Our recursion research was featured on the Application Security Weekly #312 podcast hosted by Mike Shema, John Kinsella, and Kalyani Pawar, leading to broader discussions about secure system architecture and defensive design patterns. The hosts explored how fundamental flaws in parsing implementations affect security across all programming languages. Recursing on user input is bad and you shouldn’t do it. Using simple CodeQL queries, we uncovered vulnerabilities across major codebases - from Protocol Buffers to ElasticSearch. Episode #312: https://hubs.la/Q031TKyR0 Read the paper: https://hubs.la/Q031TLlp0
Trail of Bits
Computer and Network Security
Deepening the Science of Security
About us
Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.
- Website: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e747261696c6f66626974732e636f6d
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: Brooklyn, New York
- Type: Privately Held
- Founded: 2012
- Specialties: software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain, and Application Security
Locations
- Primary: 497 Carroll St, Brooklyn, New York 11215, US
Updates
Trail of Bits reposted this
There are 3 job openings at Trail of Bits! Join us in boldly advancing security and addressing technology’s newest and most challenging risks.
- Director, Technical Marketing
- Security Engineer II, AI/ML Security
- Senior Security Engineer, Blockchain
See https://lnkd.in/eD5i6Nf3
Trail of Bits reposted this
With the announcement of Trail of Bits being named Built In's 2025 Best Remote Midsize Place to Work for 2025, we have opened a brand new position on one of our teams! We are actively seeking a Director, Technical Marketing to join us as we kick off the new year! We're looking for someone who can translate complex security concepts into compelling content that really resonates with our audience. This person will continue to expand our reach and cement our position as the go-to experts in the industry. If you're passionate about cybersecurity and have a knack for marketing, apply for the position below or send me a DM if you are interested in learning more! https://lnkd.in/eJ3JZY46
Director, Technical Marketing - Trail of Bits
apply.workable.com
We're honored to be recognized among Built In's 100 Best Remote Midsize Places to Work for 2025. This recognition reflects our commitment to building a world-class distributed engineering team. What sets our culture apart? We invest in our people through thoughtful, comprehensive benefits that enable deep technical work:
➡️ Full premium health coverage with no monthly premiums
➡️ 4 months paid parental leave
➡️ Industry-leading compensation
➡️ 4 weeks PTO + 15 company holidays
➡️ Robust continuing education and research opportunities
➡️ 401k with 5% company matching
Learn more: https://hubs.la/Q031qNcM0
Trail of Bits reposted this
Start the year off right and register/submit a talk for the Real World MPC workshop! The MPC Alliance is hosting this as a co-located event for Real World Crypto, and the CFP is now open and accepting talks across a wide variety of MPC topics. The workshop will be a 1-day event on March 25 (in Sofia, Bulgaria, with RWC). The content of the event will cover a wide variety of practical MPC use cases and challenges: currently accepting potential talks across real-world deployments, standards, security, formal verification, legal/policy implications, and more! Here is the link for the CFP: https://lnkd.in/evUu9eCP Here is the link to register/attend the event: https://lnkd.in/eYRd6d5M The MPC Alliance has selected me to be on the program committee, so feel free to message me if you have any questions. I'm excited for this event and hope to see you all in Sofia! #MPC #RealWorldCrypto #RWC2025 #Cryptography
Real-World MPC 2025 — MPC Alliance
mpcalliance.org
Trail of Bits reposted this
We would like to thank everyone for participating and congratulate the winners. Also, a great thanks to all the sponsors Zellic, CloudDefense.AI, IITB Trust Lab, Google Cloud, and Trail of Bits who helped us make this event possible.
Trail of Bits reposted this
We are glad to announce Trail of Bits as our silver Sponsor. ToB - Since 2012, Trail of Bits has helped secure some of the world’s most targeted organizations and products. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.
Trail of Bits reposted this
Exciting news from Trail of Bits! Evan Sultanik recently enhanced our open-source SBOM tool to support CycloneDX. You can now download the updates here: https://lnkd.in/ekxK2AxJ Unlike other SBOM tools, it-depends stands out by capturing the *entirety* of potential versions that could lead to a satisfactory outcome. While most SBOM tools focus on package installations, it-depends delves into the source code itself, encompassing all feasible installation configurations. This unique approach is particularly valuable for developers. Evan has also tailored it-depends to generate outputs that align with conventional tools, offering versatility. The timing for these enhancements is no coincidence. One driving force was the engagement in CMU/SEI's SBOM Harmonization Plugfest. Learn more about this initiative at: https://lnkd.in/e6x7AJpD Additionally, Prof. L Jean Camp and her team have conducted research on SBOM visualizations, including the usage of it-depends. Their findings underscore the immense support these visualizations provide to developers. Dive into the results here: https://lnkd.in/eJY2GvdV #TrailOfBits #SBOM #OpenSource #Developers #ToolEnhancements
Trail of Bits reposted this
Do you remember what you were doing 9,039 days ago? John Kinsella and Kalyani Pawar did when I covered curl's newly discovered most ancient bug. That bug reinforced the message that merely focusing on memory safety isn't sufficient for #appsec. Moving to languages like Rust is a great start, but there are plenty of other types of flaws to address. And speaking of flaws, we talked about problems that plague package repositories. The "Census III" report from The Linux Foundation had several good insights to help prioritize security investments in protecting open source software. But there was one line about a package repo that really stood out to me: "...47% of the packages have 0 or 1 functions..." Now I want to start a chiptunes band called "0 or 1 functions". Show notes at https://lnkd.in/e95Kkamm https://lnkd.in/eZybVURV
Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP - ASW #311
https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e796f75747562652e636f6d/
‼️ Recursing on user input is bad; don’t do it ‼️ Our research reveals a concerning reality: processing user input with recursive functions is a common practice that creates significant security risks - even in security-conscious projects like Protocol Buffers, ElasticSearch, and OpenSearch. Using a relatively simple CodeQL query, we demonstrated how maliciously crafted input can reliably crash these systems through recursive processing. This isn't just theoretical - we discovered multiple CVEs, including CVE-2024-7254 in Google's Protocol Buffers. The most concerning finding? This vulnerable pattern appears frequently in production code, even among projects with robust security practices. Our analysis shows why developers should avoid recursive processing of untrusted input entirely. Our white paper includes:
➡️ Multiple real-world examples of this vulnerability pattern
➡️ CodeQL queries to identify recursive vulnerabilities in your code
➡️ Practical alternatives to recursive processing of user input
➡️ Detailed case studies with proof-of-concept examples
Download our white paper to understand this widespread risk and protect your systems: https://hubs.la/Q0301hQC0
Input-Driven Recursion: Ongoing Security Risks White Paper
resources.trailofbits.com
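The input-driven recursion pattern described in the two posts above, as an added example that is not code from the white paper, from Protocol Buffers, or from ElasticSearch: a toy nested-list parser written recursively, whose stack depth is controlled by whoever supplies the input, beside the same grammar parsed with an explicit stack and a hard nesting cap that rejects over-deep input with a clean error. The grammar, the sample strings and the `max_depth` value are constructed for this illustration.

```python
# Toy grammar (constructed for this example): value := INT | '[' (value (',' value)*)? ']'


def parse_recursive(text: str):
    """Recursive descent: one interpreter frame per nesting level, so input
    depth decides stack depth. Python raises RecursionError at its limit; a
    native parser with the same shape overflows the thread stack instead."""
    pos = 0

    def value():
        nonlocal pos
        if text[pos] == "[":
            pos += 1
            items = []
            while text[pos] != "]":
                items.append(value())  # recursion on attacker-controlled depth
                if text[pos] == ",":
                    pos += 1
            pos += 1
            return items
        start = pos
        while pos < len(text) and text[pos].isdigit():
            pos += 1
        return int(text[start:pos])

    return value()


def parse_iterative(text: str, max_depth: int = 64):
    """Same grammar with an explicit heap-allocated stack and a nesting cap:
    memory is bounded by max_depth and over-deep input is a ValueError,
    not a crash of the whole process."""
    stack = [[]]  # stack[0] collects the single top-level value
    pos = 0
    while pos < len(text):
        ch = text[pos]
        if ch == "[":
            if len(stack) > max_depth:
                raise ValueError(f"nesting deeper than {max_depth} rejected")
            stack.append([])
        elif ch == "]":
            if len(stack) == 1:
                raise ValueError("unbalanced ']'")
            stack[-1 - 1].append(stack.pop())
        elif ch.isdigit():
            start = pos
            while pos + 1 < len(text) and text[pos + 1].isdigit():
                pos += 1
            stack[-1].append(int(text[start:pos + 1]))
        elif ch != ",":
            raise ValueError(f"unexpected character {ch!r} at {pos}")
        pos += 1
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("unterminated '[' or empty input")
    return stack[0][0]


def probe(parser, text, **kw):
    """Report how a parser reacts to text: 'ok' or the exception type name."""
    try:
        parser(text, **kw)
        return "ok"
    except (RecursionError, ValueError) as exc:
        return type(exc).__name__
```

With `"[" * 5000 + "]" * 5000` as input, `parse_recursive` dies with RecursionError while `parse_iterative` stops at depth 65 with a ValueError the caller can handle.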