2017 |
| Be a binary rockstar | Sophia D'Antoine | 2017 |
| Symbolic Execution for Humans | Mark Mossberg | 2017 |
| The spirit of the 90s is still alive in Brooklyn | Ryan Stortz, Sophia D'Antoine | 2017 |
| The dream of a static and dynamic analysis shootout | Ryan Stortz | 2016 |
| Binary constraint solving for automatic exploit generation | Sophia D'Antoine | 2016 |
| The Smart Fuzzer Revolution | Dan Guido | 2016 |
| Making a scaleable automated hacking system | Artem Dinaburg | 2016 |
| Cyberdyne - Automatic bug-finding at scale | Peter Goodman | 2016 |
| McSema - Static translation of x86 instructions to LLVM IR | Andrew Ruef, Artem Dinaburg | 2014 |

Blockchain

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Safely integrating with ERC20 tokens | Josselin Feist | 2021 |
| Detecting transaction replacement attacks with Manticore | Sam Moelius | 2020 |
| Fantastic Bugs and How to Squash Them; or, the Crimes of Solidity | Evan Sultanik | 2019 |
| SlithIR: High-Precision Security Analysis with an IR for Solidity | Josselin Feist | 2019 |
| Slither: A Static Analysis Framework for Smart Contracts | Josselin Feist | 2019 |
| What blockchain got right | Dan Guido | 2019 |
| Property-testing of smart contracts | JP Smith | 2018 |
| Anatomy of an unsafe programming language | Evan Sultanik | 2018 |
| Contract upgrade risks and recommendations | Josselin Feist | 2018 |
| Blackhat Ethereum | Ryan Stortz, Jay Little | 2018 |
| Blockchain Autopsies - Analyzing Smart Contract Deaths | Jay Little | 2018 |
| Rattle - an Ethereum EVM binary analysis framework | Ryan Stortz | 2018 |
| Securing value on the Ethereum blockchain | Dan Guido | 2018 |
| Binary analysis, meet the blockchain | Mark Mossberg | 2018 |
| Automatic bug finding for the blockchain | Felipe Manzano, Josselin Feist | 2017 |

Cryptography

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Seriously, stop using RSA | Ben Perez | 2019 |
| Best Practices for Cryptography in Python | Paul Kehrer | 2019 |
| Analyzing the MD5 collision in Flame | Alex Sotirov | 2012 |

Engineering

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Improving PyPI's security with Two Factor Authentication | William Woodruff | 2019 |
| Linux Security Event Monitoring with osquery | Alessandro Gario | 2019 |
| osql: The community oriented osquery fork | Stefano Bonicatti, Mark Mossberg | 2019 |
| Getting started with osquery | Lauren Pearl, Andy Ying | 2018 |
| osquery Super Features | Lauren Pearl | 2018 |
| osquery Extension Skunkworks | Mike Myers | 2018 |
| Build it Break it Fix it | Andrew Ruef | 2014 |

Education

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| The Joy of Pwning | Sophia D'Antoine | 2017 |
| How to CTF - Getting and using Other People's Computers (OPC) | Jay Little | 2014 |
| Low-level Security | Andrew Ruef | 2014 |
| Security and Your Business | Andrew Ruef | 2014 |
| Bringing nothing to the party | Vincenzo Iozzo | 2013 |
| From One Ivory Tower to Another | Vincenzo Iozzo | 2012 |

Infrastructure

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Return to the 100 Acre Woods | Stefan Edwards | 2019 |
| Swimming with the kubectl fish | Stefan Edwards | 2019 |

Machine Learning

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| PrivacyRaven: Comprehensive Privacy Testing for Deep Learning | Suha Hussain | 2020 |

Mobile security

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Swift Reversing | Ryan Stortz | 2016 |
| Modern iOS Application Security | Sophia D'Antoine, Dan Guido | 2016 |
| The Mobile Exploit Intelligence Project | Dan Guido | 2012 |
| A Tale of Mobile Threats | Vincenzo Iozzo | 2012 |

