Security News > 2021 > November > Trojan Source bugs may lead to extensive supply-chain attacks on source code

Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, allowing for extensive supply-chain attacks.

"We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic," professor Ross Anderson explained.

Attackers can use Unicode control characters to reorder tokens in source code at the encoding level, and effectively allow them to craft code that is see one way by compilers and another way by human reviewers.

The researchers dubbed this the Bidi attack, and fear that it could lead to widespread supply-chain attacks on source code.

Erson and Boucher said that after scanning as much of the open source ecosystem as they could for signs of Trojan Source attacks in the wild, they mostly found false positives.

"However, we did find some evidence of techniques similar to Trojan Source attacks being exploited. In one instance, a static code analysis tool for smart contracts, Slither, contained scanning for right-to-left override characters," they noted.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/4_RkM1-km94/