Trail of Bits

Computer and Network Security

Brooklyn, New York 8,355 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Brooklyn, New York
Type
Privately Held
Founded
2012
Specialties
software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, and Application Security

Updates

  • Trail of Bits reposted this

    Gradio

    36,836 followers

    🔒 Gradio 5 Just Got Even More Secure! 🔒

    🛡️ A comprehensive Security overhaul with Trail of Bits!

    Following the launch of Gradio 5, we are very excited to share about one of the most significant enhancements in Gradio 5 -- Web Security. With Gradio becoming the go-to framework for building and sharing machine learning apps (over 6M monthly downloads & 470K apps on Hugging Face Spaces), we knew that security had to be a top priority. That's why we went ahead and partnered with the cybersecurity experts at Trail of Bits for an in-depth security audit.

    🔍 In the spirit of transparency and open-source, we're making the full security report public! 📄 Keep reading to access the report and to learn more 👇

    Gradio has successfully addressed all the issues identified by the Trail of Bits team in our security audit. The key highlights are:

    1️⃣ Local Apps Security: Addressed CORS misconfigurations to prevent unauthorized access and token theft when running Gradio apps locally.
    2️⃣ Deployed Apps Protection: Fixed SSRF vulnerabilities to secure internal networks and prevent data leaks for apps deployed on servers.
    3️⃣ Shared Links Safety: Secured communication between frp-client and frp-server to prevent interception and unauthorized access when sharing apps via built-in share links.
    4️⃣ Supply Chain Defense: Hardened our CI pipeline against supply chain threats by pinning dependencies and enhancing workflow security.

    👉 Read the Full Security Report here: https://lnkd.in/djFewzS5

    Q: What Does Gradio's Security Audit mean for You? 🤔
    A: Your Gradio apps are now safer by default, without requiring significant changes to your code! You can continue building and sharing amazing ML apps with greater peace of mind.

    🚀 💪 Upgrade to Gradio 5 Today with Full Confidence: pip install --upgrade gradio

    Dive Deeper: Check out our latest blog post on Hugging Face for an in-depth look at our security journey and the steps we've taken to make Gradio more secure: https://lnkd.in/dYcxMumQ

    We'd Love to Hear From our Community! Your feedback is invaluable to us. Together, let's build a safer and more robust ecosystem for machine learning applications! 🙌 Let us know your thoughts on the new security enhancements with Gradio 5, or any other features you'd like to see in Gradio. 💬

  • Trail of Bits reposted this

    Clint Gibler

    Sharing the latest cybersecurity research at tldrsec.com | Head of Security Research at Semgrep

    📚 tl;dr sec 251 Vuln Discovery at Scale, Multi-Cloud Testing Tool, AI-powered Container Scanning

    ✨ Highlights

    🙌 Shout-outs 🙌 My friend Zack Allen, for his excellent Detection Engineering Weekly newsletter hitting 10K subscribers. My bud Matt Johansen has started a “Newsroom,” covering relevant current events in security.

    👨💻 AppSec 👨💻 - Probing Slack Workspaces for Authentication Information and other Treats - Vulnerabilities Caused by China's Great Firewall - Shubham Shah

    ☁ Cloud Security ☁ - Halberd: Open-Source Multi-Cloud Security Tool - Arpan Abani Sarkar - Hacking misconfigured Cloudflare R2 buckets - Intigriti - Using Lightweight Formal Methods to Validate a Key-Value Storage Node in Amazon S3 - Leveraging Big Data for Vulnerability Discovery at Scale - Bill Demirkapi

    📦 Container Security 📦 - Docker Honeypot Logs - Safe Ride into the Dangerzone: Reducing attack surface with gVisor

    ⛓ Supply Chain ⛓ - Auto generate requirements.txt based on imports - Vadim Kravcenko - Securing the software supply chain with the SLSA framework - Cliff Smith