Programming

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Python internals - let's talk about dicts | Dominik Czarnota | 2019 |
| Low-level debugging with Pwndbg | Dominik Czarnota | 2018 |
| Insecure Things to Avoid in Python | Dominik Czarnota | 2018 |

Side channels

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| Hardware side channels in virtualized environments | Sophia D'Antoine | 2015 |
| Exploiting Out-of-Order Execution | Sophia D'Antoine | 2015 |

Threat analysis

| Presentation Title | Author(s) | Year |
| --- | --- | --- |
| The Exploit Intelligence Project Revisited | Dan Guido | 2013 |

Datasets

| Dataset | Date |
| --- | --- |
| Smart Contract Audit Findings | Aug 2019 |

Podcasts

| Podcast | Guest | Date | Topic(s) |
| --- | --- | --- | --- |
| How to onboard yourself as the first People Leader | Hannah Hanks | Mar 2021 | People Operations |
| Risky Business 614 | Dan Guido | Feb 2021 | iVerify |
| Building Better Systems #6 | Dan Guido | Jan 2021 | What blockchain got right |
| WCBS 880 | Dan Guido | Sep 2020 | Gap years and intern hiring |
| Risky Business 594 | Dan Guido | Aug 2020 | Apple security |
| Epicenter 346 | Dan Guido | Jun 2020 | Smart contract security |
| Absolute AppSec 97 | Stefan Edwards | May 2020 | Threat modeling |
| Unchained 170 | Dan Guido | May 2020 | DeFi security |
| Risky Business 580 | Dan Guido | Apr 2020 | Mobile voting |
| Absolute AppSec 91 | Stefan Edwards | Apr 2020 | Mobile voting |
| Zero Knowledge 122 | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs |
| Changelog | Dan Guido | Jan 2020 | AlgoVPN |
| Risky Business 559 | Stefan Edwards | Oct 2019 | Kubernetes |
| FOSS Weekly 545 | William Woodruff | Sep 2019 | PyPI security improvements |
| Podcast.__init__ 225 | William Woodruff | Aug 2019 | PyPI security, UX, and sustainability |
| Absolute AppSec 68 | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes |
| Hashing it Out 53 | Dan Guido | Jul 2019 | Smart contract testing |
| Absolute AppSec 60 | Stefan Edwards | May 2019 | Android, programming languages |
| Absolute AppSec 55 | Stefan Edwards | Apr 2019 | Security testing |
| Hashing it Out 35 | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 |
| Risky Business | JP Smith | Jan 2019 | Post-quantum crypto in CTFs |
| Absolute AppSec 37 | Stefan Edwards | Nov 2018 | Programming languages, symbex |
| Risky Business 510 | Lauren Pearl | Aug 2018 | Open source security engineering |
| Absolute AppSec 34 | Stefan Edwards | Oct 2018 | Security testing, blockchain |
| Zero Knowledge 16 | JP Smith | Mar 2018 | Smart contract security |
| Risky Business 488 | JP Smith | Feb 2018 | Smart contract testing w/ Manticore |
| Risky Business 474 | Dan Guido | Oct 2017 | How to engineer secure software |
| Georgian Partners 47 | Dan Guido | May 2017 | AlgoVPN and Tor |
| VUC 643 | Dan Guido | Apr 2017 | AlgoVPN |
| Risky Business 449 | Dan Guido | Mar 2017 | Control Flow Integrity |
| Risky Business 425 | Dan Guido | Sep 2016 | Recap the week's news |
| Risky Business 421 | Dan Guido | Aug 2016 | Car hacking and the week's news |
| Risky Business 416 | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge |
| Risky Business 399 | Dan Guido | Feb 2016 | Apple vs the FBI |
| Risky Business 370 | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge |
| Risky Business 348 | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge |

Security Reviews

Companies that have allowed us to speak about our work can be found here. Many more remain confidential.

