[TheRecord] New Trojan Source attack impacts compilers for most programming languages

Academics from the University of Cambridge in the United Kingdom have published details today about a theoretical attack that can be used to insert malicious code inside legitimate apps via their comment fields.

The attack, nicknamed Trojan Source, relies on the usage of bidirectional control characters inside source code comments.

Also known as BiDi characters, these are Unicode control characters that are used inside a line of text to signal the shift from an LTR (left-to-right) mode to RTL (right-to-left) or vice versa.

In practice, these characters are meant solely for software applications and are invisible to the human eye, as they are only used to embed text of a different reading direction inside large blocks of text (such as inserting Arabic or Hebrew strings inside large blocks of Latin text).

The Cambridge research team said it discovered that most code compilers and code editors don’t have protocols to handle BiDi characters or signal their presence inside source code comments.

Researchers said that attackers could insert BiDi control characters inside comments that human reviewers won’t be able to see, and which, when compiled, will move text from the comment field into executable code or move (security-related) code into a commented section, opening applications to attacks or negating security checks.

“We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages,” Ross Anderson, one of the two researchers behind the Trojan Source technique, explained in a blog post published earlier today.

In addition to code compilers, Anderson and his colleague Nicholas Boucher said that several code editors and source code hosting services were also found to be vulnerable [see table below].

Besides the BiDi-related attack, the two researchers also discovered that source code compilers were also vulnerable to a second issue, known as a homoglyph attack — where classic Latin letters are replaced with lookalike characters from other Unicode family sets (alphabets).

Researchers said this second attack could be used to create two different functions that look the same in the eyes of a code reviewer but are actually different from one another.

Anderson and Boucher argued that an attacker could use a dependency or a plugin to define the homoglyph function outside the app’s main codebase and add malicious code to a project without the maintainer’s knowledge.

Since much of today’s coding processes rely on contributions from a team of multiple developers, the Cambridge researchers argued that it was important for code compilers and code editors to detect BiDi and homoglyph characters and signal to human code reviewers that non-standard Unicode glyphs are being used in source code — typically written in the Latin character set.

The two researchers said they gave all the affected parties a 99-day embargo to fix the two attacks in their tools before they published details about Trojan Source attack earlier today.

At the time of writing, the team behind the official Rust compiler has released a security update to fix both attacks — tracked as CVE-2021-42574 (the BiDi attack) and CVE-2021-42694 (the homoglyph attack). Other fixes are expected in the coming days.

Additional details about the Trojan Source attacks are available on a dedicated website. Proof-of-concept code is available on GitHub.

The post New Trojan Source attack impacts compilers for most programming languages appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

Daily NCSC-FI news followup 2020-11-11

Play Store identified as main distribution vector for most Android malware www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study considered the largest one of its kind carried out to date. Lisäksi: arxiv.org/pdf/2010.10088.pdf Facebook link preview feature used as a […]

Read More

[ThreatPost] 5 Tips for Achieving Better Cybersecurity Risk Management

All posts, ThreatPost

Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively. Source: Read More (Threatpost)

Read More

Daily NCSC-FI news followup 2019-08-22

TechCrunch: T-Mobile hit by hours-long nationwide outage techcrunch.com/2019/08/21/t-mobile-outage/ Viranomaissivustot toimivat taas, iltapäivän palvelunestohyökkäys ohi “Palvelunestohyökkääjä löytänyt aivan uudenlaisen tavan päästä läpi” yle.fi/uutiset/3-10934147 Palvelunestohyökkäys kohdistui muun muassa poliisin ja hätäkeskuksen verkkopalveluihin. Fonectalla laaja tietovuoto: Tavallisella käyttäjä­tunnuksella on päässyt käsiksi ainakin 150 000 ihmisen arka­luontoisiin henkilö­tietoihin www.hs.fi/kotimaa/art-2000006212884.html Yrityksille ja järjestöille tarkoitetussa asiakasrekisteripalvelussa yksi tavallisen käyttäjätunnuksen omistaja on […]

Read More