    😈 Red Team 😈 - Bring-Your-Own-Script-Interpreter - Red Teaming in the age of EDR: Fox-IT's Boudewijn Meijer, Rick Veldhoven

    🤖 AI + Security 🤖 - Deepfake Ukrainian diplomat targeted US senator on Zoom call - How My Projects Fit Together - Daniel Miessler - Vulnerability Analysis for Container Security - NVIDIA - Introducing Java fuzz harness synthesis using LLMs - Google

    📖 OSINT / Recon 📖 - Ax: Scale scanning infrastructure across cloud providers - A Guide To Subdomain Takeovers 2.0 - Ed Foudil - How to build a secure recon network using Tailscale - Rami Tawil

    https://lnkd.in/dd737gnq #cybersecurity #infosec #ciso #ai

    [tl;dr sec] #251 - Vuln Discovery at Scale, Multi-Cloud Testing Tool, AI-powered Container Scanning

    tldrsec.com

  • Trail of Bits

    8,355 followers

    We're excited to share our recent security audit of Gradio 5, Hugging Face's popular ML GUI framework. Read the blog: https://lnkd.in/dDFgdVAa

    Our team at Trail of Bits went beyond traditional vulnerability assessment, providing comprehensive consulting on Software Development Life Cycle (SDLC) improvements. We recommended and helped implement security testing integration, fuzz testing, and streamlined deployment processes, significantly enhancing Gradio's overall security posture.

    For those unfamiliar, Gradio is a powerful tool that allows machine learning engineers to create interactive web demos for their models with minimal code. It's the engine behind widely-used projects like Stable-diffusion-webui and text-generation-webui.

    This project underscores the importance of regular security assessments for rapidly evolving open-source projects in the AI/ML space. These systems often face unique vulnerabilities that differ from traditional software, and early identification is crucial.

    Security audit report: https://lnkd.in/djFewzS5
    Hugging Face's blog: https://lnkd.in/dYcxMumQ

  • Trail of Bits reposted this

    VentureBeat

    356,162 followers

    Hugging Face's new OpenAI #Gradio tool enables #devs to build #AI-powered web apps quickly and easily with just a few lines of code, accelerating innovation and simplifying AI integration for businesses of all sizes. Read more: https://bit.ly/3NfEk0U

    Hugging Face's new tool lets devs build AI-powered web apps with OpenAI in just minutes

    venturebeat.com

  • Trail of Bits reposted this

    Carter Miller

    Senior Technical Recruiter, Cyber Security at Trail of Bits

    Done!! I just completed the Application Security Foundations Level I course via Semgrep Academy, taught by the renowned Tanya Janca (SheHacksPurple)!

    As a recruiter for Trail of Bits, you might wonder why I took this course. Here's the scoop:

    - To deepen my understanding of AppSec fundamentals
    - Be stronger at evaluating candidates' skills and knowledge
    - Have more insightful conversations with clients about their AppSec needs

    Tanya does a fantastic job teaching how to weave security into your software development lifecycle. She breaks down core AppSec principles and brings them to life with real-world examples!

    I highly recommend taking this course if you want to understand security's crucial role in today's software development world. Excited to start level 2 next week!

  • Trail of Bits

    8,355 followers

    We're competing in the xTech Scalable AI Competition, which seeks AI solutions to improve the testing and evaluation of Army AI/ML capabilities. We will present ModelInspector on October 15 in Washington, DC, as one of 16 finalists selected from the initial 32 concepts. ModelInspector detects AI/ML model weaknesses through bill-of-materials-based analysis. It enhances the integrity of AI pipeline operations by tracking data flow across the model lifecycle and implementing comprehensive dependency vetting. https://hubs.ly/Q02StPzT0

    ACCELERATING THE ARMY’S AI STRATEGY

    army.mil

  • Trail of Bits reposted this

    Arnold K.L. 🌊 Y.

    PhD Information Security - Cryptography, Zero Knowledge, FHE/MPC, Blockchain, Custody, Cloud, Startup Security Advisory. Ultra runner.

