Open Source Tools

Trail of Bits is committed to Open Source

Open source software is key to Trail of Bits’ core mission — Advancing the science of security. Raising that bar requires sharing our work. We publicly release nearly all our internal and approved client-facing projects, contribute to and maintain promising open source security projects, and review the security of critical open-source infrastructure.

Table of Contents

Yearly Open Source Contribution Highlights

We publish a yearly blog post that highlights our open source contributions for that year. These posts are a great way to get a quick overview of our open source work.

Another Prolific Year of Open Source Contributions (2022)

Celebrating Our Open Source Contributions (2021)

eBPF Tools and Libraries

Trail of Bits has developed a collection of related libraries and resources that enable efficient monitoring of process and network events, function tracing, parsing of kernel debug symbols, and the generation and usage of eBPF code.

Linuxevents is a demonstration of how eBPF can monitor events on Linux platforms without the need for accurate kernel headers or other external dependencies. No more shipping kernel headers, multiple copies of pre-compiled eBPF bytecode, or dependencies on BCC!

The ebpfpub library allows for monitoring system calls and library calls across multiple Linux kernel versions while relying on minimal external run-time dependencies. It differs from linuxevents in that ebpfpub can target older Linux kernel versions.

The ebpf-common library is a set of utilities that assist with generating, loading and using eBPF code. It is the common substrate that underpins all of our eBPF-related tooling. Use epbf-common to create your own eBPF-based tools!

The btfparse library allows developers to easily read Linux kernel BTF data and generate code based on the parsed function and data structure definitions. The library comes with a tool, called btf-dump, that both serves as an example of using btfparse and as a standalone tool that can dump BTF data present in a Linux kernel image.

The ebpfault tool is a system-wide fault injector that does not require dangerous kernel drivers that may crash the system. It can start a specific program, target running processes, or target all processes except those on a specific list.

The Linux kernel "verifies" eBPF programs at load time and rejects any that it deems unsafe. Bundling eBPF bytecode is a CI / CD nightmare, because every kernel’s verification is ever so slightly different. Ebpf-verifier is a research prototype that aims to eliminate that nightmare by executing the eBPF verifier outside of the running kernel and opens the door to testing of eBPF programs across different kernel versions.

Rust Libraries and Utilities

Our Rust libraries and utilities are designed to enhance various aspects of software development and testing. These tools offer functionalities like dynamic linting, innovative testing strategies, interaction with Windows systems, identification of unsafe code segments, fuzz testing automation, and advanced cryptographic proofs.

cargo-unmaintained automatically identifies unmaintained packages in Rust projects, saving users from having to identify them manually.

Dylint is a Rust linting tool, similar to Clippy. But whereas Clippy runs a predetermined, static set of lints, Dylint runs lints from user-specified, dynamic libraries. Thus, Dylint allows developers to maintain their own personal lint collections.

Necessist runs tests with statements and method calls removed to help identify broken tests. Conventional mutation testing tries to identify gaps in test coverage, whereas Necessist tries to identify bugs in existing tests.

Siderophile finds the "most unsafe" functions in your Rust codebase, so you can fuzz them or refactor them out entirely. It checks the callgraph of each function in the codebase, estimates how many unsafe expressions are called in an evaluation of that function, then produces a list sorted by this value.

test-fuzz is a convenient front end for In more concrete terms, test-fuzz is a collection of Rust macros and a Cargo subcommand that automate certain fuzzing-related tasks, most notably, generating a fuzzing corpus and implementing a fuzzing harness.

weggli-native is a "native" C API for Google's weggli; it exposes a subset of weggli's public Rust API to C and C++ consumers.

Reverie is an implementation (prover and verifier) of the MPC-in-the-head NIZKPoK outlined in Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures.

AppJailLauncher-rs is akin to a simple version of xinetd for Windows but with sandboxing enabled for the spawned child processes. The sandboxing is accomplished via AppContainers and is a Rust rewrite of an earlier version in C.

mcircuit is a Rust library of types for working with A library of types for working with boolean & arithmetic circuits.

