/* ---- Google Analytics Code Below */

Wednesday, November 10, 2021

Trojan Source Code

Technical notes for a new security discovery:

In a long ago employment we needed to do encoding that required us to remove some text from stored data, and we discovered a way to do that using specialized unicode encoding.  Mostly used in compiler transformations.  This preserved the text in a data stream without showing it to human readers of the stream.     It turns out this can be used maliciously, so that people checking the code/data will not see embedded malicious code that might be being fed into a compiler for direct application.   This was discovered recently to be a serious security issue, notes here about it to my self and others.   If you need more,  contact me.  - FAD 

First discovered in 'TwiT Security Now' podcast':  https://twit.tv/shows/security-now/episodes/843?autostart=false

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler than to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.  .... 

On October 18, 2021, Trojan Source attacks were issued two CVEs: CVE-2021-42574 for  tracking the Bidi attack, and CVE-2021-42694 for tracking the homoglyph attack. These CVEs were issued by MITRE against the Unicode specification. ....   See Carnegie Mellon https://www.kb.cert.org/vuls/id/999008  vulnerability center for up to date info.

Quoted in https://www.grc.com/sn/SN-843-Notes.pdf   Page 10-16

No comments: