庆祝我们2024年的开源贡献 - Trail of Bits博客

Trail of Bits以开发Slither、Medusa和Fickling等安全工具而闻名，但我们的工程努力远不止于自己的项目。在整个2024年，我们的团队深入参与了更广泛的安全生态系统，解决了安全工程师日常依赖的开源工具和基础设施中的挑战。

今年，我们的工程师提交了超过750个成功合并的拉取请求（比2023年的贡献增加了67%！），改进了80多个开源项目，范围从基础密码学库到包管理器和软件索引。每个贡献都是对现实世界安全工程挑战的回应——当我们遇到关键工具的限制时，我们会深入研究并改进它们。当我们发现加强每个人都依赖的安全原语的方法时，我们会将这些改进实施到上游，使整个社区受益。

其中一些变化单独来看可能很小——这里一个更健壮的解析器，那里更好的错误处理——但总的来说，它们代表了数千名工程师依赖的安全工具的有意义改进。从强化包签名工作流到增强模糊测试能力，每个贡献都有助于为每个人构建更安全的基础。

让我们深入探讨我们在2024年做出的一些关键贡献。

关键贡献

LLVM：我们对MLIR和AddressSanitizer进行了改进。例如，我们为std::string和std::deque容器添加了C++容器溢出检测。在我们的博客文章“消毒你的C++容器：ASan注解逐步指南”中阅读更多相关内容。

pwndbg：pwndbg是一个GDB和LLDB插件，有助于逆向工程和漏洞利用开发。我们的工程师继续维护该项目，修复了许多问题并合并了许多新功能，如LLDB端口、Binary Ninja集成（参见拉取请求）以及对嵌入式设备的更好支持。

hevm：hevm是EVM的一个实现，支持符号和具体执行，我们将其作为Echidna的基础。在整个2024年，我们贡献了几项性能改进，添加了对新Cancun操作码的支持，并实现了多个新的cheatcode以改善测试体验。

后量子密码学：我们发布了两种已被NIST标准化的后量子数字签名方案的开源实现，有助于改善后量子密码学的整体社区支持。我们发布了这些标准的Go和Rust版本，Rust版本已集成到RustCrypto中。

OSS-Fuzz：OSS-Fuzz是开源软件项目的持续模糊测试工具。我们添加了对Ruzzy的支持，这是我们为Ruby和Ruby C扩展提供的覆盖引导模糊测试器。

Python打包生态系统：我们继续为Python打包生态系统做出贡献，实现了PEP 740和许多其他供应链安全改进。在我们的博客文章“证明：PyPI上的新一代签名”中阅读更多相关内容。

这里列出的拉取请求捕捉了技术变化，但它们并没有讲述完整的故事。每个合并的拉取请求背后都有一个维护者社区，他们审查了我们的代码，提出了改进建议，并仔细考虑了每个变化的长期影响。这些维护者承担着开源开发的真正重量——确保一致性，维护测试覆盖，并在多年的变化中保持兼容性。

我们的许多贡献始于我们在安全评估或工具开发期间遇到的开源项目限制。我们没有为这些限制构建变通方案，而是选择在上游解决它们，改进整个安全社区依赖的工具。我们能够完成这项工作，是因为我们站在巨人的肩膀上——构建和培育这些关键项目的维护者和贡献者。

向每一位审查我们拉取请求的维护者、每一位提供反馈的开发人员以及每一位致力于改善安全生态系统的工程师——表示感谢。祝合作安全工程又一年！

Trail of Bits 2024年的一些开源贡献

AI/ML

• Repo: TabbyML/tabby
  Name: feat: Add Solidity language
  #1681 ret2libc: https://github.com/TabbyML/tabby/pull/1681

• Repo: astronomer/ask-astro

  #325 bismuthsalamander: https://github.com/astronomer/ask-astro/pull/325

• Repo: continuedev/continue
  Name: Add autocomplete support for Solidity
  #964 ret2libc: https://github.com/continuedev/continue/pull/964

• Repo: langchain-ai/langchain
  Name: core: runnables: special handling GeneratorExit because no error
  #22662 ret2libc: https://github.com/langchain-ai/langchain/pull/22662

• Repo: onyx-dot-app/onyx
  Name: backend: remove duplicated word in ANSWER_VALIDITY_PROMPT
  #1184 ret2libc: https://github.com/onyx-dot-app/onyx/pull/1184

• Repo: unoplat/vespa-helm-charts
  Name: Fix labels and service selector
  #14 oldsj: https://github.com/unoplat/vespa-helm-charts/pull/14

密码学

• Repo: C2SP/x509-limbo
  Name: render-testcases: fix linkification
  #162 woodruffw: https://github.com/C2SP/x509-limbo/pull/162