Go Libraries and Utilities

The collection of libraries and utilities focuses on enhancing the development and testing processes in Go programming. They provide a range of functionalities, from generating random values for fuzz testing and detecting improper usage patterns, to offering a platform for understanding and remedying common vulnerabilities, as well as verifying assumptions about mutex locking mechanisms in Go applications.

go-fuzz-utils is a helper package for use with go-fuzz or other fuzzing utilities. It provides a simple interface to produce random values for various data types and can recursively populate complex structures from raw fuzz data generated by go-fuzz.

On-Edge is a library for detecting certain improper uses of the Defer, Panic, and Recover pattern in Go programs. OnEdge is lightweight in that it is easy to incorporate into your project and tries to stay out of your way as much as possible.

Not Go-ing Anywhere is a set of vulnerable Golang programs meant to show common vulnerabilities and provide a test bed for users to find, fix, and remediate Golang vulnerabilities.

go-mutex-asserts is a small library that checks if Go mutexes are locked. It can be used to verify invariants/assumptions about (un)locking mutexes within certain functions.

Binary Decompilation and Lifting

These tools focus on code translation, decompilation, and reverse engineering. They encompass technologies for translating machine code into LLVM bitcode, enhancing the quality of decompiled code, providing snapshot-based process emulation, and offering a framework for instrumenting and enhancing build tools and systems in various programming environments.

Remill is a static binary translator that translates machine code instructions into LLVM bitcode. It translates AArch64 (64-bit ARMv8), SPARC32 (SPARCv8), SPARC64 (SPARCv9), x86 and amd64 machine code (including AVX and AVX512) into LLVM bitcode. Remill focuses on accurately lifting instructions. It is meant to be used as a library for other tools (like McSema).

Anvill implements simple machine code lifting primitives using Remill to produce high quality bitcode, which can then be further decompiled to C (via Clang ASTs) using Rellic. We define "high quality bitcode" as being similar in form to what the Clang compiler would produce if it were executed on a semantically equivalent C function.

VMill is a snapshot-based process emulator that uses remill to lift machine code to LLVM bitcode, and enables that bitcode to be instrumented, compiled to machine code and executed.

Codex Decompiler is proof-of-concept Ghidra plugin that utilizes OpenAI's language models to improve the decompilation and reverse engineering experience.

We also provide a CMake-based build project for Ghidra’s Sleigh so that it can be built and packaged as a standalone library and be reused in projects other than Ghidra.

blight is a framework for wrapping and instrumenting build tools and build systems. It contains: A collection of high-fidelity models for various common build tools (e.g. the C and C++ compilers, the standard linker, the preprocessor, etc.); A variety of "actions" that can be run on each build tool or specific classes of tools (e.g. "whenever the build system invokes $CC, add this flag") and Command-line wrappers (blight-env and blight-exec) for instrumenting builds.

Symbolic Execution

These tools leverage symbolic execution for security and analysis, particularly for smart contracts, binaries, and WebAssembly programs.

Manticore is a symbolic execution tool for the analysis of smart contracts, binaries and WebAssembly programs. Manticore is designed for extensibility and simplicity, and includes a rich API for creating custom tools using its analysis engine.

ManticoreUI and ManticoreUI-Ghidra are prototype GUIs to make it easy to use Manticore from existing binary analysis platforms.

sandshrew is a prototype concolic unit testing tool for cryptographic verification. It harnesses the Manticore API in order to perform unconstrained concolic execution on C cryptographic primitives.

Maat is a dynamic symbolic execution and binary analysis framework. It provides various functionalities such as symbolic execution, taint analysis, constraint solving, binary loading, environment simulation, and leverages Ghidra's sleigh library for assembly lifting.

