‘Trojan Source’ Makes Scary Headlines—But It’s Not New

Trojan Source “threatens the security of all code,” screams a widely shared article. Supposedly, this previously unknown attack on compilers allows open source code to hide malicious backdoors—thwarting all attempts to review it for vulnerabilities.

Oh poppycock. There’s nothing new here. And it’s not a compiler problem—it’s a rendering problem: code editors, diff viewers and code-review tools show the Bidi-reordered text one way, while the compiler reads the bytes in their logical order. It looks like another case of overblown “research” published on a flashy website with an eye-catching name.

But it is worth talking about. In today’s SB Blogwatch, we do exactly that.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Choprolled.

Stick to Horses

What’s the craic? Climb aboard the Brian Krebs cycle of hyperbole—“‘Trojan Source’ Bug Threatens the Security of All Code”:

Exert pressure
Virtually all compilers … are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected. … At issue is a component of the digital text encoding standard Unicode.

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying … mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right). … The “Bidi override” [is] used to make left-to-right text read right-to-left, and vice versa.

The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. … Equally concerning is that Bidi override characters persist through the copy-and-paste functions.

As for what needs to be done … the researchers urge governments and firms that rely on critical software to:

  • identify their suppliers’ posture,
  • exert pressure on them to implement adequate defenses, and
  • ensure that any gaps are covered by controls elsewhere in their toolchain.

Yeah, but how would this hidden code get into my apps? Ionut Ilascu explains—“Attack method can hide bugs into open-source code”:

First-party software and supply chains
By using control characters embedded in comments and strings, a threat actor can reorder the source code to change its logic in a way that creates an exploitable vulnerability. … This method is now tracked as CVE-2021-42574.

Researchers from the University of Cambridge, United Kingdom, disclosed and demonstrated the “Trojan Source” class of attacks that could compromise first-party software and supply chains.

In other words, beware of insiders adding hidden backdoors and malicious open source pull requests. Well, duh. Ross Anderson is one of the researchers—“Trojan Source: Invisible Vulnerabilities”:

Malicious contributions
Today we are releasing … a paper describing cool new tricks for crafting targeted vulnerabilities that are invisible to human code reviewers. … We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.

An adversary wanting to smuggle a vulnerability into software could try inserting an unobtrusive bug in an obscure piece of code. Critical open-source projects … depend on human review of all new code to detect malicious contributions.

How to fix it? Missing Semicolon recommends going “old skool”:

So whilst the language should support Unicode text, the compiler should really barf on anything but 7-bit ASCII.

Or go further? Get off Steve’s lawn:

Back in the good old days
You youngsters! There’s a simple solution to this problem: Everyone throws out their monitors.

Replace them with teletypes, like we used back in the good old days. Overprinting will then be obvious.

But seriously? parityshrimp sees the irony:

Perhaps text editors will add some mode that both flags the use of the bidirectional override and gives you an option to see the input text with the bidirectional override characters highlighted. … Also, make sure to check the output binary on an airgapped computer with a disassembler that you wrote yourself, in machine language, on said airgapped computer.
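Here’s what all the quoted descriptions boil down to in practice, as an added worked example (mine, not code from the original post, the Cambridge paper, or any of the folks quoted above). It constructs a small Python snippet in the “commenting-out” style the Krebs and Anderson quotes describe: a RIGHT-TO-LEFT ISOLATE (U+2067) sits inside a docstring so the trailing `;return` is meant to render as part of the docstring, while the interpreter reads it as an early return. It then runs two of the checks floated above: Missing Semicolon’s blunt “7-bit ASCII only” rule, and the targeted flag-every-Bidi-control check that parityshrimp wants editors to do. The sample snippets, the account name and the Arabic label in the honest version are all constructed for the demo; how any particular editor actually renders the poisoned line is the attack’s intent, not something this code can verify.

```python
"""Added example, not from the page or the Trojan Source paper's own files.

Builds a Python snippet carrying a Unicode Bidi control character inside a
docstring, shows that the interpreter executes logic a Bidi-aware renderer is
meant to hide, and scans the text for the control characters two ways.
"""
from __future__ import annotations

import unicodedata

# Explicit Bidi formatting characters (the ones the attack leans on):
# embeddings/overrides U+202A..U+202E and isolates U+2066..U+2069.
# LRM/RLM (U+200E/U+200F) are left out: they are marks, not reorderers.
BIDI_CONTROLS = frozenset(
    chr(cp) for cp in list(range(0x202A, 0x202F)) + list(range(0x2066, 0x206A))
)

RLI = "\u2067"  # RIGHT-TO-LEFT ISOLATE

# Constructed sample modelled on the "commenting-out" pattern described above.
# Logically the docstring closes at the second ''' and ';return' is code.
# A Bidi-aware renderer is meant to show the tail as "then return ;'''",
# so a reviewer believes the docstring swallows the return.
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then " + RLI + "''' ;return\n"
    "    bank[account] -= amount\n"
    "    return\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)

# Same snippet without the trick, with legitimate non-ASCII text (constructed
# Arabic label) so the two scanners below can be compared on it.
HONEST_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds (Arabic label: حساب) from bank account '''\n"
    "    bank[account] -= amount\n"
    "    return\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)


def run_and_get_balance(source: str) -> int:
    """Execute the snippet in a fresh namespace and return alice's balance."""
    ns: dict = {}
    exec(compile(source, "<sample>", "exec"), ns)
    return ns["bank"]["alice"]


def find_bidi_controls(source: str) -> list[tuple[int, int, str]]:
    """Targeted check: (line, column, name) of every Bidi control character.

    Comments and string literals are deliberately not exempt: that is
    exactly where the attack lives.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def find_non_ascii(source: str) -> list[tuple[int, int, str]]:
    """Blunt check ("7-bit ASCII only"): flags every non-ASCII character,
    legitimate ones like the Arabic label in HONEST_SOURCE included."""
    return [
        (lineno, col, unicodedata.name(ch, "UNKNOWN"))
        for lineno, line in enumerate(source.splitlines(), start=1)
        for col, ch in enumerate(line, start=1)
        if ord(ch) > 0x7F
    ]


if __name__ == "__main__":
    print("trojan balance:", run_and_get_balance(TROJAN_SOURCE))  # 100: early return
    print("honest balance:", run_and_get_balance(HONEST_SOURCE))  # 50
    print("bidi hits (trojan):", find_bidi_controls(TROJAN_SOURCE))
    print("bidi hits (honest):", find_bidi_controls(HONEST_SOURCE))
    print("non-ascii (honest):", find_non_ascii(HONEST_SOURCE))
```

Run it and the trojan version leaves alice at 100, because the `return` fires before the subtraction, while the honest version leaves 50. The targeted check flags exactly one character, on line 4 of the trojan snippet, and nothing in the honest one. The ASCII-only rule also catches the trojan, but it rejects the four perfectly legitimate Arabic letters as well, which is the trade-off behind Missing Semicolon’s suggestion.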

Wait. Pause. Russ Cox is experiencing some serious déjà vu—“On ‘Trojan Source’ Attacks”:

Distracting
The authors claim this is “a new type of attack” that “cannot be perceived directly by human code reviewers” and “pose[s] an immediate threat”, and they propose that compilers should be “upgraded to block this attack.” None of this is true.

The attacks are not new. … It is technically true that the attack cannot be perceived directly by human code reviewers, but only in the sense that no program in a computer can be perceived directly by humans. … If you are letting untrusted people make arbitrary changes to your code, they can probably find far more subtle (and deniable!) ways to hide a malicious change. … Changing compilers is also arguably a false sense of security.

The authors of this paper have clearly done a good job promoting it. Kudos to them on that. But I am concerned that the attention … this paper is getting is … distracting from far more useful security efforts.

And dwheeler tut-tuts similarly:

A widely-known problem
The general problem is already known and there are a number of pre-existing works that discuss it. This is typically called “underhanded code” or sometimes “maliciously misleading code”. I’m surprised that they didn’t use the normal term for the problem, nor cite the previous work on it — maybe they didn’t realize this was a widely-known problem?

Meanwhile, claimed sounds slightly sarcastic:

Clearly not an issue for real developers as it’s not like they would copy and paste code off Stack Overflow, right?

And Finally:

Thousands of people like this—and so do I

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Alex Grant (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
