Security News > 2021 > November > Trojan Source bugs may lead to extensive supply-chain attacks on source code
Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, allowing for extensive supply-chain attacks.
"We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic," professor Ross Anderson explained.
Attackers can use Unicode control characters to reorder tokens in source code at the encoding level, and effectively allow them to craft code that is see one way by compilers and another way by human reviewers.
The researchers dubbed this the Bidi attack, and fear that it could lead to widespread supply-chain attacks on source code.
Erson and Boucher said that after scanning as much of the open source ecosystem as they could for signs of Trojan Source attacks in the wild, they mostly found false positives.
"However, we did find some evidence of techniques similar to Trojan Source attacks being exploited. In one instance, a static code analysis tool for smart contracts, Slither, contained scanning for right-to-left override characters," they noted.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/4_RkM1-km94/
Related news
- It's only a matter of time before LLMs jump start supply-chain attacks (source)
- PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack (source)
- IPany VPN breached in supply-chain attack to push custom malware (source)
- Supply chain attack hits Chrome extensions, could expose millions (source)
- Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' (source)
- North Korea targets crypto developers via NPM supply chain attack (source)