C++ Tools and Libraries

Our C++ tools and libraries streamline various aspects of C++ development at Trail of Bits. These include centralized management of dependencies, bridging gaps between different programming frameworks, easy integration with SQLite, abstracting compiler toolchains, program analysis and instrumentation, automatic code rewriting for constexpr contexts, and dynamic data race detection.

cxx-common is a set of libraries used to build Trail of Bits' C++-based projects. Many of our tools utilize the same dependencies and it is easier to manage them in one place.

gap is a utility library to bridge the LLVM and MLIR gap -- that is, it provides tools, utilities, and helper functions to make it easier to use LLVM and MLIR together.

SQLiteWrapper is an easy-to-use, lightweight and concurrency-friendly SQLite wrapper written in C++17.

PASTA is a C++ library that abstracts the Clang compiler toolchain, and provides detailed access to compilation artifacts using APIs that mirror those available in Clang.

VAST is a library for program analysis and instrumentation of C/C++ and related languages. VAST provides a foundation for customizable program representation for a broad spectrum of analyses. Using the MLIR infrastructure, VAST provides a toolset to represent C/C++ program at various stages of the compilation and to transform the representation to the best-fit program abstraction.

constexpr-everything is a libclang based project to automatically rewrite as much code as possible to be evaluated in constexpr contexts.

RaceSanitizer RaceSanitizer (RSan) is dynamic data race detector. It uses a modified version of the DataCollider algorithm insofar as it pauses one thread and tries to "wait out" a data race.


Our cryptography tools focus on advancing cryptographic and privacy-preserving technologies in various programming and computation contexts.

MPC-learning is a Python library for performing multi-party computation on machine learning applications. This library implements the a 3-party computation protocol. For now, a "dealer" is required to distribute shares of inputs, and the protocol can only be run locally.

Indurative lets you easily build authenticated data structures from many Haskell containers. You can delegate custody to a third party using an authenticated data structure, then cryptographically verify all reads and writes performed by that third party. Certificate and binary transparency are example use cases enabled by authenticated data structures that you can build with Indurative. This is new, untested cryptographic code. Standard warnings apply.

ZKDocs provides comprehensive, detailed, and interactive documentation on zero-knowledge proof systems and related primitives.

Sholva is a tool for generating zero knowledge proofs of program execution, composed of mttn: an instruction-resolution program tracer and tiny86: a Verilog and Clash trace verifier circuit.

Circomspect is a static analyzer and linter for the Circom programming language. The codebase borrows heavily from the Rust Circom compiler built by iden3. Circomspect currently implements a number of analysis passes which can identify potential issues in Circom circuits. It is our goal to continue to add new analysis passes to be able to detect more issues in the future.

Experimental Tools

Our experimental tools are research prototypes that explore new ideas and approaches to solving security problems. They are not production-ready, but we hope they will inspire others to build on our work.

Magnifier is an experimental reveree engineering user interface. Magnifier asks, “What if, as an alternative to taking handwritten notes, reverse engineering researchers could interactively reshape a decompiled program to reflect what they would normally record?” With Magnifier, the decompiled C code isn't the end—it's the beginning.

Umberto is a library designed for mutating generic structured data (e.g., JSON, XML, X.509) and a command line application wrapping this functionality. It can apply a variety of mutations, synthesize totally new values, and apply existing mutators (e.g. Radamsa) to structure components. If you're trying to perform grammar-based fuzzing, you might find it very useful.

Honeybee is a very fast Intel Processor Trace capture and decoding suite which enables previously unattainable performance in source and blackbox fuzzing alike by taking advantage of a custom ahead-of-time analysis cache to accelerate decoding multiple traces.

tsc_freq_khz is a driver that exports the Linux kernel's tsc_khz variable via sysfs (in /sys/devices/system/cpu/cpu0/tsc_freq_khz) and enabled profiling and benchmarking tools to work in virtualized environments. It also makes these tools more accurate on systems where the time stamp counter is independent from clock speed, like newer Intel processors. Several open source projects (X-Ray, Abseil) already check for this sysfs file, but until now it was only available in Google's production kernels. This driver enables it for everyone.

Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.

Binrec dynamically lifts binary executables to LLVM IR, where they can be optimized, hardened, or transformed and recompiled back to binaries. It is based on S2E. For a full description of the framework, see the original research paper. This is a version modified by Trail of Bits to support more recent versions of LLVM and to support more kinds of targets.

