‘Trojan Source’ Hides Invisible Bugs in Source Code
Named "Trojan Source attacks," the method "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a paper published on Monday.
The researchers have coordinated disclosure with 19 organizations, many of which are now releasing updates to address the security weakness in code compilers, interpreters, code editors and repositories.
The researchers suggested that if you put it all together, you get the ability to create perfectly valid, perfectly malicious source code that could be used to create a novel supply-chain attack that can be carried out on source code.
Such an attack would be tough for a human code reviewer to detect, given how kosher the rendered source code looks.
It gets worse, the paper cautioned: Bidi override characters persist in copy-and-paste functions on most modern browsers, editors and operating systems, meaning that "any developer who copies code from an untrusted source into a protected code base may inadvertently introduce an invisible vulnerability."
The Trojan Source attacks that rely on the Bidi RLO (right-to-left override) character can become even worse if an attacker switches to using homoglyphs, the researchers noted.
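As an added example (not code from the paper or the article), here is a minimal Python check that a pre-commit hook or CI step could run to flag the Bidi control characters and the homoglyph-style mixed-script identifiers described above. The function names and the sample text are constructed for illustration, and the mixed-script test is a heuristic based on Unicode character names.

```python
import re
import unicodedata

# Unicode Bidi formatting characters: embeddings, overrides, isolates and their terminators.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(source):
    """Return (line, column, name) for each Bidi control character, 1-indexed."""
    hits = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits

def find_mixed_script_tokens(source):
    """Return (line, token, scripts) for word tokens whose letters span several scripts.

    Heuristic: the script is taken as the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...). A token written entirely in one script is not flagged.
    """
    hits = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for token in re.findall(r"\w+", line):
            scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
                       for ch in token if ch.isalpha()}
            if len(scripts) > 1:
                hits.append((lineno, token, sorted(scripts)))
    return hits

# Constructed sample, written with escapes so nothing invisible sits in this file:
# line 2 holds an RLO/PDF pair inside a comment, line 3 a Cyrillic "a" (U+0430).
SAMPLE = (
    "total = 0\n"
    "# note \u202e reversed text \u202c end\n"
    "def s\u0430ve(x):\n"
    "    return x\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, col {col}: Bidi control {name}")
    for lineno, token, scripts in find_mixed_script_tokens(SAMPLE):
        print(f"line {lineno}: {token!r} mixes {', '.join(scripts)}")
```

A non-empty result is a prompt for manual review rather than proof of tampering, since legitimate right-to-left text in comments or strings uses the same characters.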
News URL
https://threatpost.com/trojan-source-invisible-bugs-source-code/175891/