Unfortunately, vulnerabilities introduced with this method cannot be detected by human reviewers.
To build vulnerable binaries, Trojan Source uses a simple method that does not require altering the compiler.
Malicious actors can use the technique to mount supply chain attacks because it works with some of the most frequently used programming languages today.
The “Trojan Source” class of attacks, which might compromise first-party software and supply chains, was revealed and demonstrated by researchers from the University of Cambridge.
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens.
Compilers and interpreters adhere to the logical ordering of source code, not the visual order.
By embedding control characters in comments and strings, a threat actor can reorganize source code to modify its logic in a way that generates an exploitable vulnerability.
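
A defensive check for the technique described above, as an added example that is not from the original article or the researchers' own code: it scans source text for Unicode bidirectional formatting characters and flags lines where one is left open at the end of the line. The code point list comes from the Unicode standard (the article does not enumerate it), the depth count is a simplification of the full bidirectional algorithm, and `scan_source` and the sample input are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters: explicit embeddings,
# overrides and isolates, plus the characters that close them.
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}     # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                        # closers
BIDI = OPENERS | ISOLATE_OPENERS | {PDF, PDI}


def scan_source(text):
    """Return (line_no, [(column, name), ...], unterminated) for every line
    containing a bidi control. unterminated is True when an opener has no
    closer on the same line (simple depth count, not the full algorithm)."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        hits, embed_depth, isolate_depth = [], 0, 0
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI:
                continue
            hits.append((col, unicodedata.name(ch)))
            if ch in OPENERS:
                embed_depth += 1
            elif ch in ISOLATE_OPENERS:
                isolate_depth += 1
            elif ch == PDF:
                embed_depth = max(0, embed_depth - 1)
            elif ch == PDI:
                isolate_depth = max(0, isolate_depth - 1)
        if hits:
            findings.append((line_no, hits, embed_depth + isolate_depth > 0))
    return findings


# Constructed sample input: line 2 carries unterminated controls in a comment,
# line 3 carries a balanced isolate in a string; lines 1 and 4 are clean.
SAMPLE = (
    "def check(level):\n"
    "    # begin review \u202e\u2066 note\n"
    "    label = \"\u2067abc\u2069\"\n"
    "    return level == 'admin'\n"
)

if __name__ == "__main__":
    for line_no, hits, unterminated in scan_source(SAMPLE):
        print(f"line {line_no}: unterminated={unterminated}: {hits}")
```

Run over a repository in CI or a pre-commit hook, any finding is worth a manual look, and unterminated ones are the strongest signal because the reordering then extends to the end of the line.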