Microx is a single-instruction "micro execution" framework. Microx enables a program to safely execute an arbitrary x86 or x86-64 instruction. Microx does not take over or require a process context in order to execute an instruction. It is easily embedded within other programs, as exampled by the Python bindings.

Anselm lets you to describe and detect patterns of bad behavior in function calls. Its primary advantage over static analysis is that it can operate on any programming language that compiles to LLVM intermediate representation (IR), or any compiled code that can be lifted back to LLVM's intermediate representation.

essence aims to generate stand-alone executables for functions residing in LLVM bitcode modules. Functions can be specified by name and convenient JSON input templates will be generated in which their arguments (including globals) can be specified. The project is sub-divided into two components: essence is the python tool which is meant for users and handles all of the end-to-end functionality, and handsanitizer is the C++ component that interacts directly with the LLVM bitcode modules.


These tools focus on network security and management.

onesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps.

eatmynetwork is a small script for running programs with (minimal) network sandboxing.


The tools presented are designed to enhance the security and reliability of software through various advanced fuzzing techniques. They range from snapshot fuzzers and binary translators for specific emulation tasks, to frameworks and platforms that make fuzzing more accessible to developers, tools for fault injections in kernels, and differential fuzzers for discovering discrepancies in decoders.

zfuzz is an emulation-based snapshot fuzzer. It can load arbitrary memory dumps and start fuzzing. zfuzz inclues both a mutational and a generational grammar based mutators.

Grr is an x86 to amd64 binary translator that was created specifically to emulate and fuzz DECREE challenge binaries.

CEO (Central Exploit Organizer) collects, analyzes and builds predictive models to guide Cyber Reasoning Systems (CRS) toward the discovery of vulnerabilities in binary programs. CEO collects data to predict which is the best action that a CRS can perform. Currently, given a binary + input, CEO can use one of the following techniques: (1) symbolic execution with Manticore, (2) smart fuzzing with American Fuzzy Lop, or (3) blind fuzzing with Grr.

Sienna Locomotive is a fuzzing and crash triage platform that aims to make fuzzing accessible to developers with limited security expertise. Its user-oriented features make it easy to configure, easy to run, and easy to interpret the results. For more information, see our blog post.

KRF is a KRF is a Kernelspace Randomized Faulter that currently supports the Linux and FreeBSD kernels. KRF can be used to implement fault injections, a software testing technique that involves inducing failures ("faults") in the functions called by a program. If the callee has failed to perform proper error checking and handling, these faults can result in unreliable application behavior or exploitable vulnerabilities.

DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. Read more about the goals and design of DeepState in our paper.

ProtoFuzz ProtoFuzz is a generic fuzzer for Google’s Protocol Buffers format. Instead of defining a new fuzzer generator for custom binary formats, protofuzz automatically creates a fuzzer based on the same format definition that programs use.

mishegos is a A differential fuzzer for x86 decoders. You can use it to discover discrepancies in your own decoders and analysis tools! Please see the accompanying blog post and paper for more information.

Challenges & Data Sets

Different challenges and data sets that can be used to evaluate and test various security tools and techniques.

DARPA CGC Challenge Binaries ported to run on Linux, MacOS, and Windows. The Challenge Binaries were originally developed for DECREE -- a custom Linux-derived operating system that has no signals, no shared memory, no threads, no standard libc runtime, and only seven system calls -- making them incompatible with most existing analysis tools. We modified the challenges to work by replacing the build system and re-implementing CGC system calls via standard libc functionality and native operating system semantics.

The Trail of Bits fork of AnghaBench is a repository of 1 million C programs. It differs from the original in that it includes scripts to build the benchmarks and a means to download pre-compiled programs.

pegoat is a collection of Windows binary builds containing different (and sometimes ineffective) security mitigations. These files are primarily intended to test winchecksec and other security tools that work on PE files.

ctf-challenges is a collection of CTF challenges and associated explanations.

