blog.trailofbits.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-04-22 2026 | Detect Go's silent arithmetic bugs with go-panikintFuzzing | Library for detecting silent integer arithmetic bugs in Go projects. go-panikint modifies the Go compiler to transform integer overflows and truncations into explicit panics, making them detectable by fuzzers. It successfully identified an integer overflow vulnerability in the Cosmos SDK's RPC pagination logic. The library includes mechanisms to filter intentional overflows via source location whitelisting or in-code comments. |
| 2026-04-11 2026 | Unleashing Medusa: Smart Contract FuzzingFuzzing | Library for coverage-guided, parallel, and on-chain fuzzing of EVM smart contracts. Medusa v1, built on Geth and written in Go, uses Slither insights for smart mutational value generation and provides enhanced debugging with rich execution traces. It offers an alternative to Echidna, focusing on scalability and maintainability for faster vulnerability discovery in blockchain systems. |
| 2026-04-10 2026 | Supply Chain Attacks Are Exploiting Our AssumptionsSupply Chain | Library of techniques for defending against software supply chain attacks, addressing implicit trust assumptions exploited by attackers. It analyzes recent incidents such as the XZ Utils backdoor, npm and PyPI package compromises like `rustdecimal` and `torchtriton`, and attacks leveraging compromised accounts (e.g., `ctrl/tinycolor`, `Nx`, `rspack`). The library highlights methods to move beyond dependency scanning and SBOMs, focusing on verifying code provenance and build integrity to mitigate risks from deceptive doubles, stolen secrets, and poisoned pipelines. |
| 2026-04-10 2026 | Prompt Injection to RCE in AI AgentsRCE | Writeup on prompt injection leading to RCE in AI agents, detailing design antipatterns that enable argument injection attacks against pre-approved commands. The article demonstrates one-shot RCE exploits across three AI agent platforms, bypassing human approval through techniques like `go test -exec` and `git show --format`/`ripgrep --pre`. Recommendations focus on limiting impact via sandboxing and argument separation for developers, users, and security engineers. |
| 2026-04-10 2026 | Marshal Madness: A Brief History of Ruby Deserialization ExploitsDeser | Library detailing the historical evolution of Ruby Marshal deserialization exploits, from early bug tracker issues by Charlie Somerville Hailey to modern industrialized gadget discovery techniques. It traces the decade-long cycle of patches and bypasses, highlighting contributions from researchers like joernchen, Luke Jahnke, and Alex Leahu, and discusses the ongoing challenges presented by these vulnerabilities, referencing CVEs from Java and PHP as comparative examples. |
| 2025-08-14 2025 | Security assessment techniques for Go projects | Trail of Bits Blog | Library of Go security assessment techniques, this resource details static analysis tools like go-vet, staticcheck, and ineffassign, alongside dynamic approaches such as fuzzing with dvyukov/go-fuzz and property testing using the testing/quick sub-package or the gopter framework. It highlights language semantics like short variable declarations that can lead to vulnerabilities, and discusses compiler configurations for effective instrumentation. |
| 2020-05-27 2020 | Security assessment techniques for Go projects | Trail of Bits Blog | Library for assessing Go project security, covering static analysis with tools like go-vet, staticcheck, and ineffassign to identify issues such as unused return values and variable shadowing, as well as dynamic analysis techniques including fuzzing with dvyukov/go-fuzz and google/gofuzz, and property testing using the testing/quick sub-package and the gopter framework for detecting property violations and handling stateful tests. |