HackDig : Dig high-quality web security articles for hackers

High-fidelity build instrumentation with blight

TL;DR: We’re open-sourcing a new framework, blight, for painlessly wrapping and instrumenting C and C++ build tools. We’re already using it on our research projects, and have included a set of useful actions. You can use it today for your own measurement and instrumentation needs: Why would you ever want to wrap a build tool? As engineers, we tend to treat
Publish At: 2020-11-25 13:02 | Tags: Compilers Research Practice

Graphtage: A New Semantic Diffing Tool

Graphtage is a command line utility and underlying library for semantically comparing and merging tree-like structures such as JSON, JSON5, XML, HTML, YAML, and TOML files. Its name is a portmanteau of “graph” and “graftage” (i.e., the horticultural practice of joining two trees together so they grow as one). Read on for: What Graphtage does differently and
Publish At: 2020-08-28 18:09 | Tags: DARPA Research Practice SafeDocs

Announcing the 1st International Workshop on Smart Contract Analysis

At Trail of Bits we do more than just security audits: We also push the boundaries of research in vulnerability detection tools, regularly present our work in academic conferences, and review interesting papers from other researchers (see our recent Real World Crypto and Financial Crypto recaps). In this spirit, we and Northern Arizona University are
Publish At: 2020-05-03 17:57 | Tags: Blockchain Conferences Research Practice

64 Bits ought to be enough for anybody!

How quickly can we use brute force to guess a 64-bit number? The short answer is, it all depends on what resources are available. So we’re going to examine this problem starting with the most naive approach and then expand to other techniques involving parallelization. We’ll discuss parallelization at the CPU level with SIMD instructions, then via multiple c
Publish At: 2019-11-30 08:25 | Tags: Research Practice

Announcing the Crytic $10k Research Prize

At Trail of Bits, we make a significant effort to stay up to date with the academic world. We frequently evaluate our work through peer-reviewed conferences, and we love to attend academic events (see our recent ICSE and Crypto recaps). However, we consistently see one recurring issue at these academic events: a lack of reliable tools and experiments. Resear
Publish At: 2019-11-13 08:25 | Tags: Blockchain Paper Review Press Release Research Practice

Two New Tools that Tame the Treachery of Files

Parsing is hard, even when a file format is well specified. But when the specification is ambiguous, it leads to unintended and strange parser and interpreter behaviors that make file formats susceptible to security vulnerabilities. What if we could automatically generate a “safe” subset of any file format, along with an associated, verified parser? That’s o
Publish At: 2019-11-12 03:25 | Tags: DARPA Dynamic Analysis Program Analysis Research Practice

Everything You Ever Wanted To Know About Test-Case Reduction, But Didn’t Know to Ask

Imagine reducing the amount of code and time needed to test software, while at the same time increasing the efficacy of your tests and making your debugging tasks easier—all with minimal human effort. It seems too good to be true, but we’re going to explain how test-case reduction can do all this (and maybe more). Understanding how reduction works can help w
Publish At: 2019-11-12 03:25 | Tags: Dynamic Analysis Fuzzing Research Practice

TSC Frequency For All: Better Profiling and Benchmarking

Have you ever tried using LLVM’s X-Ray profiling tools to make some flame graphs, but gotten obscure errors like: ==65892==Unable to determine CPU frequency for TSC accounting. ==65892==Unable to determine CPU frequency. Or worse, have you profiled every function in an application, only to find the sum of all function runtimes accounted for ~15 minutes of a
Publish At: 2019-10-03 09:30 | Tags: Containers Linux Research Practice