Trail of Bits

Computer and Network Security

Brooklyn, New York 7,468 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Website
https://www.trailofbits.com
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Brooklyn, New York
Type
Privately Held
Founded
2012
Specialties
software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain, and Application Security

Updates

  • Trail of Bits reposted this

    OXORIO (321 followers)

    We want to share some highlights from #Web3SecSummit where Petr Korolev led a security panel discussion with 4 industry leaders. We discussed:
    • The boundaries of applicability for each method
    • How clients should decide what needs to be done for their projects
    • The bottlenecks in these approaches

    Panel participants included:
    • Josselin Feist from Trail of Bits - Representing one of the strongest teams in the industry, thank you Josselin for sharing your deep expertise on the intricacies of fuzzing, offering invaluable insights!
    • Josef Gattermayer from Ackee Blockchain Security - Pushing the boundaries of security, Josef is dedicated to advancing fuzzing algorithms and integrating them with traditional audits for comprehensive solutions.
    • Raoul S. from Runtime Verification Inc - Bridging the gap between fuzzing and formal verification, Raoul combines the best of both worlds to develop robust security solutions.
    • Mooly Sagiv from Certora - An OG in the formal verification field, Mooly is renowned for his critical perspective and pioneering contributions to the approach, which we find very impressive!

    Thank you to everyone who made this conversation possible, really grateful for the opportunity to connect with like-minded experts and talk about the things that truly matter for our work! #web3 #security #panel
  • Trail of Bits (7,468 followers)

    Homebrew, the missing package manager for macOS, produces the binaries that millions of users download daily. Last summer, we completed an audit of Homebrew’s CI/CD pipeline and brew. Our audit revealed some non-critical issues that could have allowed attackers to load executable code unexpectedly and modify binary builds. By addressing these vulnerabilities, we help maintain the trust and reliability that Homebrew users depend on daily. This audit was sponsored by the Open Tech Fund as part of their mission to secure vital internet infrastructure. We collaborated closely with the Homebrew maintainers, whose expertise was invaluable throughout the process. Check out our blog for a deep dive into our findings:

    Our audit of Homebrew
    http://blog.trailofbits.com

  • Trail of Bits (7,468 followers)

    We're hiring on our Blockchain team!

    Open Positions:
    • Security Engineer II, Blockchain https://buff.ly/3Wu0nGo
    • Senior Security Engineer, Blockchain https://buff.ly/3WoTYMN

    ⚒️ What You'll Do:
    • Review blockchain code & smart contracts for vulnerabilities
    • Advise clients on robust security practices
    • Develop and enhance tools like Slither, Echidna & Medusa
    • Lead innovative blockchain security research

    🌟 Why Trail of Bits:
    • Empowered Living: Competitive salary, performance-based bonuses, fully-paid insurance, 401(k) match, and flexible vacation.
    • Nurturing New Beginnings: Parental leave and relocation assistance.
    • Work & Life Enrichment: Home office stipend, learning & development budget, and company-sponsored celebrations.
    • And more!

    Trail of Bits | Careers
    trailofbits.com

  • Trail of Bits (7,468 followers)

    One of our Trail of Bits blockchain engineers asked our cryptography team 10 key questions to uncover some of the mysteries behind the field. In this comprehensive blog, our experts explore the intricacies of polynomial commitment schemes, explore the security nuances of elliptic curve cryptography, and shed light on advanced topics like fully homomorphic encryption and zero-knowledge proofs. Whether you're looking to understand the fundamentals or seeking insights into the latest cryptographic techniques, this blog is a must-read for anyone in the cybersecurity or blockchain space.