Technology products

| Product | Review Date | Level of Effort | Deliverables | Announcement |
| --- | --- | --- | --- | --- |
| SecureDrop | Dec 2020 | 8 person-weeks | Security Review | 2nd audit of SecureDrop Workstation |
| Citizen Browser | Dec 2020 | 3 person-days | | How We Built a Facebook Inspector |
| Azure Sphere | Jun 2020 | 12 person-weeks | | Azure Sphere 20.07 Security Enhancements |
| Zoom | May 2020 | 9 person-weeks | | 90 Days Done, What's Next for Zoom |
| Secure Transport | Apr 2020 | 4 person-weeks | | |
| ZeroTier 2.0 | Mar 2020 | 2 person-weeks | Security Review | ZeroTier |
| Standard Notes | Mar 2020 | 1 person-week | Security Review | Standard Notes Completes Crypto Audit |
| Voatz | Feb 2020 | 12 person-weeks | Security Review, Threat Model | Voatz, Tusk |
| Voice | Jan 2020 | 4 person-weeks | | |
| Sweet B | Jan 2020 | 4 person-weeks | Security Review | Western Digital |
| Azure Sphere | Jun 2019 | 12 person-weeks | | |
| SanDisk X600 | May 2019 | 6 person-weeks | Security Review | Multiple vulnerabilities in SanDisk X600 |
| Project Callisto | Aug 2018 | 5 person-weeks | | |
| zlib | Sep 2016 | 1 person-week | Security Review | |

Cloud-native

| Product | Review Date | Level of Effort | Deliverables | Announcement |
| --- | --- | --- | --- | --- |
| Consul | Oct 2020 | 10 person-weeks | | |
| Nomad | Aug 2020 | 6 person-weeks | | |
| Helm | Aug 2020 | 4 person-weeks | | |
| Terraform | Mar 2020 | 6 person-weeks | | |
| OPA | Mar 2020 | 2 person-weeks | | |
| Vault | Feb 2020 | 12 person-weeks | | |
| etcd | Jan 2020 | 4 person-weeks | Security Review | CNCF |
| Rook | Dec 2019 | 2 person-weeks | Security Review | CNCF |
| Kubernetes | May 2019 | 12 person-weeks | Security Review, Threat Model, Whitepaper | Google, CNCF |

