2016 Year in Review
John Oliver may have written off 2016, but we’re darn proud of all that we accomplished and contributed this year.
We released a slew of the security tools that help us, and you, work smarter, and promoted a few more that deserved recognition. We helped the New York City InfoSec community build a foundation for future growth. Perhaps most importantly, we weighed in when we believed the record needed to be set straight.
Here are 14 reasons we’re counting 2016 as a success and feeling good about 2017.
1. Brought automatic bug discovery to market
2016 will go down in history as the year that software began finding and patching vulnerabilities automatically. Our Cyber Reasoning System (CRS), built to compete in DARPA’s Cyber Grand Challenge, made history on its own when it audited zlib. As far as we know, our CRS was the first ever to audit a much larger amount of code in less time, in greater detail, and at a lower cost than a human could. Read the audit report and Mozilla’s announcement.
In January, we used our CRS to help settle a $1,000 bet about libotr, a popular library used in secure messaging software. Discover our insights about the challenges encrypted communications systems present for automated testing, how we solved them, and our testing methodology. And find out who won the bet.
Our CRS is available for commercial engagements, but we’ve open sourced one of its companion tools: GRR, a high-throughput fuzzer built specifically for the CRS. Read about the challenges we overcame while designing and building GRR.
Released And Reviewed Foundational Tools
2. Created a standardized benchmark suite for security tools
DARPA released the source code for over 100 challenge programs used in the Cyber Grand Challenge (CGC). The CGC challenge programs are realistic programs that contain documented vulnerabilities. Unfortunately, the programs don’t run on Windows, Linux, or macOS. We fixed this. We ported and packaged the challenge programs into a cross-platform benchmark suite. Now researchers in academia and industry can reliably evaluate and compare their program analysis tools and bug mitigations.
3. Ported Facebook’s osquery to Windows
Facebook’s osquery allows you to easily ask security and performance questions about your endpoint infrastructure. Until earlier this year, it was only available for macOS and Linux. We ported osquery to Windows, overcoming numerous technical challenges: completely different process and security models, incompatible APIs, and divergent compiler behavior. The port was worth the effort. Before, similar functionality would require cobbling together manual solutions or expensive and proprietary commercial products. Now, there’s a better option.
4. Released Algo, a secure, user-friendly, and free VPN
We built Algo, a self-hosted VPN server designed for ease of deployment and security. Algo servers are not shared with other users, use only modern protocols and ciphers, and include only the minimal software you need. Since Algo deploys to nearly all popular cloud computing platforms, it provides an effectively unlimited set of egress locations. For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.
5. Showed how to automatically generate exploits with Binary Ninja
Ryan showed how to use Vector35’s Binary Ninja, a promising new interactive static analysis and reverse engineering platform, to generate exploits for 2,000 unique binaries in this year’s DEFCON CTF qualifying round. Its feature-rich and accessible APIs beat all competing products. Had he used IDA or radare2, Ryan would have had to divert his time and attention to implementing a stack model or using fragile heuristics instead of focusing on the true goal of the CTF: exploiting binaries. Read his full review.
6. Released Protofuzz, a protobuf fuzzer
Protofuzz helps find bugs in applications utilizing Google Protocol Buffers (protobuf). Applications use protobufs to specify the structure of messages, which are passed between processes or across networks. Protobufs automate the error-prone task of generating message serialization and deserialization code. Typical fuzzers that rely on random permutation cannot explore past the correct, auto-generated code. Protofuzz creates valid protobuf-encoded structures composed of malicious values — ensuring that permuted data passes through the hard auto-generated shell into the soft underbelly of the target program.
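To make the point above concrete, here is an added example (not Protofuzz's code or API): a hand-rolled decoder for a hypothetical two-field message, fed once with every single-byte mutation of a valid message and once with well-formed encodings of boundary values. The schema, function names, and sample values are assumptions constructed for illustration.

```python
def enc_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def dec_varint(buf, i):
    result = shift = 0
    while i < len(buf) and shift <= 63:
        result |= (buf[i] & 0x7F) << shift
        if not buf[i] & 0x80:
            return result, i + 1
        i, shift = i + 1, shift + 7
    raise ValueError("truncated or overlong varint")

def encode(user_id, name):
    # Hypothetical schema: field 1 = uint64 user_id, field 2 = bytes name.
    return b"\x08" + enc_varint(user_id) + b"\x12" + enc_varint(len(name)) + name

def decode(buf):
    # Stand-in for generated parsing code; unlike real parsers it rejects unknown fields.
    i, msg = 0, {}
    while i < len(buf):
        key, i = dec_varint(buf, i)
        if key == 0x08:
            msg["user_id"], i = dec_varint(buf, i)
        elif key == 0x12:
            n, i = dec_varint(buf, i)
            if i + n > len(buf):
                raise ValueError("length runs past end of buffer")
            msg["name"], i = buf[i:i + n], i + n
        else:
            raise ValueError("unexpected field key")
    return msg

def passes(buf):
    # True when the input survives decoding and would reach application logic.
    try:
        decode(buf)
        return True
    except ValueError:
        return False

SEED = encode(7, b"bob")  # constructed sample message
byte_level = [SEED[:p] + bytes([v]) + SEED[p + 1:]
              for p in range(len(SEED)) for v in range(256) if v != SEED[p]]
structured = [encode(u, n) for u in (0, 2**32, 2**63, 2**64 - 1)
              for n in (b"", b"\x00", b"%n%n", b"A" * 300)]
```

Counting `passes()` over both lists shows the gap: the byte-level mutants that survive only changed a value byte in place, while every structured input decodes cleanly and delivers out-of-range integers and oversized strings to the code behind the decoder.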
7. Made iOS’s Secure Enclave usable with Tidas
Apple’s Secure Enclave Crypto API promised to liberate us from the annoyance of passwords and using your Google account to log into Pokemon Go. But it was unusable in its original state. So, we filled the gap with Tidas, a simple SDK drop-in for iOS apps that provides cryptographically proven — and passwordless — authentication. The introduction of the T1 chip and TouchID on new MacBook Pros opens exciting new potential for Tidas on macOS. If you dream of a passwordless future, check out our DIY toolkit in Swift or Objective-C.
Shared With The Community
8. Explained Control Flow Integrity, and how to use it to mitigate exploits
Control Flow Integrity (CFI) prevents bugs from becoming exploits. Before indirect control flow transfers, CFI validates that the target of the flow belongs to a pre-determined set of valid targets. Unfortunately, instructions for using CFI are hard to find and very confusing. We fixed the problem. We published two blog posts that describe how CFI prevents exploitation, and how to use it with clang and Visual Studio. We also provided working examples showing how CFI protects Linux, macOS, and Windows applications.
9. Pulled back the veil on PointsTo, our whole-program static analysis tool
Dynamic program analysis tools like AddressSanitizer and Valgrind can tell developers when running code accesses uninitialized memory, leaks memory, or uses memory after it’s been freed. Despite this, memory bugs are still shipped and exploited in the wild. That’s because bugs have a nasty habit of hiding behind rarely executed code paths, and dynamic analysis tools can’t check every possible program path. PointsTo can. It’s a whole-program static analysis tool that we developed and use to find and report on potential use-after-free bugs in large codebases. Read about PointsTo.
10. Continued to enrich NYC’s InfoSec community
Our bi-monthly meetup, Empire Hacking, really picked up steam in 2016. Membership passed 500 people, 100 of whom regularly attend our meetings. We heard 14 superb presentations on pragmatic security research and new discoveries in attack and defense. Many thanks to our hosts: Spotify, Two Sigma, DigitalOcean, and WeWork!
Everyone is welcome at Empire Hacking, but it may not be for everyone. So we put together nyc-infosec.com, a directory of all of the gatherings, companies, and university programs in NYC that we could find. Our goals with nyc-infosec.com are to promote collaboration, to elevate NYC’s community to its rightful place on the InfoSec ‘stage,’ and to help researchers and practitioners benefit from each other’s work.
One local event even earned our sponsorship: O’Reilly’s Security Conference.
11. Hired three interns for meaningful work
This winter we are once again giving college students paid internships to work on interesting security problems. We work with each student to create a project that is both interesting for them and beneficial for us, and provide them with resources and mentorship to make progress. This year, our interns are working on applying machine learning to fuzzing, porting challenge binaries to Windows, and improving our program analysis tools. We’ll have a post summarizing their work when it’s done; meanwhile, you can read about our past interns’ experience. We’ll also be hiring interns for the summer: contact us if you are interested.
12. Delivered 9 new talks at 13 separate conferences
When we can, we share the science that fuels our work – the successes and the failures. This year we spoke with an exceptional number of people at conferences all over the world.
- Automated Bug Finding at Scale by Peter Goodman at COUNTERMEASURE
- Automated Exploit Generation by Sophia D’Antoine at CanSecWest
- The Bad Neighbor by Sophia D’Antoine at HITB Amsterdam
- Be a Binary Rockstar by Sophia D’Antoine at INBOT and CodeBlue
- Building a Scalable, Automated Hacking Machine by Artem Dinaburg at Infiltrate, ShakaCon, HCSS, and NCC Open Forum Chicago
- iOS Application Security by Dan Guido and Sophia D’Antoine at Code as Craft, QCon NY
- Static and Dynamic Analysis Shootout by Ryan Stortz and Kareem El-Faramawi at INBOT and CSAW SOS
- The Smart Fuzzer Revolution by Dan Guido at BSides Lisbon
- Swift Reversing by Ryan Stortz at Infiltrate and ShakaCon
Spoke The Truth
13. Called out Verizon for publishing bad data
Verizon’s Data Breach Investigations Report (DBIR) represents a collaborative effort involving 60+ organizations’ proprietary data. It’s the single best source of information for enterprise defenders, which is why it was a travesty that the report’s section on vulnerabilities used in data breaches contained misleading data, analysis, and recommendations. We chided Verizon and Kenna, the section’s contributor, and offered suggestions that would improve the quality of future DBIRs. In response to criticism, Verizon and Kenna posted mea culpas on their blogs.
14. Clarified the technical details of the Apple-FBI standoff
In February, a federal judge ordered Apple to help the FBI recover encrypted data from the San Bernardino gunman’s iPhone 5C. Many argued the FBI’s request was technically infeasible given the support for strong encryption on iOS devices. Based on our reading of the request and knowledge of iOS, we explained why Apple could comply with the FBI in this instance. (If the iPhone had had a Secure Enclave, it would have been much harder.) For more detail, listen to Dan’s interview on the Risky Business podcast.
2017 won’t know what hit it
This year, we are looking forward to publicizing more of our research, continuing our commitment to our open source projects, and releasing more of our internal tools. We will:
- Release Manticore, a ruthlessly effective hybrid symbolic-concrete (“concolic”) execution system that scales to large programs with numerous dependencies, complex interaction, and manual setup.
- Add ARM support to McSema so we can lift binaries from all kinds of embedded systems such as hard drive firmware, phones, and IoT devices.
- Publicly release a tool that combines a set of LLVM passes to detect side-channel vulnerabilities in sensitive codebases.
- Sponsor Infiltrate 2017 and attend en masse. We really appreciate the forum they provide for a focused, quality review of the techniques attackers use to break systems. It’s a service to the community. We’re happy to support it.
- Deliver a project inspired by Mr. Robot. Yeah, the TV show. More on that soon.