Celebrating our 2023 open-source contributions - The Trail of Bits Blog
At Trail of Bits, we pride ourselves on making our best tools open source, such as Slither, PolyTracker, and RPC Investigator. But while this post is about open source, it is not just about our tools...
In 2023, our employees submitted over 450 pull requests (PRs) that were merged into non-Trail of Bits repositories. This demonstrates our commitment to securing the software ecosystem as a whole and to improving software quality for everyone. A representative list of contributions appears at the end of this post, but here are some highlights:
Sigstore-conformance is an important part of the Sigstore initiative in our open-source engineering practice, serving as an integration test suite for the various Sigstore client implementations. It ensures conformance with the Sigstore client test suite, rigorously evaluating overall client behavior, exercising critical scenarios, and aligning with the ongoing effort to establish an official Sigstore client specification. This workflow-centric test suite integrates seamlessly into existing workflows with minimal configuration, providing comprehensive testing for Sigstore clients.
Protobuf-specs is another initiative of our open-source engineering practice. It is a collaborative repository for a standardized data model and protocol shared across the various Sigstore clients, and it contains the specification for Sigstore messages. To update the protobuf definitions, run "make all" under Docker to generate the protobuf stubs; the resulting Go and Python files are written to the gen/ directory.
pyOpenSSL is the primary Python library for integrating OpenSSL functionality. Over roughly the past nine months, as part of our contract with STF, we have been actively involved in cleanup and maintenance work on pyOpenSSL. pyOpenSSL is a thin wrapper around a subset of the OpenSSL library, and many of its object methods simply call the corresponding function in the OpenSSL library.
Homebrew-core is the central repository for the default Homebrew tap, containing a range of packages and their associated formulae for seamless installation. Once Homebrew is configured on a Mac or Linux system, you can run the "brew install" command to install software from this repository. Application security engineer Emilio Lopez has actively contributed to this repository by submitting multiple pull requests that introduce new formulae or update existing ones. Emilio focused primarily on tools developed by ToB, such as crytic-compile, solc-select, and Caracal. As a result, anyone can install these tools with a simple "brew install" command, simplifying the installation process.
Ghidra, created by the National Security Agency Research Directorate, is a powerful software reverse engineering (SRE) framework. It provides advanced tools for code analysis on Windows, macOS, and Linux, including disassembly, decompilation, and scripting. Supporting a wide range of processor instruction sets, Ghidra serves as a customizable SRE research platform that helps analyze malicious code for cybersecurity purposes. We fixed numerous bugs to enhance its functionality, particularly in support of our work on DARPA's AMP (Assured Micropatching) program.
We want to acknowledge that submitting a PR is only a small part of the open-source experience. Someone has to review the PR. Someone has to maintain the code after the PR is merged. The submitters of earlier PRs have to write tests to ensure that the functionality of their code is preserved.
We contribute to these projects partly because we love the craft, but also because we find these projects useful. To that end, we extend our sincerest thanks to the open-source community, and we wish everyone a happy, safe, and productive 2024!
Some of Trail of Bits' 2023 open-source contributions
AI/ML
- Repo: run-llama/llama_index
  Name: llms/openai: fix Azure OpenAI streaming #7677
  ret2libc: https://github.com/run-llama/llama_index/pull/7677
- Repo: run-llama/llama_index
  Name: llms/openai: fix Azure OpenAI by accounting for the prompt_filter_results field #7755
  ret2libc: https://github.com/run-llama/llama_index/pull/7755
Cryptography
- Repo: 0xPARC/zk-bug-tracker
  Name: Update mitigations in the arithmetic overflow section #10
  fegge: https://github.com/0xPARC/zk-bug-tracker/pull/10
- Repo: mlswg/mls-architecture
  Name: Change rathr -> rather #203