    Answers to some questions in advanced cryptography topics by Trail of Bits. Love to read this kind of content where I get to learn something new or dive deeper into a subject of which I've only had rudimentary knowledge. YMMV

    Our crypto experts answer 10 key questions

    blog.trailofbits.com

  • Trail of Bits reposted this

    Clint Gibler

    Sharing the latest cybersecurity research at tldrsec.com | Head of Security Research at Semgrep

    📚 tl;dr sec 250 CNAPP Guide, OpenAI's o1 vs CTFs, Cloud Logging Tips

    ✨ Highlights

    👨💻 AppSec 👨💻 - Using YouTube to steal your files - Lyra - Hacking Kia: Remotely Controlling Cars With Just a License Plate - @Neiko Rivera, Sam Curry, Justin Rhinehart, Ian Carroll - Announcing the Security Exceptions program pack 1.0 - Robert Auger - Memory Safety Strategies and Techniques - Florian Noeding - Eliminating Memory Safety Vulnerabilities at the Source - Jeffrey Vander Stoep, Alex Rebert

    ☁ Cloud Security ☁ - Lambda Watchdog - CloudShovel - Eduard Agavriloae, Matei Anthony Josephs - Cloud Logging Tips and Tricks - Alice Klimovitsky - Cedar, Rego, and OpenFGA Policy Languages Comparison - Ian Smith, Kelly Kaoudis - Implementing CNAPP: Day 2 Focus Areas - Naman Sogani - Redefining CNAPP: A Complete Guide - Francis Odum, James Berthoty

    📦 Container Security 📦 - encap-attack - Matthew Grove - Kubernetes CRD generation pitfalls - Ahmet Alp Balkan

    ⛓ Supply Chain ⛓ - Fuzzing confused dependencies with Depfuzzer - Pierre MARTIN, Kévin Schouteeten - Mitigating Attack Vectors in GitHub Workflows - Joyce Brum - GitHub Users Targeted by Spambots - Sarah Gooding

    🛡 Blue Team 🛡 - segugio - track the malware detonation process - Investigating Vulnerable Drivers and Mitigating Risks - Jiri Vinopal

    😈 Red Team 😈 - remotechrome - “All your loaders suck until further notice”

    🤖 AI + Security 🤖 - ai-goat - Winning the AIxCC Qualification Round - Theori - OpenAI o1 System Card

    https://lnkd.in/gc774Bp9 #cybersecurity #infosec #security #ciso #ai

    tl;dr sec

    tldrsec.com

  • Trail of Bits reposted this

    Jim Miller

    Director of Engineering for Cryptography at Trail of Bits

    Since I'm a cryptographer, I don't have normal hobbies; instead, I spend my weekends looking for fun zero-knowledge proof bugs. Here's research that I've been working on for the past 2-3 years.

    If you follow zero-knowledge proofs, you may have heard about the Fiat-Shamir transformation: it's a theoretical concept that gets used in essentially all ZKPs used today. The problem is that most people don't fully understand it, and it's often implemented insecurely. The bonus is that it's usually a critical vulnerability when it's done incorrectly.

    My teammates, collaborators, and I have spent the last 2-3 years researching as many ZKP implementations as possible (over 75). From that research, we reported 36 vulnerabilities across 12 different proof systems.

    One critical vulnerability we found affected a privacy coin protocol, which could have resulted in unlimited amounts of money being stolen and completely untraceable. The vulnerability was present for 4 years until my collaborators and I disclosed the issue, which was promptly fixed. We promise we didn't transfer any of this coin to ourselves :).

    That research culminated in me giving a talk at Real World Crypto '24, which you can check out in the link below: https://lnkd.in/eKtACe8p

    #ZeroKnowledgeProof #ZKP #Cryptography #CyberSecurity

    Weak Fiat-Shamir attacks on modern proof systems (RWC 2024)

    www.youtube.com
