‘Trojan Source’ Hides Invisible Bugs in Source Code

The old RLO trick of exploiting how Unicode handles script ordering and a related homoglyph attack can imperceptibly switch the real name of malware.

Researchers have found a new way to encode potentially evil source code, such that human reviewers see a harmless version and compilers see the invisible, wicked version.

Named “Trojan Source attacks,” the method “exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers,” Cambridge University researchers Nicholas Boucher and Ross Anderson said in a paper (PDF) published on Monday.

Boucher and Anderson said that the attacks jeopardize all source code, posing “an immediate threat both to first-party software and of supply-chain compromise across the industry.” They’ve published working proofs of concept (PoCs) of attacks in the C, C++, C#, JavaScript, Java, Rust, Go and Python programming languages, though the researchers note that they suspect that the attack will also work against “most other modern languages.”

Coordinated Disclosure for Two CVEs

The researchers have coordinated disclosure with 19 organizations, many of which

Read More: https://threatpost.com/trojan-source-invisible-bugs-source-code/175891/