Unicode Security Vulnerability Discovered "Trojan Source"

engine

9:44 am on Nov 2, 2021 (gmt 0)

Researchers at Cambridge University have discovered a bug that could affect most security code compilers and software development environments. The vulnerability is using the Unicode bi-directional algorithm and the way it works. It's been dubbed "Trojan Source."

The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic.
The previous example, for instance, works by making a comment appear as if it were code.
Adversaries can leverage this deception to commit vulnerabilities into code that will not be seen by human reviewers.
This attack pattern is tracked as CVE-2021-42574.


[trojansource.codes...]

Complete details can be found in the related paper. [trojansource.codes...]

RedBar

10:56 am on Nov 2, 2021 (gmt 0)

Ok, I've read this twice ... Basics please, what the heck does this mean?

engine

11:42 am on Nov 2, 2021 (gmt 0)

Here's another write-up which relates to Rust, but describes how this affects most code. [zdnet.com...]

NickMNS

12:22 pm on Nov 2, 2021 (gmt 0)

From the zdnet link above:
"We've verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages."

According to this and while not explicitly named in the list, PHP should also be vulnerable.

RedBar

2:47 pm on Nov 2, 2021 (gmt 0)

Thanks engine ... I unofficially give up, subject to me being re-programmed :-)

lucy24

5:44 pm on Nov 2, 2021 (gmt 0)

I think I understand the general principle. Suppose instead of something truly malign, you just wanted to bypass word censors. You might then type

blah blah {rtl} raboof {ltr} blahblah

and then the visible post would read

blah blah foobar blahblah
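Added example, not from anyone in this thread: a small Python check of the kind a code reviewer or CI job could run over source files to flag the bidi control characters engine's post describes, using lucy24's {rtl} raboof {ltr} example (with the real U+202E and U+202C code points) as constructed input. The display approximation is a simplification assumed for illustration, not the full Unicode bidi algorithm.

```python
import unicodedata

# Bidi control characters "Trojan Source" (CVE-2021-42574) relies on to make displayed source differ from parsed source.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(source: str):
    """Return (line, column, abbreviation, Unicode name) for every bidi
    control character in `source`; line and column are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], unicodedata.name(ch)))
    return findings

def strip_bidi_controls(source: str) -> str:
    """Remove bidi controls so the text reads exactly as a compiler parses it."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)

def approximate_display(source: str) -> str:
    """Approximate how a bidi-aware editor shows an RLO ... PDF span: the
    characters between the two controls are reversed. Deliberate simplification
    of the Unicode bidi algorithm (UAX #9): unnested RLO/PDF pairs only."""
    out, buf, overriding = [], [], False
    for ch in source:
        if ch == "\u202e":                      # RIGHT-TO-LEFT OVERRIDE
            overriding = True
        elif ch == "\u202c" and overriding:     # POP DIRECTIONAL FORMATTING
            out.extend(reversed(buf))
            buf, overriding = [], False
        elif overriding:
            buf.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(buf))  # an unterminated override runs to end of text
    return "".join(out)

# Constructed input: lucy24's "{rtl} raboof {ltr}" example with real code points.
SAMPLE = "blah blah \u202eraboof\u202c blahblah"

if __name__ == "__main__":
    for line, col, abbr, name in find_bidi_controls(SAMPLE):
        print(f"line {line}, col {col}: {abbr} ({name})")
    print("parsed as :", strip_bidi_controls(SAMPLE))
    print("displayed :", approximate_display(SAMPLE))
```

Running it reports the RLO at column 11 and the PDF at column 18, shows the text a compiler actually sees ("raboof"), and the "foobar" a bidi-aware viewer would show a human reviewer.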