November 3, 2021 report

'Trojan Source' bug a novel way to attack program encodings

by Bob Yirka , Tech Xplore

hacked data
Credit: CC0 Public Domain

A pair of security experts at TrojanSource have found a novel way to attack computer source code—one that fools a compiler (and human reviewer) into thinking code is safe. Nicholas Boucher and Ross Anderson, both with the University of Cambridge, have posted a paper on the TrojanSource web page detailing the vulnerability and ways that it might be fixed.

As Boucher and Anderson describe it, the vulnerability involves being committed by nefarious types using Unicode control characters to reorder characters in source that appears to programmers to be legitimate. More specifically, the vulnerability involves the use of a 'Bidi' algorithm, in Unicode (an international encoding standard that can be used in ) where characters can be placed both left to right and right to left—because some languages, such as Hebrew and Arabic are written and read right to left.

The vulnerability exists because the algorithms that process such code do not take into consideration that some of the characters that are being read left to right, can have a different meaning or purpose if they are read right to left. Because virtually all of the most popular programming languages in use today—C, C+, Java, Python, Go, Rust and JavaScript—allow Unicode, that means that virtually all programs are potentially at risk.

As an example, Boucher and Anderson show that a line of code such as:

/* begin admins only */ if (isAdmin) {

Could be changed to:

/* if (isAdmin) { begin admins only */

The first line is a harmless comment inserted by a programmer, the second is code that could be used to conduct a desired outcome by a hacker. The researchers suggest the vulnerability represents a serious threat to software supply chains—if such vulnerabilities were exploited, they could impact downstream software by allowing them to inherit the same vulnerability.

Because the exists for such a wide variety of programming languages, its disclosure was first coordinated with officials charged with maintaining the rules for such languages giving them time to add changes to compilers and interpreters to account for and mitigate such a threat.

More information: Report: www.trojansource.codes/trojan-source.pdf

TrojanSource: www.trojansource.codes/

© 2021 Science X Network

Citation: 'Trojan Source' bug a novel way to attack program encodings (2021, November 3) retrieved 18 April 2024 from https://techxplore.com/news/2021-11-trojan-source-bug-encodings.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Vulnerability found in Kindle e-reader
110 shares

Feedback to editors
Team develops a way to teach a computer to type like a human

3 hours ago
Universal 'cocktail electrolyte' developed for 4.6 V ultra-stable fast charging of commercial lithium-ion batteries

4 hours ago
Garbage could replace a quarter of petroleum-based jet fuel every year

5 hours ago
For more open and equitable public discussions on social media, try 'meronymity'

7 hours ago
Mess is best: Disordered structure of battery-like devices improves performance

7 hours ago
Meta's newest AI model beats some peers. But its amped-up AI agents are confusing Facebook users

7 hours ago
An ink for 3D-printing flexible devices without mechanical joints

7 hours ago
Floating solar's potential to support sustainable development

8 hours ago
Harvesting vibrational energy from 'colored noise'

9 hours ago
New understanding of energy losses in emerging light source

9 hours ago
Load comments (0)