  tjade273: https://github.com/mlswg/mls-architecture/pull/203
- Repo: yi-sun/circom-pairing
  Name: Make all tests pass #23
  tjade273: https://github.com/yi-sun/circom-pairing/pull/23
- Repo: yi-sun/circom-pairing
  Name: Fix the elliptic curve addition formula when computing (P - P) - P #22
  tjade273: https://github.com/yi-sun/circom-pairing/pull/22
- Repo: pyca/cryptography
  Name: rust: add crate skeleton for X.509 path validation #8873
  woodruffw: https://github.com/pyca/cryptography/pull/8873
- Repo: pyca/cryptography
  Name: verification: add missing max_chain_depth kwargs #9847
  woodruffw: https://github.com/pyca/cryptography/pull/9847
- Repo: pyca/cryptography
  Name: extensions: add Extensions::iter #9081
  woodruffw: https://github.com/pyca/cryptography/pull/9081
- Repo: alex/rust-asn1
  Name: Bump version to 0.15.4 #403
  woodruffw: https://github.com/alex/rust-asn1/pull/403
- Repo: alex/rust-asn1
  Name: types: asn1::DateTime: PartialOrd #402
  woodruffw: https://github.com/alex/rust-asn1/pull/402
- Repo: pyca/cryptography
  Name: x509: Eq and Hash derives #9076
  woodruffw: https://github.com/pyca/cryptography/pull/9076
- Repo: alex/rust-asn1
  Name: Bump version to 0.15.3 #401
  woodruffw: https://github.com/alex/rust-asn1/pull/401
- Repo: pyca/cryptography
  Name: x509/common: make SPKI algorithms public #9061
  woodruffw: https://github.com/pyca/cryptography/pull/9061
- Repo: alex/rust-asn1
  Name: types: document the domain of DateTime fields #399
  woodruffw: https://github.com/alex/rust-asn1/pull/399
- Repo: pyca/cryptography
  Name: Add support for ChaCha20 on LibreSSL #9758
  facutuesca: https://github.com/pyca/cryptography/pull/9758
- Repo: pyca/cryptography
  Name: Add support for ChaCha20 on BoringSSL #9762
  facutuesca: https://github.com/pyca/cryptography/pull/9762
- Repo: pyca/cryptography
  Name: Add support for ChaCha20 on LibreSSL #9209
  facutuesca: https://github.com/pyca/cryptography/pull/9209
- Repo: pyca/cryptography
  Name: Add test vectors for ChaCha20 counter overflow #9221
  facutuesca: https://github.com/pyca/cryptography/pull/9221
- Repo: pyca/cryptography
  Name: Add poly1305 implementation for BoringSSL and LibreSSL #9392
  facutuesca: https://github.com/pyca/cryptography/pull/9392
- Repo: sfackler/rust-openssl
  Name: Expose Poly1305 bindings on libressl and boringssl #1998
  facutuesca: https://github.com/sfackler/rust-openssl/pull/1998
- Repo: pyca/cryptography
  Name: Fix ChaCha20 docs #9192
  facutuesca: https://github.com/pyca/cryptography/pull/9192
- Repo: pyca/cryptography
  Name: Add support for ChaCha20-Poly1305 on BoringSSL #8946
  facutuesca: https://github.com/pyca/cryptography/pull/8946
- Repo: pyca/cryptography
  Name: certificate: add get_extension helper #8892
  woodruffw: https://github.com/pyca/cryptography/pull/8892
- Repo: alex/rust-asn1
  Name: types: add full Eq for SequenceOf and SetOf #400
  woodruffw: https://github.com/alex/rust-asn1/pull/400
- Repo: pyca/cryptography
  Name: CHANGELOG: document ChaCha20Poly1305 changes #8955
  woodruffw: https://github.com/pyca/cryptography/pull/8955
- Repo: pyca/cryptography
  Name: validation: remove unused From impl #9891
  woodruffw: https://github.com/pyca/cryptography/pull/9891
- Repo: pyca/cryptography
  Name: validation: flatten error types #9890
  woodruffw: https://github.com/pyca/cryptography/pull/9890
- Repo: alex/rust-asn1
  Name: types: add BigInt::is_negative API #425
  woodruffw: https://github.com/alex/rust-asn1/pull/425
- Repo: pyca/cryptography
  Name: Fix transposed docs, simplify types in trust store tests #9874
  woodruffw: https://github.com/pyca/cryptography/pull/9874
- Repo: pyca/cryptography
  Name: verification: add VerificationError, document the API #9873
  woodruffw: https://github.com/pyca/cryptography/pull/9873
- Repo: pyca/cryptography
  Name: validation/policy: split out test changes #9872
  woodruffw: https://github.com/pyca/cryptography/pull/9872
- Repo: pyca/cryptography
  Name: tests, ci: wire up x509-limbo-root #9871
  woodruffw: https://github.com/pyca/cryptography/pull/9871
- Repo: pyca/cryptography
  Name: validation/policy: remove old critical extension check logic #9855
  woodruffw: https://github.com/pyca/cryptography/pull/9855
- Repo: pyca/cryptography
  Name: actions: generalize the wycheproof fetch action #9848
  woodruffw: https://github.com/pyca/cryptography/pull/9848
- Repo: pyca/cryptography