• Repo: C2SP/x509-limbo
  Name: gocryptox509: handle a KeyUsage edge case
  #167 woodruffw: https://github.com/C2SP/x509-limbo/pull/167

• Repo: C2SP/x509-limbo
  Name: Update URLs post-transfer
  #172 woodruffw: https://github.com/C2SP/x509-limbo/pull/172

• Repo: C2SP/x509-limbo
  Name: Add an explicit curve test
  #173 woodruffw: https://github.com/C2SP/x509-limbo/pull/173

• Repo: C2SP/x509-limbo
  Name: testcases: add CVE-2024-0567
  #176 woodruffw: https://github.com/C2SP/x509-limbo/pull/176

• Repo: C2SP/x509-limbo
  Name: site: config cleanup, grammar
  #178 woodruffw: https://github.com/C2SP/x509-limbo/pull/178

• Repo: C2SP/x509-limbo

  #179 woodruffw: https://github.com/C2SP/x509-limbo/pull/179

• Repo: C2SP/x509-limbo
  Name: limbo: add RSA key size tests
  #184 woodruffw: https://github.com/C2SP/x509-limbo/pull/184

• Repo: C2SP/x509-limbo
  Name: webpki: improve pedantic “forbidden leaf key” tests
  #185 woodruffw: https://github.com/C2SP/x509-limbo/pull/185

• Repo: C2SP/x509-limbo
  Name: limbo: include peer keys, when possible
  #187 woodruffw: https://github.com/C2SP/x509-limbo/pull/187

• Repo: C2SP/x509-limbo
  Name: fixup peer_certificate_key in Go schema
  #193 woodruffw: https://github.com/C2SP/x509-limbo/pull/193

• Repo: C2SP/x509-limbo
  Name: ci: enforce schema.go’s updatedness
  #194 woodruffw: https://github.com/C2SP/x509-limbo/pull/194

• Repo: C2SP/x509-limbo
  Name: limbo: initial client testcases
  #196 woodruffw: https://github.com/C2SP/x509-limbo/pull/196

• Repo: C2SP/x509-limbo
  Name: site: undocumented REST API
  #198 woodruffw: https://github.com/C2SP/x509-limbo/pull/198

• Repo: C2SP/x509-limbo
  Name: Detect testcase regressions
  #201 woodruffw: https://github.com/C2SP/x509-limbo/pull/201

• Repo: C2SP/x509-limbo
  Name: limbo: NC DoS testcase
  #204 woodruffw: https://github.com/C2SP/x509-limbo/pull/204

• Repo: C2SP/x509-limbo
  Name: harness/openssl: multiple OpenSSL builds
  #205 woodruffw: https://github.com/C2SP/x509-limbo/pull/205

• Repo: C2SP/x509-limbo
  Name: limbo: don’t mark SAN as critical when subject is nonempty
  #206 woodruffw: https://github.com/C2SP/x509-limbo/pull/206

• Repo: C2SP/x509-limbo
  Name: PyCA harness, fix SAN
  #207 woodruffw: https://github.com/C2SP/x509-limbo/pull/207

• Repo: C2SP/x509-limbo
  Name: limbo: chonkify NC DoS cases
  #208 woodruffw: https://github.com/C2SP/x509-limbo/pull/208

• Repo: C2SP/x509-limbo
  Name: limbo, site: migrate another template
  #211 woodruffw: https://github.com/C2SP/x509-limbo/pull/211

• Repo: C2SP/x509-limbo
  Name: More template migration
  #212 woodruffw: https://github.com/C2SP/x509-limbo/pull/212

• Repo: C2SP/x509-limbo
  Name: _cli: add limbo extract
  #213 woodruffw: https://github.com/C2SP/x509-limbo/pull/213

• Repo: C2SP/x509-limbo
  Name: webpki/san: add a valid 127.0.0.1 testcase
  #214 woodruffw: https://github.com/C2SP/x509-limbo/pull/214

• Repo: C2SP/x509-limbo
  Name: add rfc5280::root-and-intermediate-swapped
  #220 woodruffw: https://github.com/C2SP/x509-limbo/pull/220

• Repo: C2SP/x509-limbo
  Name: limbo: add invalid email SAN/NC cases
  #221 woodruffw: https://github.com/C2SP/x509-limbo/pull/221

• Repo: C2SP/x509-limbo
  Name: rfc5280/nc: fix invalid-email-address
  #223 woodruffw: https://github.com/C2SP/x509-limbo/pull/223

• Repo: C2SP/x509-limbo
  Name: harness: add certvalidator
  #224 woodruffw: https://github.com/C2SP/x509-limbo/pull/224

• Repo: C2SP/x509-limbo
  Name: actions/run-harness: refine cache key
  #225 woodruffw: https://github.com/C2SP/x509-limbo/pull/225

• Repo: C2SP/x509-limbo
  Name: limbo: add othername NC testcase
  #228 woodruffw: https://github.com/C2SP/x509-limbo/pull/228