Smart contracts

| Product | Review Date | Level of Effort | Announcement |
| --- | --- | --- | --- |
| C.R.E.A.M. | Jan 2021 | 1 person-week | |
| LUSD | Dec 2020 | 8 person-weeks | |
| Origin Dollar | Nov 2020 | 4 person-weeks | Origin Dollar Relaunches |
| wXTZ | Nov 2020 | 4 person-weeks | |
| wALGO | Nov 2020 | 4 person-weeks | |
| Hermez | Nov 2020 | 4 person-weeks | Hermez Second Audit, by Trail of Bits |
| Nervos | Oct 2020 | 6 person-weeks | |
| OVM | Oct 2020 | 6 person-weeks | |
| DODO | Sep 2020 | 3 person-weeks | |
| Yield Protocol | Aug 2020 | 6 person-weeks | |
| DeFiner | Aug 2020 | 1 person-week | |
| Smart Pool | Aug 2020 | 1 person-week | |
| Argent | Aug 2020 | 4 person-weeks | |
| MYKEY | Jul 2020 | 4 person-weeks | |
| CurveDAO | Jul 2020 | 6 person-weeks | |
| Amp | Jul 2020 | 3 person-weeks | |
| Federated Bridge | Jul 2020 | 1 person-week | |
| dForce dToken | Jul 2020 | 2 person-weeks | |
| Dexter | Jun 2020 | 4 person-weeks | |
| QTUM | Apr 2020 | 3 person-days | |
| Hegic | Apr 2020 | 3 person-days | |
| Golem Network | Mar 2020 | 2 person-weeks | |
| Reddit | Mar 2020 | 1 person-week | A New Frontier |
| Compound | Feb 2020 | 2 person-weeks | |
| Chai | Feb 2020 | 2 person-days | |
| WorkLock | Jan 2020 | 2 person-weeks | WorkLock Security Audit |
| Balancer | Jan 2020 | 4 person-weeks | |
| Curve.fi | Jan 2020 | 1 person-week | |
| Livepeer | Oct 2019 | 3 person-weeks | |
| Topo Finance | Oct 2019 | 4 person-weeks | |
| Dharma Wallet | Oct 2019 | 4 person-weeks | |
| 0x Protocol | Oct 2019 | 10 person-weeks | |
| Flexa | Sep 2019 | 2 person-weeks | Announcing Flexa Capacity |
| Aave Protocol | Sep 2019 | 4 person-weeks | |
| MC Dai | Aug 2019 | 13 person-weeks | MCD Security Roadmap Update: Oct 2019 |
| Compound | Aug 2019 | 2 person-weeks | |
| Staked | Aug 2019 | 4 person-weeks | |
| Computable | Jul 2019 | 8 person-weeks | Computable Contract Audit |
| Numerai | May 2019 | 3 person-weeks | NMR 2.0 is now live! |
| MerkleX | May 2019 | 4 person-weeks | |
| Interest Token | May 2019 | 2 person-days | |
| TokenCard | May 2019 | 5 person-weeks | |
| Compound | Apr 2019 | 8 person-weeks | Compound v2 is Live |
| Unity Coin | Apr 2019 | 1 person-week | |
| Ocean Protocol | Mar 2019 | 4 person-weeks | One Protocol. One Network. One Community. |
| UMA Project | Mar 2019 | 3 person-weeks | |
| Nomisma | Mar 2019 | 1 person-week | |
| Reserve Protocol | Mar 2019 | 1 person-week | |
| Set Protocol | Mar 2019 | 5 person-weeks | The Road to MainNet |
| NuCypher | Feb 2019 | 4 person-weeks | Security Audits (Round 2) |
| AMP StableWire | Jan 2019 | 1 person-week | |
| EIP-1283 | Jan 2019 | 1 person-week | Constantinople Security Update |
| Ampleforth | Nov 2018 | 4 person-weeks | Source Code and Security Audits with Trail of Bits |
| Origin Protocol | Nov 2018 | 4 person-weeks | How We Approach Security at Origin |
| Paxos Standard | Oct 2018 | 4 person-weeks | |
| Basecoin | Oct 2018 | 12 person-weeks | |
| Compound | Sep 2018 | 12 person-weeks | Compound launches money markets for Ethereum |
| NuCypher | Aug 2018 | 12 person-weeks | Security audits: round 1 |
| CENTRE | Jul 2018 | 4 person-weeks | Designing an upgradeable Ethereum contract |
| Bloom | Jul 2018 | 1 person-week | Bloom development update |
| Gemini Dollar | Jun 2018 | 8 person-weeks | Stablecoins: Understanding Counterparty Risk |
| Dharma | May 2018 | 1 person-week | Dharma protocol v1 is live on mainnet |
| Golem | Apr 2018 | 4 person-weeks | Smart contracts: audit report |
| LivePeer | Mar 2018 | 4 person-weeks | Livepeer smart contract security audit #1 results |
| DappHub | Dec 2017 | 8 person-weeks | |
| MakerDAO Sai | Oct 2017 | 8 person-weeks | Single-collateral Dai security reviews |
| Omega One | Aug 2017 | 6 person-weeks | |

