Author Topic: 'Trojan Source' bug  (Read 4601 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
'Trojan Source' bug
« on: November 02, 2021, 10:52 AM »
From Krebs on Security (https://krebsonsecur...ecurity-of-all-code/)

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides.

Emphasis mine. More at link.

Has anyone heard of it? It's been many years since I've worked with anything at this low a level, so I can't really comment on how serious it is.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: 'Trojan Source' bug
« Reply #1 on: November 02, 2021, 02:10 PM »
Interesting.. but hard to know how serious it really is.. It seems to be suggesting that the main risk would be malicious comments in an open source repository.. But it seems like it should be pretty easy to detect and block going forward..

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: 'Trojan Source' bug
« Reply #2 on: November 03, 2021, 07:31 AM »
Interesting.. but hard to know how serious it really is.. It seems to be suggesting that the main risk would be malicious comments in an open source repository.. But it seems like it should be pretty easy to detect and block going forward..

If the reviewers know about it, and how to look for it, yes-ish … But depending on how sparsely the hostile characters can be spread throughout the string, strings, or string array...it could be very difficult to find/identify. Especially if it was buried in a "robust" error checking routine that was (by appearances) just page after page of 'error code xxx = undercooked potato warning 7' type stuff.

It wouldn't even need to be a full blown exploit (as most are chained/blended these days) it just needs to be a toenail on the windowsill that a foot can follow type of thing to be effectively dangerous as hell.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: 'Trojan Source' bug
« Reply #3 on: November 03, 2021, 07:46 AM »
the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

It seems like one fix might be just detect when a file mixes different display orders and block this.. but maybe I'm missing the fact that sometimes this has a real use case..

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
Re: 'Trojan Source' bug
« Reply #4 on: November 03, 2021, 09:05 AM »
The fact that it's on Krebs made me take a look even though I didn't totally understand how it would be implemented. He's not one to cry the sky is falling without reason.

Ath

  • Supporting Member
  • Joined in 2006
  • Posts: 3,612
Re: 'Trojan Source' bug
« Reply #5 on: November 04, 2021, 04:34 PM »
A couple of days in and VSCode 1.62 has a 'fix' for the issue, by default showing those UTF directional attributes as just that, without interpreting them. And that can be turned off, if desired :up:.
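As an added example, not code from this thread, from Krebs, or from the Cambridge researchers: a small Python scanner that does what mouser proposes in reply #3 (flag any Unicode Bidi control character in a source file, with line and column) and what Ath says VS Code 1.62 does (render those characters visibly instead of interpreting them). It also reports lines where an override or isolate is opened but never closed, which is the pattern the Krebs excerpt describes, a control character whose effect leaks past the end of a comment or string. The list of code points is the set of explicit directional formatting characters defined by the Unicode Bidi Algorithm; the C-like source snippet is constructed for the demonstration and the function names are my own.

```python
"""Detect and make visible Unicode Bidi control characters in source text.

Added example for the Trojan Source discussion; not from the original thread.
"""
import unicodedata
from dataclasses import dataclass

# Explicit directional formatting characters from the Unicode Bidi Algorithm.
_OPEN_EMBED = {"\u202A", "\u202B", "\u202D", "\u202E"}   # LRE, RLE, LRO, RLO
_CLOSE_EMBED = "\u202C"                                   # PDF
_OPEN_ISOLATE = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
_CLOSE_ISOLATE = "\u2069"                                 # PDI
BIDI_CONTROLS = _OPEN_EMBED | {_CLOSE_EMBED} | _OPEN_ISOLATE | {_CLOSE_ISOLATE}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    codepoint: int
    name: str        # Unicode character name, e.g. RIGHT-TO-LEFT OVERRIDE


def find_bidi_controls(text: str) -> list:
    """Return every Bidi control character in `text` with its position.

    This is language-agnostic on purpose: a control character has no
    legitimate place in source code outside of string data, and even there
    it is worth a reviewer's attention, so we report all of them.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, ord(ch), unicodedata.name(ch)))
    return findings


def unbalanced_lines(text: str) -> list:
    """Line numbers where an embedding/override or isolate is not closed.

    The Bidi algorithm works per paragraph (here: per line), so an override
    opened inside a comment and never popped reorders the display of
    everything after it on that line, including code outside the comment.
    """
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embed = isolate = 0
        ok = True
        for ch in line:
            if ch in _OPEN_EMBED:
                embed += 1
            elif ch == _CLOSE_EMBED:
                embed -= 1
            elif ch in _OPEN_ISOLATE:
                isolate += 1
            elif ch == _CLOSE_ISOLATE:
                isolate -= 1
            if embed < 0 or isolate < 0:   # a pop with nothing open
                ok = False
        if not ok or embed or isolate:
            bad.append(lineno)
    return bad


def make_visible(text: str) -> str:
    """Replace each Bidi control with a visible <U+XXXX> marker.

    This mirrors the editor-side mitigation Ath describes: show the control
    character as a glyph rather than letting the renderer act on it.
    """
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


# Constructed sample: line 2 hides an unterminated RLO inside a comment,
# line 4 has a properly closed RLI/PDI pair (still worth reporting).
SAMPLE = (
    "int x = 1;\n"
    "/* comment \u202E with an override */\n"
    'char *s = "safe";\n'
    "// isolate \u2067 opened and closed \u2069 here\n"
)

if __name__ == "__main__":
    for f in find_bidi_controls(SAMPLE):
        print(f"line {f.line}, col {f.column}: U+{f.codepoint:04X} {f.name}")
    print("unterminated on lines:", unbalanced_lines(SAMPLE))
    print(make_visible(SAMPLE))
```

Run against a real tree, the scanner would be wired into a pre-receive hook or CI step so a pull request carrying any of these code points is held for a human look, which is what makes mouser's "detect and block" workable even when, as Stoic Joker notes, the characters are buried deep in a large string table.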