Parsers and LangSec

Tools that are designed to enhance understanding and manipulation of complex data formats and program behaviors.

Graphtage is a command-line utility and underlying library for semantically comparing and merging tree-like structures, such as JSON, XML, HTML, YAML, plist, and CSS files. Its name is a portmanteau of “graph” and “graftage”—the latter being the horticultural practice of joining two trees together such that they grow as one.

Polyfile is a utility to identify and map the semantic structure of files, including polyglots, chimeras, and schizophrenic files. It can be used in conjunction with its sister tool PolyTracker for Automated Lexical Annotation and Navigation of Parsers, a backronym devised solely for the purpose of collectively referring to the tools as The ALAN Parsers Project.

Polytracker PolyTracker is a general purpose tool for efficiently performing data-flow and control-flow analysis of programs. PolyTracker is an LLVM pass that instruments programs to track which bytes of an input file are operated on by which functions. It outputs a database containing the data-flow information, as well as a runtime trace. PolyTracker also provides a Python library for interacting with and analyzing its output, as well as an interactive Python REPL.


Tools for working with circuits, many developed for the SIEVE project.

SV_Circuit is a circuit compositor for the DARPA SIEVE project.

Clash silicon tapeout is a (very small) synthesized cpu written in clash.

verilog_tools is a set of wrappers around yosys providing two circuit compilation utilities: sv-netlist to synthesize a netlist from Verilog file(s) and sv-stat to gather synthesis gate statistics from Verilog file(s).

mcircuit is a Rust library of types for working with A library of types for working with boolean & arithmetic circuits.

Guides and Tutorials

These guides and tutorials provide a wide range of educational resources for various aspects of cybersecurity and software development.

The CTF Field Guide is a guide to help you win your next CTF competition. It contains: walkthroughs and details on past CTF challenges, guidance to help you design and create your own toolkits, and case studies of attacker behavior -- both in the real world and in past CTF competitions.

Not Slithering Anywhere is the Python version of our Not Go-ing Anywhere vulnerable application. It is meant to demonstrate a number of security issues commonly found in Python applications, and to serve as the basis for static & dynamic tool testing grounds.

The LLVM sanitizer tutorial explains how to build an LLVM sanitizer (e.g., ASAN). Please see the accompanying blog post for more details.

Not Go-ing Anywhere is a set of vulnerable Golang programs meant to show common vulnerabilities and provide a test bed for users to find, fix, and remediate Golang vulnerabilities.

Building secure contracts offers guidelines and best practices for developing secure smart contracts.

ZKDocs provides comprehensive, detailed, and interactive documentation on zero-knowledge proof systems and related primitives.

Awesome Ethereum Security is a curated list of awesome Ethereum security references, guidance, tools, and more.

Windows Utilities

Trail of Bits tools and utilities that focus on Windows-specific security and analysis.

uthenticode (stylized as μthenticode) is a small cross-platform library for partially verifying Authenticode digital signatures.

winchecksec performs static detection of common Windows security features in PE files, such as Code Integrity, DEP, ASLR, CFI, etc.

pe-parse is a principled, lightweight parser of Windows Portable Executable (PE) files. It was created to assist in compiled program analysis, potentially of programs of unknown origins. This means that it should be resistant to malformed or maliciously crafted PE files, and it should support questions that analysis software would ask of an executable program container. For example, listing relocations, describing imports and exports, and supporting byte reads from virtual addresses and file offsets.

RPC Investigator provides an advanced discovery and analysis interface to Windows RPC endpoints. The tool provides the capabilities for: enumerating all active ALPC RPC servers, parsing RPC servers from any PE file, parsing RPC servers from processes and their loaded modules, pulling symbol information from a Symbol Server, and exporting RPC server definitions as serialized .NET objects. Please see the associated blog post for more details.

windows-ctl is a set of Rust libraries and tools for interacting with Windows Certificate Trust Lists.

windows-acl is a Rust library to simplify Windows ACL operations.

Python Libraries and Utilities

Our collection of Python libraries and utilities.

CVEdb is yet another Python CVE database library and utility. Most existing libraries rely on a third party API like, which can and do throttle usage, require registration, and/or demand an internet connection. CVEdb can be used either as a library or a command line utility, it has a simple API, and it downloads directly from the National Vulnerability Database. CVEdb does not require many dependencies, does not have a web server, and does not require Internet connectivity other than to download new CVEs.

Mimid is an implementation of the Mimid algorithm. It has been modified by Trail of Bits to be a standalone Python library rather than a set of scripts. The original, upstream version is avilable here.

abit3audit scans Python extensions for abi3 violations and inconsistencies. It can scan individual (unpackaged) shared objects, packaged wheels, or entire package version histories. See our blog post about ABI compabitility in Python for more details.

Fickling is a decompiler, static analyzer, and bytecode rewriter for Python pickle object serializations. Pickled Python objects are in fact bytecode that is interpreted by a stack-based virtual machine built into Python called the "Pickle Machine". Fickling can take pickled data streams and decompile them into human-readable Python code that, when executed, will deserialize to the original serialized object. Learn more about it in our blog post and DEF CON 2021 talk.

Ethereum Security

Our collection of Ethereum security tools and utilities.

Slither is a Solidity & Vyper static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Medusa is a cross-platform go-ethereum-based smart contract fuzzer inspired by Echidna. It provides parallelized fuzz testing of smart contracts through CLI, or its Go API that allows custom user-extended testing methodology.

solc-select is a tool to quickly switch between Solidity compiler versions.

Etheno Etheno is the Ethereum testing Swiss Army knife. It’s a JSON RPC multiplexer, analysis tool wrapper, and test integration tool. It eliminates the complexity of setting up analysis tools like Echidna on large, multi-contract projects. If you are a smart contract developer, you should use Etheno to test your contracts. If you are an Ethereum client developer, you should use Etheno to perform differential testing on your implementation.

Echidna is a Haskell program designed for fuzzing/property-based testing of Ethereum smart contracts. It uses sophisticated grammar-based fuzzing campaigns based on a contract ABI to falsify user-defined predicates or Solidity assertions. We designed Echidna with modularity in mind, so it can be easily extended to include new mutations or test specific contracts in specific cases.

The Ethereum Security Toolbox contains scripts to create a Docker container preinstalled and preconfigured with all of Trail of Bits' Ethereum security tools, including: Echidna (property-based fuzz tester), Etheno (integration tool and differential tester), Manticore (symbolic analyzer and formal contract verifier), Slither (static analysis tool) and our Not So Smart Contracts repository.

Ethersplay is a Binary Ninja plugin which enables an EVM disassembler and related analysis tools.

ida-evm is an IDA Processor Module for the Ethereum Virtual Machine (EVM).0

evm-opcodes is a reference that consolidates EVM opcode information from the yellow paper, stack exchange, Solidity source code, parity source and Manticore.

Rattle Rattle is an EVM binary static analysis framework designed to work on deployed smart contracts. Rattle takes EVM byte strings, uses a flow-sensitive analysis to recover the original control flow graph, lifts the control flow graph into an SSA/infinite register form, and optimizes the SSA -- removing DUPs, SWAPs, PUSHs, and POPs. The conversion from a stack machine to SSA form removes 60%+ of all EVM instructions and presents a much friendlier interface to those who wish to read the smart contracts they're interacting with.

pyevmasm is an assembler and disassembler library for the Ethereum Virtual Machine (EVM). It includes a commandline utility and a Python API.

evm-cfg-builder is used to extract a control flow graph (CFG) from EVM bytecode. It is used by Ethersplay, Manticore, and other tools from Trail of Bits. It is a reliable foundation to build program analysis tools for EVM.

Trail of Bits Truffle Security Toolbox comes with everything you need to start implementing secure Solidity code using Trail of Bits' tools.

Crytic-compile Library to help smart contract compilation. It includes support for: Direct solc compilation Foundry, Hardhat, Brownie, Buidler, Dapp, Embark, Etherlime, Etherscan (including several alt-chain explorers and testnets), Truffle, and Waffle.

