Nicholas Boucher and Ross Anderson, Cambridge University researchers, have discovered a new class of vulnerabilities that can be used by malicious actors to integrate visually deceptive malware directly into the source code of applications.
The technique, called “Trojan Source,” is a way to inject malware that is virtually invisible to human reviewers. To achieve this, a hacker would need to exploit certain subtleties in text encoding standards like Unicode to exploit target systems.
This flaw affects pretty much all modern programming languages such as Rust, Java, Python, Go, C, C++, C#, and JavaScript. An attacker can apply something called a “bidirectional override” to embed left-to-right words inside a right-to-left sentence and vice versa, and this technique can be used to reorder tokens in source code at the encoding level to essentially fool the compiler or interpreter into seeing a different logic than a human reviewer would see in that source code.
The researchers warn that this opens the door to tampering with open-source code that’s in use at various organizations around the world. They note “this attack is particularly powerful within the context of software supply chains. If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability.”
To put it differently, the attack works by anagramming a program into another program, which tricks the compiler/interpreter into processing the code that doesn’t appear to be code to a human reviewer.
If an attacker can successfully embed malicious code in widely-used dependencies and libraries, the power of the attack is exponentially multiplied. The researchers also point out that compilers and interpreters are vulnerable to another technique known as a homoglyph attack where hackers can replace Latin letters with lookalike characters from other Unicode alphabets. More info:
