Nicholas Boucher and Ross Anderson, Cambridge University researchers, have discovered a new class of vulnerabilities that can be used by malicious actors to integrate visually deceptive malware directly into the source code of applications.
The technique, called “Trojan Source,” is a way to inject malicious code that is virtually invisible to human reviewers. To achieve this, an attacker exploits subtleties in text-encoding standards such as Unicode, so that the code a reviewer sees rendered on screen differs from the code the target system actually processes.
The researchers warn that this opens the door to tampering with open-source code that’s in use at various organizations around the world. They note “this attack is particularly powerful within the context of software supply chains. If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability.”
To put it differently, the attack works by anagramming a program into another program: the characters are rearranged at the encoding level so that the compiler or interpreter processes code that does not appear to be code to a human reviewer.
If an attacker can successfully embed malicious code in widely used dependencies and libraries, the impact of the attack is multiplied across every project that pulls them in. The researchers also point out that compilers and interpreters are vulnerable to another technique known as a homoglyph attack, in which attackers replace Latin letters with lookalike characters from other Unicode alphabets, so that two identifiers that look identical to a reviewer are distinct to the compiler.
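The practical defence against both techniques described above is to make the invisible visible at review time. The following scanner is an added example, not code from the researchers or their paper: it flags Unicode bidirectional control characters anywhere in a source file and identifiers that mix scripts (for example Latin and Cyrillic), which is the signature of a homoglyph swap. The sample source text it scans is constructed here; the script-detection heuristic (first word of the Unicode character name) is an approximation, not the full Unicode Script property.

```python
import re
import sys
import unicodedata

# Unicode bidirectional control characters. These change the displayed order of
# text without changing the byte order that a compiler or interpreter reads.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Rough identifier pattern: a non-digit word character followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def scripts_of(ident):
    """Approximate the set of scripts used in an identifier.

    Heuristic: the first word of each character's Unicode name ("LATIN", "CYRILLIC",
    "GREEK", ...). Digits and underscores are ignored. Assumption: good enough to
    separate Latin from its common lookalike scripts, not a full Script lookup.
    """
    scripts = set()
    for ch in ident:
        if ch == "_" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def scan_source(text):
    """Return (line_no, kind, detail) findings for bidi controls and mixed-script identifiers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            if ch in BIDI_CONTROLS:
                findings.append((line_no, "bidi", f"U+{ord(ch):04X} {BIDI_CONTROLS[ch]}"))
        for ident in IDENT_RE.findall(line):
            # Pure-ASCII identifiers cannot be homoglyph swaps; only mixed scripts are suspicious.
            if not ident.isascii() and len(scripts_of(ident)) > 1:
                findings.append((line_no, "mixed-script", ident))
    return findings


# Constructed sample: a comment carrying RLI/PDI controls and an identifier whose "o"
# is Cyrillic U+043E rather than Latin "o".
SAMPLE_SOURCE = (
    "def check_access(user):\n"
    "    # constructed: comment with RLI and PDI controls \u2067\u2069\n"
    "    if user.is_admin: return True\n"
    "    l\u043eg = 'constructed'\n"
)

if __name__ == "__main__":
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    for src in sources:
        for line_no, kind, detail in scan_source(src):
            print(f"line {line_no}: {kind}: {detail}")
```

Run it with file paths as arguments to scan real files; with no arguments it scans the constructed sample and reports the two control characters on line 2 and the mixed-script identifier on line 4.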