Slither-vscode offers Visual Studio Code integration for Slither, a Solidity static analysis framework written in Python 3. With Slither for Visual Studio Code, users can run a suite of vulnerability detectors on their Solidity smart contracts to annotate potentially dangerous code and receive suggested fixes.

Building secure contracts offers guidelines and best practices for developing secure smart contracts.

Fluxture is a lightweight crawler for peer-to-peer networks like Blockchains. It currently supports the latest version of the Bitcoin protocol: 70015. It implements the minimum amount of the Bitcoin protocol necessary to collect geographic and topological information.

Tealer is a static analyzer for Teal code. It parses the Teal program, and builds its CFG. The analyzer comes with a set of vulnerabilities detectors and printers allowing to quickly review the contracts.

Echidna Parade is an experimental Python tool that uses configuration variance and a common corpus to try to throughly test smart contracts with the Echidna smart-contract fuzzer.

Amarna is a static-analyzer and linter for the Cairo programming language.

Awesome Ethereum Security is a curated list of awesome Ethereum security references, guidance, tools, and more.


Miscellaneous tools that do not neatly fit into a category; includes Algo VPN, web security tools, screencasting software, and Linux kernel drivers.

Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers. See our release announcement for more information.

cast2gif is a pure Python ANSI terminal emulator that can render AsciiCast terminal recordings to an animated GIF or screenshot. Cast2Gif can also generate recordings directly, without requiring asciinema to be installed.

nginx-json-kss is a JSON logger for nginx.

Sixtyfour was an experiment to see how quickly computer hardware could brute-force a simple problem involving a 64-bit integer.

twa is the (t)iny (w)eb (a)uidtor with strong opinions.

wasm-tob is a python module capable of decoding and disassembling WebAssembly modules and bytecode, according to the MVP specification of the WASM binary format. This is a fork of the original project that the author was no longer able to maintain.

It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. You can use it to enumerate all third party dependencies for a software package, map those dependencies to known security vulnerabilities, as well as compare the similarity between two packages based on their dependencies.

AI/ML Tools

Tools related to either artificial intelligence and machine learning security or applying AI/ML to security problems.

PrivacyRaven is a privacy testing library for deep learning systems. You can use it to determine the susceptibility of a model to different privacy attacks; evaluate privacy preserving machine learning techniques; develop novel privacy metrics and attacks; and repurpose attacks for data provenance and other use cases.

Codex Decompiler Codex Decompiler is a Ghidra plugin that utilizes OpenAI's models to improve the decompilation and reverse engineering experience. It currently has the ability to take the disassembly from Ghidra and then feed it to OpenAI's models to decompile the code. The plugin also offers several other features to perform on the decompiled code such as finding vulnerabilities using OpenAI, generating a description using OpenAI, or decompiling the Ghidra pseudocode.


Tools for enhancing the functionality and debugging capabilities of Osquery.

osquery-logger is a listener/server for debugging the main Osquery process, osqueryd. It listens for messages from osquery nodes, logs received data to the console, and replies with {"node_invalid": false}.

The osquery-extensions repository is a collection of osquery extensions developed and maintained by Trail of Bits. If you would like to sponsor the development of an extension, please contact us.

Semgrep / CodeQL

This colletion of Semgrep / CodeQL related tools and queries is aimed at enhancing the analysis and security of C++ codebases and compiled binaries.

Itergator is a CodeQL library for detecting and analyzing iterator invalidation in C++ codebases.

Divergent representations occur when a compiler represents a single source variable with different machine-level implementations. This repository contains queries to identify when this occurs: a 'bottom-up' search over compiled binaries with Binary Ninja and a 'top-down' search using CodeQL over source code.

This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability reseach, and internal projects.

This repository contains CodeQL queries developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability reseach, and internal projects.

See our GitHub for a full list of our open source projects. Visit our Lifting Bits organization for our binary translation projects and our Crytic organization for our blockchain projects.