Hacker Can Conceal Flaws in Source Code by Applying Trojan Source Technique

Malicious actors might use a new category of flaws to introduce visually misleading malware.

Threat actors could use a new class of vulnerabilities to implant visually deceptive malware: the source code stays semantically valid, but its logic differs from what a reviewer sees, opening the door to even more first-party and supply-chain risks.

CVE-2021-42574 and CVE-2021-42694 affect compilers for all common programming languages, including C, C++, C#, JavaScript, Java, Rust, Go, and Python.

Compilers are programs that translate high-level, human-readable source code into lower-level forms such as assembly language, object code, or machine code, which the operating system can then execute.

The technique "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper. 

The issue centres on Unicode's bidirectional (Bidi) algorithm, which supports both left-to-right scripts (e.g., English) and right-to-left scripts (e.g., Arabic or Hebrew). The algorithm also defines bidirectional overrides, which allow left-to-right words to be written inside a right-to-left sentence, or vice versa, so that text with a different reading direction can be embedded inside larger blocks of text.

A compiler's output is expected to implement the source code given to it faithfully, but placing Unicode Bidi override characters into comments and string literals can create a situation in which the displayed order of characters presents logic that differs from the logical order the compiler actually reads.

Put another way, the attack targets the encoding of source-code files rather than introducing logical bugs directly: it visually rearranges tokens so that code which still parses in a perfectly valid way is processed by the compiler differently from how it appears, drastically changing the program's flow. A comment, for example, can be made to look as though it were code.
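The defensive counterpart to the mechanism described above is to scan source files for the Bidi control characters before they reach review or a build. The following is an added example, not code from the article or from the researchers' paper: it reports every Bidi control with its position and Unicode name, and separately flags lines on which an override, embedding or isolate is opened but never closed, which is the condition that lets a control inside a comment or string reorder how the rest of the line is displayed. The sample snippet it scans is constructed for the demonstration.

```python
import unicodedata

# Unicode bidirectional controls: embeddings/overrides are closed by POP
# DIRECTIONAL FORMATTING, isolates by POP DIRECTIONAL ISOLATE. Source code
# has no legitimate need for them, so any occurrence is worth flagging.
OPENERS_PDF = {"\u202a", "\u202b", "\u202d", "\u202e"}    # LRE, RLE, LRO, RLO
OPENERS_PDI = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
CLOSERS = {"\u202c": OPENERS_PDF, "\u2069": OPENERS_PDI}  # PDF, PDI
BIDI_CONTROLS = OPENERS_PDF | OPENERS_PDI | set(CLOSERS)


def find_bidi_controls(source):
    """Return (line, column, Unicode name) for every Bidi control, 1-based."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def unterminated_lines(source):
    """Lines on which a Bidi control is opened but not closed before the line
    ends; an open control in a comment or string reorders how the rest of
    the line is displayed, so it is the case a compiler check should reject."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stack = []
        for ch in line:
            if ch in OPENERS_PDF or ch in OPENERS_PDI:
                stack.append(ch)
            elif ch in CLOSERS:
                # a closer pops the nearest matching opener, if there is one
                for i in range(len(stack) - 1, -1, -1):
                    if stack[i] in CLOSERS[ch]:
                        del stack[i]
                        break
        if stack:
            bad.append(lineno)
    return bad


# Constructed sample (not from the paper): the comment on line 3 carries a
# RIGHT-TO-LEFT OVERRIDE that is never popped; line 2 has a balanced pair.
SAMPLE = (
    "int check(int level) {\n"
    "    /* \u2067 balanced isolate \u2069 */\n"
    "    if (level > 3) /* \u202e admins only */ return 1;\n"
    "    return 0;\n"
    "}\n"
)
```

Running `find_bidi_controls` over a checkout (or as a pre-commit hook) surfaces every control for a human to judge, while `unterminated_lines` gives the narrower, lower-noise signal to fail a build on.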

"In effect, we anagram program A into program B," the researchers surmised. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected." 

"The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses," the researchers noted. "As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses."