We do Windows now

At Trail of Bits, we pride ourselves on building tools that everyone can use to help improve the security ecosystem. Given how ingrained Microsoft is with a large portion of our work — binary analysis, cryptography, cloud security — our teams’ research and development has resulted in numerous tool releases for the public to incorporate into their own security strategies.

To build upon these efforts, we now have established a dedicated team filled with some of the world’s foremost Windows security experts that will incubate new research projects and execute engineering initiatives focused on the security of one of the world’s most prevalent operating systems.

The team will leverage the company’s existing relationships in both the public and private sector to work on various Microsoft technologies and initiatives. As Trail of Bits has helped secure some of the world’s most targeted organizations and devices, this team will bring high-end security research together with a real-world attacker mentality to discover, analyze, and solve security issues in one of the world’s most popular operating systems.

The team in composed of the following members:

  • Aaron LeMasters, a principal security engineer, is a technologist and researcher with over 16 years of experience in malware analysis, reverse engineering, Windows internals and kernel driver development. In addition to several issued and provisional patents, he has numerous publications on various research topics and has spoken at renowned conferences such as Blackhat USA, No Such Con, SyScan and Brucon.
  • Yarden Shafir, a senior security researcher, is a world-renowned expert on Windows internals and security tools. She teaches security courses on advanced Windows topics with Winsider Seminars and Solutions. Previously she worked at CrowdStrike and SentinelOne, researching and developing EDR features. Outside of her primary work duties, she has spoken extensively on various topics, such as CET internals, kernel exploitation techniques, extension host hooking and kernel exploit mitigations.
  • Adam Meily, a senior security research engineer, previously architected an agentless proactive malware hunting and incident response framework that scaled to over 500,000 systems across a wide variety of Windows versions, configurations, and architectures. He has also built hardened Windows-based memory forensic and analysis tools to securely run critical processes on contested systems and identify advanced attacks, indicators of compromise, and deviations from baseline configurations.

The team will focus on the security boundaries of three logical architectural layers: operating systems, virtualization, and hardware and architecture support. Initial research will cover hardware and firmware microarchitectures to the operating system and related system libraries, with plans to expand to other software ecosystems in the future. The work will result in outputs similar to other projects conducted by Trail of Bits: client assessment reports, conference presentations, blog posts and other publications, and open-source tools posted on GitHub.

The new effort will build upon years of Windows-related work Trail of Bits has conducted, such as a project with Facebook that resulted in the first Windows platform support for the osquery open-source endpoint agent. An extremely popular operating system analysis tool, osquery allows security teams to build customized queries needed to track security-related data.

Other Windows-based security projects include a tool to verify Authenticode signatures on Windows executables, a Rust-based sandbox for Windows Defender, and training code that allows researchers to study bugs and prevent them from turning into exploits.

Any organizations interested in working with this team can contact Trail of Bits to inquire about future projects. You can keep up with our latest news and announcements on Twitter (@trailofbits) and explore our public repositories on GitHub.

Leave a Reply