Trojan Source bugs enable 'invisible' source code poisoning – TechTarget

Two vulnerabilities present in nearly every high-level programming language could potentially enable a bad actor to slip malicious code into a project without being detected.
Formally known as CVE-2021-42574 and CVE-2021-42694, the two bugs are collectively referred to by the name Trojan Source. Researchers Nicholas Boucher and Ross Anderson of the University of Cambridge in the U.K. are credited with the discovery.
According to Boucher and Anderson’s paper on Trojan Source, the vulnerabilities exist in the way the languages handle Unicode characters within source code. Specifically, the research team found that by manipulating the way Unicode handles instructions on right-left languages (such as English or Russian) and left-right languages (such as Arabic and Hebrew), malicious instructions could be slipped in and encoded.
“This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed,” the researchers wrote, “leading to vulnerabilities that cannot be perceived directly by human code reviewers.”
The key to the attacks, the researchers said, is the ability to alternate between right- and left-aligned text in such a way that the actual instruction can be scrambled but will still execute after the code is compiled.
“Embedding multiple layers of LRI and RLI within each other enables the near-arbitrary reordering of strings,” Boucher and Anderson wrote. “This gives an adversary fine-grained control, so they can manipulate the display order of text into an anagram of its logically-encoded order.”
In other words, it’s possible to create code that appears to be one instruction when read by a human, but something completely different when executed by the machine.
“We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages,” Anderson wrote in a separate blog post.
The most obvious method of exploit for these flaws would be open source software projects. By sneaking attack code into otherwise benign changes to source code, criminals could target projects on code-sharing sites such as GitHub and plant malicious components in legitimate software that could steal credentials, spy on users or carry out other malicious activity.
There is also the potential for a supply chain attack. Should an attacker get access to developer machines at a commercial software provider, they could potentially sneak their attack instructions into the source code of commercial software and, in turn, get a foothold on the networks of that company’s customers.
Threat actors have already used similar techniques in practice, as in the 2020 attack on IT services provider SolarWinds.
While Boucher and Anderson were awarded a pair of CVE designations for their Trojan Source research, there is some controversy around the paper. Critics of the duo’s research charge that much of the findings have already been covered in previous research and that the technique of hiding code has been known for years.
Despite the controversy, the vulnerabilities merit attention, as several software suppliers have developed updates to address the Trojan Source bugs. Boucher and Anderson said they believe the best long-term solution for the threat will be deployed in compilers. However, the duo urged organizations to adopt additional mitigations since some compiler fixes might not be available any time soon. 
“About half of the compiler maintainers we contacted during the disclosure period are working on patches or have committed to do so,” the researchers wrote. “As the others are dragging their feet, it is prudent to deploy other controls in the meantime where this is quick and cheap, or relevant and needful.”
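The "other controls" the researchers refer to are, in the simplest case, a scan of source files for the invisible Unicode bidirectional formatting characters (the LRI and RLI isolates quoted above, together with their embedding and override relatives) before code is merged or compiled. The following is an added example written for this article, not code from the paper, from TechTarget, or from any compiler vendor; the function names, the `BIDI_CONTROLS` set and the `SAMPLE` snippet are all constructed here. It reports each bidi control with its line, column and Unicode name so a reviewer can see what the display order was hiding, and offers a stripping helper for pipelines that prefer to reject or sanitize rather than just warn.

```python
from __future__ import annotations

import sys
import unicodedata
from dataclasses import dataclass

# Unicode bidirectional formatting characters. The isolates (LRI/RLI/FSI/PDI)
# and the embeddings/overrides (LRE/RLE/PDF/LRO/RLO) are what reorder displayed
# tokens relative to their logical order; the marks (LRM/RLM) are flagged too
# because they are invisible and almost never legitimate inside source code.
BIDI_CONTROLS = frozenset({
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200E", "\u200F",                                # LRM RLM
})


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based column counted in code points, not display cells
    codepoint: str   # e.g. "U+202E"
    name: str        # Unicode character name, e.g. "RIGHT-TO-LEFT OVERRIDE"


def find_bidi_controls(source: str) -> list[Finding]:
    """Return every bidi formatting character in `source` with its position.

    The scan is over the logical (encoded) order of the text, which is exactly
    the order the compiler sees and the order a human reviewer does not.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "UNKNOWN")))
    return findings


def strip_bidi_controls(source: str) -> str:
    """Remove all bidi formatting characters, leaving only what was encoded."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


def scan_file(path: str) -> list[Finding]:
    """Scan one UTF-8 source file; decoding errors are surfaced, not hidden."""
    with open(path, encoding="utf-8") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample (not from the paper): a comment that wraps a phrase in a
# right-to-left isolate (U+2067) closed by a pop directional isolate (U+2069).
# An editor renders the isolated text reversed; the scanner reports both marks.
SAMPLE = (
    "def check(user):\n"
    "    # \u2067 trusted user \u2069 -- this comment carries bidi controls\n"
    "    return user.is_admin\n"
)


def main(argv: list[str]) -> int:
    """CLI: scan the given files (or SAMPLE if none) and exit non-zero on hits."""
    hits = 0
    if not argv:
        for f in find_bidi_controls(SAMPLE):
            print(f"<sample>:{f.line}:{f.column}: {f.codepoint} {f.name}")
            hits += 1
    for path in argv:
        for f in scan_file(path):
            print(f"{path}:{f.line}:{f.column}: {f.codepoint} {f.name}")
            hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the two findings in the constructed sample, or pass source files to scan them; a non-zero exit status makes it usable as a pre-merge check. Column positions are counted in code points so they line up with what a tool reads, not with what an editor draws, which is the whole point of the bug.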
All Rights Reserved, Copyright 2000 – 2022, TechTarget

