
The "Trojan Source" vulnerability

source link: https://lwn.net/Articles/874546/


[Posted November 1, 2021 by corbet]
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing tricks with Unicode bidirectional support, an attacker can create malicious code that appears to be benign to reviewers. "The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic." Various releases, including Rust 1.56.1, are being made to address this problem.


The "Trojan Source" vulnerability

Posted Nov 1, 2021 15:22 UTC (Mon) by mattdm (subscriber, #18) [Link]

We have scanned Fedora dist-git (spec files and patches, not expanded source) and did not find anything. We're going to add some mitigations to protect against possible future attacks, too.

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:00 UTC (Mon) by dskoll (subscriber, #1630) [Link]

I opened the C examples in emacs. For the commenting-out.c, early-return.c, and invisible-function.c examples, the Emacs C syntax highlighter gave obviously-odd highlighting results. The homoglyph-function.c and stretched-string.c examples evaded the syntax highlighter.

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:41 UTC (Mon) by siddhesh (subscriber, #64914) [Link]

I opened the C examples in emacs. For the commenting-out.c, early-return.c, and invisible-function.c examples, the Emacs C syntax highlighter gave obviously-odd highlighting results. The homoglyph-function.c and stretched-string.c examples evaded the syntax highlighter.

Homoglyphs are hard to track, but for BIDI almost all editors I looked at gave it away in some way or another. At the very least the control characters affected syntax highlighting. In emacs one sees underscores at points where direction changes and even the cursor jumps around as you scroll. Vim does not render RLO/LRO and shows them as <202e>, etc.

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:00 UTC (Mon) by mchehab (subscriber, #41156) [Link]

I wrote a tool to check UTF-8 chars some time ago.

Just checked the kernel (next-20211101). Nothing wrong there, but I guess it is time to send another series of patches in order to avoid UTF-8 symbols that are too close to ASCII chars (like MINUS SIGN and dash symbols). Perhaps I should consider adding it to scripts/.

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:12 UTC (Mon) by linuxrocks123 (guest, #34648) [Link]

Isn't this just Section 2.6 of TR-36, written in 2014?

https://unicode.org/reports/tr36/

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:49 UTC (Mon) by siddhesh (subscriber, #64914) [Link]

Homoglyphs, yes (more like confusables in general), but not BIDI-control-character-based text reversing, especially across code comments and literals. The bit about comments is important because compilers tend to ignore comments altogether, and if they had to add diagnostics to warn on unmatched BIDI controls, they'd now have to parse code as a user sees it, which means parsing comments too. That's a performance overhead some parsers may not want.
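An added example, not code from LWN, from the paper's authors, or from mchehab's tool: a small Python scanner for the two vectors discussed on this page. It reports Bidi control characters anywhere in a source file (the controls in comments and strings the article describes), flags lines on which an embedding or isolate is opened but never closed (the unmatched-controls diagnostic siddhesh notes a compiler would have to run over comment text as well), and lists non-ASCII letters, digits and dash-like characters such as the MINUS SIGN mchehab is hunting, with their Unicode names. The C sample it scans is constructed for this example after the paper's commenting-out pattern; the pairing check is an approximation of the Bidi Algorithm's rules rather than a full implementation, and the non-ASCII check reports candidates for a human to judge rather than deciding what is a homoglyph. The script name in the usage comment is assumed.

```python
"""Scan source for the two Trojan Source vectors: Unicode Bidi controls that
reorder how a line is displayed, and non-ASCII lookalikes of ASCII characters.
Constructed example, not the paper's, LWN's or any commenter's tool."""
import sys
import unicodedata

# Explicit directional formatting characters of the Unicode Bidi Algorithm.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u202c": "PDF",                                    # closes LRE/RLE/LRO/RLO
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",                                    # closes LRI/RLI/FSI
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",  # one-character marks
}
EMBEDDING_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}
PDF, PDI = "\u202c", "\u2069"


def find_bidi_controls(text):
    """All Bidi controls as (line, col, name), 1-based: the strict policy
    (any such character in source is suspect, as Rust's lints treat it)."""
    return [(lineno, col, BIDI_CONTROLS[ch])
            for lineno, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if ch in BIDI_CONTROLS]


def unbalanced_bidi_lines(text):
    """Lines whose embedding/override or isolate is still open at the newline,
    or closed without an opener: (line, open_embeds, open_isolates, strays).
    Approximates the UBA pairing rules (a PDI also ends embeddings opened
    inside its isolate; not modelled). The paper's reorderings rely on
    exactly such unterminated controls."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        embed = isolate = stray = 0
        for ch in line:
            if ch in EMBEDDING_OPENERS:
                embed += 1
            elif ch in ISOLATE_OPENERS:
                isolate += 1
            elif ch == PDF:
                if embed:
                    embed -= 1
                else:
                    stray += 1
            elif ch == PDI:
                if isolate:
                    isolate -= 1
                else:
                    stray += 1
        if embed or isolate or stray:
            report.append((lineno, embed, isolate, stray))
    return report


def suspicious_non_ascii(text):
    """Non-ASCII letters, digits and dash-like characters (MINUS SIGN included)
    as (line, col, char, unicode_name, folds_to_ascii). folds_to_ascii is True
    when NFKC normalisation gives plain ASCII (fi ligature, fullwidth letters);
    Cyrillic/Greek lookalikes do not fold and need a confusables table or eyes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) < 128 or ch in BIDI_CONTROLS:
                continue
            cat = unicodedata.category(ch)
            if cat[0] in "LN" or cat == "Pd" or ch == "\u2212":
                folded = unicodedata.normalize("NFKC", ch)
                findings.append((lineno, col, ch,
                                 unicodedata.name(ch, "?"), folded.isascii()))
    return findings


# Constructed C sample after the paper's "commenting-out" pattern: in logical
# order line 3 is one comment, but RLO/LRI make an editor display it as a
# closed comment followed by live `if (isAdmin) {` code.
SAMPLE = (
    "int main() {\n"
    "    int isAdmin = 0;\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)
# The same bytes without controls: what the compiler effectively acts on.
CLEAN_SAMPLE = "".join(ch for ch in SAMPLE if ch not in BIDI_CONTROLS)
# Constructed homoglyph sample: Cyrillic o, U+2212 MINUS SIGN, fi ligature.
HOMOGLYPH_SAMPLE = ("int pr\u043ecess = 1;\n"
                    "int y = x \u2212 1;\n"
                    "int \ufb01le = 0;\n")

if __name__ == "__main__":
    # Usage: python trojan_source_scan.py file.c ...   (no arguments: samples)
    texts = ([(p, open(p, encoding="utf-8", errors="replace").read())
              for p in sys.argv[1:]]
             or [("SAMPLE", SAMPLE), ("HOMOGLYPH_SAMPLE", HOMOGLYPH_SAMPLE)])
    for name, text in texts:
        for label, check in (("bidi control", find_bidi_controls),
                             ("unbalanced line", unbalanced_bidi_lines),
                             ("non-ASCII", suspicious_non_ascii)):
            for hit in check(text):
                print(f"{name}: {label}: {hit}")
```

Run over a tree with something like `find . -name '*.c' -exec python trojan_source_scan.py {} +`; an empty report for the sample with the controls stripped, alongside six hits and two unbalanced lines for the original, is the whole point: the two files are identical to the compiler's view of the code but not to a reviewer's. The stricter "any control at all" rule is what the Rust 1.56.1 lints and GCC's -Wbidi-chars apply; the non-ASCII list is deliberately noisy, since whether a Cyrillic letter in an identifier is legitimate is a project policy question, not something the scanner can settle.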

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:43 UTC (Mon) by flussence (subscriber, #85566) [Link]

This has been used forever online as a source of subtle trolling and the world hasn't ended thus far. I suspect this sudden panic now is because the spreading blight of Chromium-based text editors built by people who don't know how to build text editors has hit critical mass.

The "Trojan Source" vulnerability

Posted Nov 1, 2021 16:48 UTC (Mon) by bkw1a (subscriber, #4101) [Link]

Maybe this is a dumb question (character sets confuse me!), but is there a way to get emacs or other editors to highlight non-7-bit-ASCII characters?
