EEVblog Electronics Community Forum
Products => Computers => Programming => Topic started by: madires on November 01, 2021, 01:44:42 pm
-
Unicode can hide a trojan in plain sight in your source code:
- CVE-2021-42574 and CVE-2021-42694
- info and whitepaper: https://trojansource.codes/
- examples: https://github.com/nickboucher/trojan-source
-
This should come as no surprise to anyone with a soupçon of imagination. Shades of "Reflections on Trusting Trust" but without the true cunning that that exploit involved.
-
I'm thinking it is not that bad. All this stuff falls apart pretty fast with a variety of editors and review tools. In the browser I noticed no issues at all. In my editor only examples for which GitHub complained about bidirectional Unicode text did something. And all they did was move some text to the right, which is pretty obvious and quite jarring. Some of those things broke syntax highlighting in obvious ways.
When taking non-trivial amounts of code from other places, there may be a trojan in plain ASCII.
-
We live in the age of vulnerabilities with their own brands and domains!
While interesting, worth knowing and certainly something to address, be aware the problem is not new. That class of issues has been known for years. “TrojanSource” advances the technique a bit, making the attack slightly easier to conduct. But it shouldn’t be perceived as some completely new thing or the end of the world.
A simple example in the attachment. Replacing characters in variables with look-alikes or making different variable names undistinguishable to a human reader is another common way of performing such an attack.
-
And compilers will address this - https://www.phoronix.com/scan.php?page=news_item&px=GCC-LLVM-Trojan-Source
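-
Added example, not part of the thread or any poster's code: a small Python scanner for the two issue classes discussed above, bidirectional control characters (CVE-2021-42574) and identifiers that mix look-alike characters from different scripts (CVE-2021-42694). Guessing the script from the first word of each character's Unicode name is a heuristic assumption, and the sample input is constructed.

```python
import re
import unicodedata

# Bidirectional formatting characters: embeddings, overrides, isolates and their terminators.
BIDI = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Identifier-like tokens: a non-digit word character followed by word characters.
IDENT = re.compile(r"[^\W\d]\w*")

# Constructed sample: line 2 carries bidi controls, line 3 uses a Cyrillic "a" (U+0430).
SAMPLE = (
    "int total = 0;\n"
    "/* note \u202e\u2066 reviewed \u2069 */\n"
    "int tot\u0430l = 1;\n"
)


def scripts(token):
    """Heuristic: first word of each letter's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}


def scan(source):
    """Return (line_number, kind, detail) findings for bidi controls and mixed scripts."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        found = [BIDI[ch] for ch in line if ch in BIDI]
        if found:
            findings.append((lineno, "bidi-control", "+".join(found)))
        for token in IDENT.findall(line):
            mixed = scripts(token)
            if len(mixed) > 1:
                findings.append((lineno, "mixed-script", f"{token!a}: {sorted(mixed)}"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Legitimate right-to-left text in comments or string literals will also be reported as `bidi-control`, so findings are a prompt for review rather than proof of tampering.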