    Here are the questions:
    1. Can you outline the most common commitment schemes employed for SNARKS?
    2. Hashing is ubiquitous, yet few people grasp its inner workings. Can you clarify popular constructions (e.g., MD, Sponge) and highlight their differences?
    3. Elliptic curve cryptography (ECC) is even more enigmatic and considered a major “black box” in cryptography. Numerous pitfalls and technical attacks exist. Can you shed light on some theoretical assaults on elliptic curves, like Weil descent and the MOV attack?
    4. As technology ramps up and the threat of quantum computers looms over us, efforts have been made to create post-quantum cryptosystems, like lattice-based cryptography and isogeny-based cryptography. Could you provide an overview of these systems?
    5. The Fiat-Shamir heuristic is widely used throughout the field of interactive oracle proofs. What are some interesting things to note about this heuristic and its theoretical security?
    6. There have recently been notable advancements in the PLONK Interactive Oracle Proof system. Could you elaborate on what’s being improved and how?
    7. We often hear about zkEVMs and projects building them, like Scroll, Polygon, and zkSync. Can you explain the various design decisions involved in building one? (Type 1/2/3, etc.)
    8. We currently have zkEVMs in production, with Scroll, zkSync, and Polygon having mainnet deployments. How many more improvements can we make to these zkEVMs to unlock consumer grade proving/verification?
    9. Can you discuss secret sharing schemes like Shamir’s secret sharing, their potential use cases, and common mistakes you’ve observed?
    10. Folding schemes for recursive proofs have become really popular lately. Could you give a rough summary on how they work?

    Our crypto experts answer 10 key questions
    http://blog.trailofbits.com

  • Trail of Bits (7,468 followers)

    Join us for a 🌟 Burp Suite 🌟 webinar ft. special guest James Kettle from PortSwigger. We will cover:
    - Web research techniques using Burp Suite
    - Optimizing your Burp setup
    - Effectively using Burp tools in various scenarios
    - Future of Burp with BChecks
    - Comparison of dynamic and static analysis approaches based on real-world examples.
    ++ We will end with a Q&A session with our experts!

    🗓️ When: July 31st @ 12 PM EDT
    📌 Register here: https://buff.ly/3WpODVu

    Get started using Burp Suite with our Testing Handbook Chapter! https://lnkd.in/gzvWmW6z

    Mastering Web Research with Burp Suite
    trailofbits.registration.goldcast.io

  • Trail of Bits reposted this

    Cliff Smith, Security Engineer @Trail of Bits

    Having read some of the reactions and discussions around this post/micro-report, I want to reframe things a bit and restate what is (IMHO) the primary takeaway. Even though high-quality RAG software packages like Ask Astro already exist, it would be a grave mistake to think that safety and security for RAG systems are solved problems.

    Suppose you're at a startup social media company, and one of your cofounders says, "We don't need to spend all this engineering time on security, privacy, and safety. Facebook, Twitter and Mastodon have already solved those problems." That would be an inane statement. Every social media platform will need to figure out how they'll manage data deletion requests, moderation of harmful content, and all aspects of application security. Addressing these challenges is part of the price of entry for any social media company. They may be heavily studied problems, but they're certainly not "solved" to the point where companies no longer need to worry about them. They come with the territory, and they always will.

    Any company deploying a RAG application needs to develop a strategy for addressing data provenance and data quality, and they need to understand the novel ways that attackers can manipulate these systems (e.g., the data poisoning attacks we discussed). Don't expect anyone else to solve those problems for your organization, because no two organizations have the same needs or the same risk profile.

    Also, it's not news that software has bugs. (As an aside, only one of our findings is actually an implementation error in Ask Astro's codebase.) But what *is* noteworthy are the novel ways that such bugs can affect security and safety outcomes for different types of generative AI software. Some of these bugs will be very missable for teams who haven't spent enough time threat modeling their latest magical AI tool.

    So if you want to deploy RAG in production, use Ask Astro as it was intended: a reference implementation, a template for solving technical problems. It's up to you to understand the unique risks associated with RAG (or generative AI in general), and it's up to you to come up with a strategy for addressing these risks.

    Auditing the Ask Astro LLM Q&A app
    http://blog.trailofbits.com