Blockchain protocols and software

| Product | Review Date | Level of Effort | Announcement |
| --- | --- | --- | --- |
| Teller Protocol | Nov 2020 | 4 person-weeks | |
| Highway Consensus | Nov 2020 | 4 person-weeks | ToB Audit of the Casper Highway Protocol |
| Zerion SDK | Nov 2020 | 4 person-weeks | |
| MobileCoin BFT | Oct 2020 | 4 person-weeks | |
| Graph Protocol | Oct 2020 | 3 person-weeks | |
| Stacks V2 | Sep 2020 | 6 person-weeks | |
| Prysm | Sep 2020 | 6 person-weeks | |
| ETH2.0 Deposit CLI | Aug 2020 | 4 person-weeks | |
| VRFs | Aug 2020 | 2 person-weeks | |
| MobileCoin | Aug 2020 | 4 person-weeks | |
| Ren | Aug 2020 | 4 person-weeks | August Development Update |
| Meld Gold | Jul 2020 | 2 person-weeks | |
| Ledger Filecoin | Jul 2020 | 2 person-weeks | |
| Arbitrum | Jul 2020 | 6 person-weeks | |
| Symbol | Jul 2020 | 4 person-weeks | Symbol from NEM completes Trail of Bits Security Audit |
| Zcoin | Jul 2020 | 2 person-weeks | Lelantus Cryptographic Library Audit Results |
| Magma | Jun 2020 | 1 person-week | |
| Lighthouse | Jun 2020 | 4 person-weeks | |
| Matic | Jun 2020 | 4 person-weeks | |
| tBTC | May 2020 | 6 person-weeks | |
| Chainlink Flux | May 2020 | 4 person-weeks | |
| Zcash | Apr 2020 | 3 person-weeks | Heartwood security assessment results |
| Elrond | Mar 2020 | 6 person-weeks | |
| EOSIO SDK | Jan 2020 | 4 person-weeks | |
| Pixel | Dec 2019 | 4 person-weeks | |
| Paymail Protocol | Nov 2019 | 7 person-weeks | |
| Zcash | Nov 2019 | 6 person-weeks | NU3, Blossom, and Sapling security reviews |
| Zcash | Nov 2019 | 6 person-weeks | |
| NEAR Protocol | Nov 2019 | 8 person-weeks | |
| Status-go | Oct 2019 | 9 person-weeks | |
| Simple Ledger | Oct 2019 | 3 person-weeks | |
| EOSIO 2.0 | Oct 2019 | 8 person-weeks | |
| Oasis Labs | Sep 2019 | 13 person-weeks | |
| AZTEC Protocol | Sep 2019 | 10 person-weeks | |
| Celo | Sep 2019 | 8 person-weeks | |
| Parity Fether | Aug 2019 | 4 person-weeks | |
| Blockchain.com | Aug 2019 | 4 person-weeks | |
| RandomX | Jun 2019 | 2 person-weeks | Monero and Arweave to Validate RandomX |
| ZecWallet | Apr 2019 | 2 person-weeks | |
| Loom | May 2019 | 10 person-weeks | Loom SDK Q1 2019 Security Audit |
| Algorand | Mar 2019 | 14 person-weeks | Success and momentum of Algorand |
| Centrifuge | Mar 2019 | 5 person-weeks | |
| Tendermint | Mar 2019 | 12 person-weeks | |
| ndau | Nov 2018 | 8 person-weeks | ndau Holders Elect Inaugural Policy Council |
| Bitcoin SV | Nov 2018 | 12 person-weeks | |
| Pantheon | Oct 2018 | 8 person-weeks | What we learned from auditing our Ethereum client |
| Building Blocks | Aug 2018 | 7 person-weeks | UN WFP uses Ethereum to aid 100,000 refugees |
| Parity | Jul 2018 | 12 person-weeks | Parity completes Trail of Bits security review |
| Tezori | Jul 2018 | 2 person-weeks | Thanks to @trailofbits for their security review |
| Web3 | Mar 2018 | 2 person-weeks | W3F and TOB hardware wallet security guidance |
| RSKj | Nov 2017 | 6 person-weeks | RSK security audit results |

Workshops

| Workshop Title | Venue | Date |
| --- | --- | --- |
| Smart Contract Security Automation Workshop | TruffleCon 2019 | Oct 2019 |
| Manticore EVM Workshop | Devcon4 2018 | Nov 2018 |
| Introduction to Smart Contract Exploitation | GreHack 2018 | Nov 2018 |
| DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle | SecDev 2018 | Oct 2018 |
| Smart Contract Security Automation Workshop | TruffleCon 2018 | Oct 2018 |
| Smart Contract Security Automation Workshop | ETH Berlin 2018 | Sep 2018 |
| Manticore EVM Workshop | EthCC 2018 | Mar 2018 |
| Manticore Workshop | GreHack 2017 | Oct 2017 |