  Name: validation: subject is non-optional #9846
  woodruffw: https://github.com/pyca/cryptography/pull/9846
- Repo: pyca/cryptography
  Name: src, tests: add max_chain_depth to the verification API #9844
  woodruffw: https://github.com/pyca/cryptography/pull/9844
- Repo: pyca/cryptography
  Name: x509/validation: make algorithm sets non-optional #9821
  woodruffw: https://github.com/pyca/cryptography/pull/9821
- Repo: pyca/cryptography
  Name: Add top-level ServerVerifier.verify API #9805
  woodruffw: https://github.com/pyca/cryptography/pull/9805
- Repo: pyca/cryptography
  Name: validation: add permitted_public_key_algorithms #9801
  woodruffw: https://github.com/pyca/cryptography/pull/9801
- Repo: pyca/cryptography
  Name: X.509: add WebPKI SPKI AlgorithmIdentifiers #9800
  woodruffw: https://github.com/pyca/cryptography/pull/9800
- Repo: pyca/cryptography
  Name: validation: add Rust-side extension validation helpers #9781
  tetsuo-cpp: https://github.com/pyca/cryptography/pull/9781
- Repo: pyca/cryptography
  Name: validation: add Rust-side certificate validation helpers #9757
  tetsuo-cpp: https://github.com/pyca/cryptography/pull/9757
- Repo: pyca/cryptography
  Name: x509: construct IPAddress and IPRange types #9346
  tnytown: https://github.com/pyca/cryptography/pull/9346
- Repo: pyca/cryptography
  Name: validation/ops: make public_key return Option #9356
  woodruffw: https://github.com/pyca/cryptography/pull/9356
- Repo: pyca/cryptography
  Name: noxfile, docs: fix posargs handling #9354
  woodruffw: https://github.com/pyca/cryptography/pull/9354
- Repo: pyca/cryptography
  Name: Migrate more types #9254
  woodruffw: https://github.com/pyca/cryptography/pull/9254
- Repo: pyca/cryptography
  Name: name: degenerate NameReadable variant #9282
  woodruffw: https://github.com/pyca/cryptography/pull/9282
- Repo: pyca/cryptography
  Name: extensions: explicit lifetimes #9225
  woodruffw: https://github.com/pyca/cryptography/pull/9225
- Repo: pyca/cryptography
  Name: x509: more extension APIs #9213
  woodruffw: https://github.com/pyca/cryptography/pull/9213
- Repo: pyca/cryptography
  Name: oid: add more extension and EKU OIDs #9212
  woodruffw: https://github.com/pyca/cryptography/pull/9212
- Repo: pyca/cryptography
  Name: Certificate: useful APIs #9300
  woodruffw: https://github.com/pyca/cryptography/pull/9300
- Repo: pyca/cryptography
  Name: validation: profile trait, error types #9299
  woodruffw: https://github.com/pyca/cryptography/pull/9299
- Repo: pyca/cryptography
  Name: rust: update lockfile #9298
  woodruffw: https://github.com/pyca/cryptography/pull/9298
- Repo: pyca/cryptography
  Name: validation: add CryptoOps trait #9297
  woodruffw: https://github.com/pyca/cryptography/pull/9297
- Repo: pyca/cryptography
  Name: rust: add PyCryptoOps, tests #9355
  woodruffw: https://github.com/pyca/cryptography/pull/9355
- Repo: pyca/cryptography
  Name: path validation: builder/verifier API skeleton #9405
  woodruffw: https://github.com/pyca/cryptography/pull/9405
- Repo: pyca/cryptography
  Name: validation: add Rust-side trust store API #9744
  woodruffw: https://github.com/pyca/cryptography/pull/9744
- Repo: pyca/cryptography
  Name: validation/types: add DNSConstraint, rename IPConstraint #9700
  woodruffw: https://github.com/pyca/cryptography/pull/9700
- Repo: pyca/cryptography
  Name: x509/policy: add WebPKI permitted algorithms #9548
  woodruffw: https://github.com/pyca/cryptography/pull/9548
- Repo: pyca/cryptography
  Name: verification: fill in policy API internals #9642
  woodruffw: https://github.com/pyca/cryptography/pull/9642
- Repo: pyca/cryptography
  Name: validation/policy: general name matching #9659
  woodruffw: https://github.com/pyca/cryptography/pull/9659
- Repo: pyca/cryptography
  Name: certificate: increase lifetime precision #9651
  woodruffw: https://github.com/pyca/cryptography/pull/9651
- Repo: pyca/cryptography
  Name: extensions: remove unnecessary self lifetime bounds #9650
  woodruffw: https://github.com/pyca/cryptography/pull/9650
- Repo: pyca/cryptography
  Name: validation/ops: add test-only NullOps #9608
  woodruffw: https://github.com/pyca/cryptography/pull/9608
- Repo: pyca/cryptography
  Name: verification: add PolicyBuilder API #9601
  woodruffw: https://github.com/pyca/cryptography/pull/9601
- Repo: pyca/cryptography
  Name: ops: use Result<…, Self::Err> as the return type #9599
  woodruffw: https://github.com/pyca/crypt