'Trojan Source' bug

ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Other Software > Developer's Corner

'Trojan Source' bug

(1/2) > >>

wraith808:
From Krebs on Security (https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides.
--- End quote ---

Emphasis mine. More at link.

Has anyone heard of it? It's been many years since I've worked with anything at this low a level, so I can't really comment on how serious it is.

mouser:
Interesting.. but hard to know how serious it really is.. It seems to be suggesting that the main risk would be malicious comments in an open source repository.. But it seems like it should be pretty easy to detect and block going forward..

Stoic Joker:
Interesting.. but hard to know how serious it really is.. It seems to be suggesting that the main risk would be malicious comments in an open source repository.. But it seems like it should be pretty easy to detect and block going forward..
-mouser (November 02, 2021, 02:10 PM)
--- End quote ---

If the reviewers know about it, and how to look for it, yes-ish … But depending on how sparsely the hostile characters can be spread throughout the string, strings, or string array...it could be very difficult to find/identify. Especially if it was buried in a "robust" error checking routine that was (by appearances) just page after page of 'error code xxx = undercooked potato warning 7' type stuff.

It wouldn't even need to be a full blown exploit (as most are chained/blended these days) it just needs to be a toenail on the windowsill that a foot can follow type of thing to be effective-ly dangerous as hell.

mouser:
the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).
--- End quote ---

It seems like one fix might be just detect when a file mixes different display orders and block this.. but maybe im missing the fact that sometimes this has a real use case..

wraith808:
The fact that it's on Krebs made me take a look even though I didn't totally understand how it would be implemented. He's not one to cry the sky is falling without reason.

Navigation

[0] Message Index

[#] Next page

Go to full version