New Trojan Technique Hides Vulnerabilities in Source Code

Brother

The Trojan Source attack exploits subtle differences in character encoding standards like Unicode.



University of Cambridge researchers Nicholas Boucher and Ross Anderson have discovered a new class of vulnerabilities that allows attackers to inject visually deceptive malware in a way that is semantically valid but modifies the logic defined by the source code, exposing the code to a wide variety of cyber threats, including those related to supply chains.

The Trojan Source attack, as described by the experts, is based on using "elusive differences in character encoding standards like Unicode to create source code whose tokens are not logically encoded in the order in which they are displayed, which leads to vulnerabilities that people reviewing the code can't see".

The vulnerabilities identified as CVE-2021-42574 and CVE-2021-42694 affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python.

The problem is related to the Unicode bidirectional algorithm (Bidi algorithm), which provides support for writing both left-to-right (for example, Russian) and right-to-left (for example, Hebrew). The Bidi algorithm also supports bidirectional overrides, which allow words to be written from left to right in a sentence in a right-to-left language and vice versa. In other words, the algorithm allows text written from left to right to be perceived as written from right to left.

A compiler is expected to implement the source code faithfully, but inserting Unicode Bidi override characters into comments and strings makes it possible to write syntactically valid source code in which the order the characters are displayed in shows logic that differs from the actual logic.

"That is, we anagram program A into program B. If the changes in logic are subtle enough to bypass detection in subsequent tests, an attacker can create targeted vulnerabilities and not be detected," the researchers explained.

Adversarial programming like this can have a serious impact on the supply chain, researchers warn, when vulnerabilities embedded in open source software are passed on to end products, affecting all users of the software. Even worse, a Trojan Source attack can become more serious if an attacker uses homoglyphs to override pre-existing functions in the original package and call them from the victim program.
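
A review-time check for the two tricks described above (Bidi control characters and homoglyph identifiers) can be a short scanner. This is an added example, not code from the researchers or the original post; the names `scan` and `scripts` are hypothetical, the sample input is constructed, and guessing a letter's script from the first word of its Unicode name is a rough heuristic assumed here.

```python
import re
import unicodedata

# Bidi embedding/override/isolate controls (U+202A-U+202E, U+2066-U+2069)
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier-like tokens


def scripts(token):
    """Rough script set of a token: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}


def scan(source):
    """Return (line, column, kind, detail) findings for one source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Any Bidi control in source is worth a reviewer's attention.
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                detail = f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                findings.append((lineno, col, "bidi-control", detail))
        # Identifiers mixing scripts (e.g. Latin + Cyrillic) suggest homoglyphs.
        for m in IDENT.finditer(line):
            found = scripts(m.group())
            if len(found) > 1:
                detail = f"{m.group()!r} mixes {sorted(found)}"
                findings.append((lineno, m.start() + 1, "mixed-script", detail))
    return findings


# Constructed sample: line 2 carries an override and an isolate inside a comment,
# line 3 has an identifier whose "a" is CYRILLIC SMALL LETTER A (U+0430).
SAMPLE = (
    "def check(user):\n"
    "    # \u202e\u2066 reviewed\n"
    "    is_\u0430dmin = False\n"
    "    return is_admin\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Run over a repository in CI or a pre-commit hook, a check like this turns invisible characters into explicit findings that a reviewer has to acknowledge.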
 