
New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code
2021-11-02 01:28

A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks.

Dubbed "Trojan Source attacks," the technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper.

Compilers are programs that translate high-level human-readable source code into their lower-level representations such as assembly language, object code, or machine code that can then be executed by the operating system.

While a compiler's output is expected to correctly implement the source code supplied to it, discrepancies created by inserting Unicode Bidi override characters into comments and strings can yield syntactically valid source code in which the display order of characters presents logic that diverges from the actual logic.

Put differently, rather than deliberately introducing logical bugs, the attack targets the encoding of source code files: tokens are visually reordered so that the code, while rendered in a perfectly acceptable manner, tricks the compiler into processing it in a different way, drastically changing the program flow, e.g., making a comment appear as if it were code.

Even worse, the Trojan Source attacks can become more severe should an attacker use homoglyphs to redefine pre-existing functions in an upstream package and invoke them from a victim program.
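A review-time check for the two tricks described above, added here as an example and not taken from the article or the researchers' paper: it reports Unicode Bidi control characters, lines where one is left open, and identifiers that mix scripts. The sample input is constructed, and deriving a character's script from the first word of its Unicode name is a heuristic assumed for this sketch.

```python
import re
import unicodedata

# Explicit bidirectional formatting characters: embeddings, overrides, isolates.
BIDI_OPENERS = set("\u202A\u202B\u202D\u202E\u2066\u2067\u2068")
BIDI_CLOSERS = set("\u202C\u2069")  # PDF and PDI
IDENT = re.compile(r"[^\W\d]\w*")   # Unicode-aware identifier-like tokens

# Constructed sample; escapes keep the invisible characters visible here.
SAMPLE = (
    "total = 1  # plain ASCII line\n"
    "# note \u202Eabc\u202C end\n"      # override opened and closed
    "label = \"x\u2066y\"\n"            # isolate left open in a string
    "def s\u0430y_hello(): pass\n"      # Cyrillic U+0430 in place of Latin a
)


def scripts(token):
    """Heuristic: script = first word of each letter's Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}


def scan(source):
    """Return (line, column, kind, detail) findings, 1-indexed."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth = 0  # simplified nesting count; does not pair PDF/PDI by type
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_OPENERS or ch in BIDI_CLOSERS:
                detail = f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                findings.append((lineno, col, "bidi-control", detail))
                depth = depth + 1 if ch in BIDI_OPENERS else max(depth - 1, 0)
        if depth:
            findings.append((lineno, len(line), "bidi-unterminated",
                             f"{depth} control(s) still open at end of line"))
        for m in IDENT.finditer(line):
            found = scripts(m.group())
            if len(found) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script",
                                 f"{m.group()!r} mixes {sorted(found)}"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep=": ")
```

Code bases that legitimately contain right-to-left text or non-Latin identifiers will need an allowlist on top of this; the mixed-script rule in particular flags any token combining two scripts.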


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/_WKugqXMP7s/new-trojan-source-technique-lets.html