• Repo: C2SP/x509-limbo
  Name: limbo: add an OtherName NC “no-op” case
  #229 woodruffw: https://github.com/C2SP/x509-limbo/pull/229

• Repo: C2SP/x509-limbo
  Name: limbo: fixup docstrings
  #231 woodruffw: https://github.com/C2SP/x509-limbo/pull/231

• Repo: C2SP/x509-limbo
  Name: mkdocs, site: make rendered tables sortable
  #232 woodruffw: https://github.com/C2SP/x509-limbo/pull/232

• Repo: C2SP/x509-limbo
  Name: rfc5280/nc: fixup client auth EKUs
  #233 woodruffw: https://github.com/C2SP/x509-limbo/pull/233

• Repo: C2SP/x509-limbo
  Name: Add importance qualifier to each testcase
  #236 woodruffw: https://github.com/C2SP/x509-limbo/pull/236

• Repo: C2SP/x509-limbo
  Name: limbo: more validity cases
  #237 woodruffw: https://github.com/C2SP/x509-limbo/pull/237

• Repo: C2SP/x509-limbo
  Name: Add a GnuTLS harness
  #240 woodruffw: https://github.com/C2SP/x509-limbo/pull/240

• Repo: C2SP/x509-limbo
  Name: Makefile: fix test-gnutls
  #241 woodruffw: https://github.com/C2SP/x509-limbo/pull/241

• Repo: C2SP/x509-limbo
  Name: limbo: importance API in builder, fill some in
  #244 woodruffw: https://github.com/C2SP/x509-limbo/pull/244

• Repo: C2SP/x509-limbo
  Name: limbo: add san-wildcard-only test
  #250 woodruffw: https://github.com/C2SP/x509-limbo/pull/250

• Repo: C2SP/x509-limbo
  Name: schema: regenerate
  #254 woodruffw: https://github.com/C2SP/x509-limbo/pull/254

• Repo: C2SP/x509-limbo

  #271 woodruffw: https://github.com/C2SP/x509-limbo/pull/271

• Repo: C2SP/x509-limbo
  Name: site: trophy case
  #272 woodruffw: https://github.com/C2SP/x509-limbo/pull/272

• Repo: C2SP/x509-limbo
  Name: remove SAN from root in nc::permitted-dn-match
  #287 woodruffw: https://github.com/C2SP/x509-limbo/pull/287

• Repo: C2SP/x509-limbo
  Name: openssl: add 3.3 harness
  #296 woodruffw: https://github.com/C2SP/x509-limbo/pull/296

• Repo: C2SP/x509-limbo
  Name: limbo: add underscore SAN test
  #305 woodruffw: https://github.com/C2SP/x509-limbo/pull/305

• Repo: C2SP/x509-limbo
  Name: limbo: add rfc5280::eku::ee-eku-empty
  #313 woodruffw: https://github.com/C2SP/x509-limbo/pull/313

• Repo: C2SP/x509-limbo
  Name: add openssl 3.4 harness
  #330 woodruffw: https://github.com/C2SP/x509-limbo/pull/330

• Repo: C2SP/x509-limbo
  Name: gocryptox509: fix schema.go
  #352 woodruffw: https://github.com/C2SP/x509-limbo/pull/352

• Repo: C2SP/x509-limbo
  Name: zizmor fixes
  #359 woodruffw: https://github.com/C2SP/x509-limbo/pull/359

• Repo: C2SP/x509-limbo
  Name: add rfc5280::san::ip-in-dns
  #369 woodruffw: https://github.com/C2SP/x509-limbo/pull/369

• Repo: RustCrypto/signatures
  Name: Add SLH-DSA
  #812 tjade273: https://github.com/RustCrypto/signatures/pull/812

• Repo: RustCrypto/signatures
  Name: SLH-DSA: Fix tests with –no-default-features and enable CI
  #814 tjade273: https://github.com/RustCrypto/signatures/pull/814

• Repo: RustCrypto/signatures
  Name: slh-dsa: implement changes from FIP 205 Initial Public Draft -> FIPS 205 Final
  #844 tjade273: https://github.com/RustCrypto/signatures/pull/844

• Repo: alex/rust-asn1
  Name: types: add const generics for SequenceOf length limits
  #470 woodruffw: https://github.com/alex/rust-asn1/pull/470

• Repo: alex/rust-asn1
  Name: rust-asn1: bump to 0.17.0
  #471 woodruffw: https://github.com/alex/rust-asn1/pull/471

• Repo: alex/rust-asn1
  Name: Add GeneralizedTime
  #492 DarkaMaul: https://github.com/alex/rust-asn1/pull/492

• Repo: alex/rust-asn1
  Name: Rename GeneralizedTime to X509Generalized