Research On “Trojan Source” Attacks [with paper]

There is a paper making the rounds, with a slick accompanying web site, in which the authors describe a software supply chain attack they call “Trojan Source: Invisible Vulnerabilities”. In short, if you use comments containing Unicode LTR and RTL code points, which control whether text is rendered left-to-right or right-to-left, you can make code look different in a standard Unicode rendering than it does to a program ignoring the comments.

The authors claim this is “a new type of attack” that “cannot be perceived directly by human code reviewers” and “pose[s] an immediate threat”, and they propose that compilers should be “upgraded to block this attack.” None of this is true.

This post was created with our nice and easy submission form. Create your post!

What do you think?

Posted by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

From Zero to Domain Admin

Linux Red Team Exploitation Techniques – Exploiting WordPress & MySQL