This almost undetectable attack can damage the source code of any application
Be careful, the source code you read is not necessarily the code to be executed. Security researchers at the University of Cambridge have just discovered an attack called a “Source Trojan” that allows malicious code to be embedded into source code that, to the naked eye, looks completely normal, regardless of or the underlying language.
Also to discover in video:
How is it possible? The source of the Trojan is based on the fact that you can refer to different directions in the same ciphertext in the Unicode standard. This allows, for example, to correctly display the quote in Arabic or Hebrew within a French text. These changes of direction are made using invisible characters called “Bidi”. The letters “LRI” and “RLI” respectively indicate that the following words should be displayed from left to right, or from right to left.
However, the Unicode standard is also used in computer encoding. Nothing therefore prevents a hacker from using these invisible characters to manipulate the source code. In other words, it can cause a function to return unexpectedly or convert part of a comment to executable code. The strings can also have a different value than the one indicated in the displayed code. In short, the possibilities for manipulation are enormous and difficult to determine at the present time.
Indeed, the use of bidirectional characters does not cause any particular alert in the compilers and development tools. They go completely under the radar.
Obviously, this technology was not used by hackers. Researchers scanned over 7,000 software repositories Open source And they didn’t find anything malicious, other than using it to scramble the code.
The ball is now in the court of the editors of compilation and development tools. The good news is that it is very easy to correct the representation, as it is sufficient to exclude the use of bidirectional characters, except for specific uses. Unfortunately, the ecosystem is not very responsive.
The researchers alerted nineteen organizations, giving them 99 days to deliver the patch. Only half of them did, and the rest are dragging their feet. Therefore, developers are interested in the correct analysis of the third-party code they embed. For example, using the “vim” editor which clearly displays bidirectional characters without changing the direction of the text.
Source : source of trojan
“A shameless pop culture pioneer. independent troublemaker. Food guru. Alcohol addict. Player. Explorer. Thinker.”