‘Trojan Source’ Bug Threatens the Security of All Code — Invisible Source Code Vulnerabilities

guest · Nov 1, 2021

‘Trojan Source’ Bug Threatens the Security of All Code
November 1, 2021
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).
Click to expand...

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”
Click to expand...

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research.
“That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”
Click to expand...

The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides.

“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”
Click to expand...

Trojan Source

Some Vulnerabilities are Invisible
Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities.

These adversarial encodings produce no visual artifacts.
Click to expand...

Trojan Source: Invisible Vulnerabilities
(PDF): https://www.trojansource.codes/trojan-source.pdf

This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.

We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.
Click to expand...

Floyd 57 · Nov 1, 2021

Gaaaaah why is every pdf paper 2789147189274982174918271982 pages long, i wanna read it but i aint got time to pick up the important bits and by the time u do uve already read half of it anyway, maybe some other time

I remember studying integrals and it was SO complicatedly written, dozens upon dozens of pages for smth i can describe in like half a page after i learnt how it's done SO dumb some people just cannot stop rambling nonsense that could be written in 1/100 of the words

guest · Nov 5, 2021

Industry Reactions to New 'Trojan Source' Attack: Feedback Friday
November 5, 2021
https://www.securityweek.com/industry-reactions-new-trojan-source-attack-feedback-friday

Dubbed Trojan Source, the attack impacts many of the compilers, interpreters, code editors, and code repository frontend services used by software developers. Malicious actors could leverage the method to create code that would be displayed one way in code editors, but be interpreted differently by the compiler.

While there is no evidence of Trojan Source attacks in the wild, the researchers did see similar techniques being exploited, although many were not necessarily malicious.
Industry professionals have commented on the potential impact of Trojan Source and provided recommendations for organizations and developers on improving application security.
Click to expand...

Vince Arneja, Chief Product Officer, GrammaTech:

“The kind of exploits identified in the recent Trojan Source research report can fool compilers because these usually don’t inspect comments or Unicode for problems.
Gary Robinson, CSO, Uleska:

The compiler vendors will be issuing updates soon, and security tools that examine code can check for these specific characters. Even sites like StackOverflow and GitHub could prevent these characters from appearing on their websites. [...]
Pedro Fortuna, CTO, Jscrambler:

“Unfortunately, this is just one of hundreds of ways through which attackers can launch low-effort, high-gain supply chain attacks. It's also a great example of why we can't rely on using a single line of defense. [...]
Jon Gaines, Senior Application Security Consultant, nVisium:

“This 'Trojan Source' bug certainly presents an interesting attack surface. As it sits, the research by the University of Cambridge is novel, but their proof-of-concepts are not actually malicious. However, in the hands of a sophisticated attacker or group who can actually weaponize it, we would definitely have a dangerous situation on our hands. [...]
Click to expand...

guest · Nov 8, 2021

3 Ways to Deal With the Trojan Source Attack
November 8, 2021
https://www.darkreading.com/dr-tech/3-ways-to-deal-with-the-trojan-source-attack

There are several short-term methods that can mitigate the Trojan Source attack that abuses Unicode to inject malicious backdoors in source, according to experts.

The new attack method, identified by University of Cambridge researchers, tricks compilers into reading hidden Unicode characters and generating binaries with extra instructions and backdoors that the developer or security analyst do not know about. Because the special characters are not visible by default, the malicious code is unlikely to be discovered during code review.
Click to expand...

Make Unicode Visible
Developers can detect the potentially malicious Unicode characters by enabling the IDE or text editors they are working with to display Unicode, or using a command-line hex editor such as HexEd.It and search for specific Unicode characters in the file, Gaines says.
Filter Out the Characters
The Trojan Source methods will have “minimal security impact in the real world,” because regular source code typically does not contain the special Unicode characters outlined by the researchers (Bidi and Homoglyphs), says Menashe. They are “easy to detect, alert on and perhaps even filter out automatically,” he says.
Check the Tools
Install the updates for the compilers as they become available to block the attack method. But the commands to automatically detect and sanitize the files would mitigate the issues until the updates are applied.
Click to expand...

guest · Nov 9, 2021

Compilers permit Unicode control and homoglyph characters
Vulnerability Note VU#999008
November 9, 2021
https://kb.cert.org/vuls/id/999008

Overview
Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.
Description
Internationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (i.e., English vs. Cyrillic) can also introduce ambiguities into the code base if improperly used.

This type of attack could potentially be used to compromise a code base by capitalizing on a gap in visually rendered source code as a human reviewer would see and the raw code that the compiler would evaluate.
Click to expand...

Impact
The use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack.
Click to expand...

Log in or Sign up

‘Trojan Source’ Bug Threatens the Security of All Code — Invisible Source Code Vulnerabilities

guest Guest

Floyd 57 Registered Member

guest Guest

guest Guest

guest Guest

Log in or Sign up

‘Trojan Source’ Bug Threatens the Security of All Code — Invisible Source Code Vulnerabilities

guest Guest

Floyd 57 Registered Member

guest Guest

guest Guest

guest Guest

Useful Searches