oss-sec mailing list archives
Re: Trojan Source Attacks
From: Jan Engelhardt <jengelh () inai de>
Date: Mon, 1 Nov 2021 21:51:38 +0100 (CET)
On Monday 2021-11-01 18:27, Nicholas Boucher wrote:
> We have identified an issue affecting all compilers and interpreters that support Unicode. [...] The attached paper describes an attack paradigm -- which we believe to be novel -- discovered by security researchers at the University of Cambridge.

Not so novel. At one time, this picture made the rounds (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely older than this 2018 tweet), and anyone who knew that Unicode had zero-width characters already made the connection.

And I can imagine an attacker would rather try to inject Evil Unicode-Based Code through a preprocessor of sorts (e.g. a bison .y file), because the output of such generators is something few people would ever want to read in detail.

Even without Unicode, people had been using somewhat-invisible control characters for codegolfing; one instance that I recall is the "RC4 in two lines of Perl-with-no-modules", anno 2003, which uses a variable name simply named <U+0024><U+0003> aka $^C aka ${"\x03"}. U+0003 would not be rendered by most X11 terminals outside an editor that knew to recognize the classic control chars.
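A source-tree check for the character classes this message mentions (zero-width characters, bidirectional controls, and raw control characters such as U+0003), as an added example that is not part of the original post or thread. The sample input is constructed and the function names are this example's own; pass generated files (for instance parser-generator output) as arguments as well, since those are rarely read by hand.

```python
import sys
import unicodedata

# Bidirectional controls: embeddings/overrides, isolates, and directional marks.
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A)) | {0x200E, 0x200F, 0x061C}
# Characters that occupy no visible width.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
# Control characters that are normal in source text.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}

# Constructed sample: one line per character class, no real project code.
SAMPLE = 'my $\x03 = 1;\nint foo\u200bbar;\n/* note \u202e */\n'


def classify(ch):
    """Return a label if ch is invisible in most renderers, else None."""
    cp = ord(ch)
    if cp in BIDI:
        return "bidi-control"
    if cp in ZERO_WIDTH:
        return "zero-width"
    cat = unicodedata.category(ch)
    if cat == "Cc" and ch not in ALLOWED_CONTROLS:
        return "control"
    if cat == "Cf":  # remaining format characters, e.g. soft hyphen
        return "format"
    return None


def scan(text):
    """Return (line, column, 'U+XXXX', label) for each suspicious character."""
    findings = []
    # Split on "\n" only: str.splitlines() also breaks on U+000B, U+000C,
    # U+2028 and others, which would hide exactly the characters we look for.
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            label = classify(ch)
            if label:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for hit in scan(SAMPLE):
            print("<sample>", *hit)
    for path in paths:
        with open(path, encoding="utf-8", errors="replace", newline="") as fh:
            for hit in scan(fh.read()):
                print(path, *hit)
```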