oss-sec mailing list archives

Re: Trojan Source Attacks


From: Jan Engelhardt <jengelh () inai de>
Date: Mon, 1 Nov 2021 21:51:38 +0100 (CET)


On Monday 2021-11-01 18:27, Nicholas Boucher wrote:

We have identified an issue affecting all compilers and interpreters that support Unicode.
[...]
The attached paper describes an attack paradigm -- which we believe to be novel -- discovered by security researchers at the University of Cambridge.

Not so novel. At one time, this picture made the rounds
(https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
older than this 2018 tweet), and anyone who knew that Unicode had zero-width
characters already made the connection.

And I can imagine an attacker would rather try to inject Evil Unicode-Based
Code through a preprocessor of sorts (e.g. a bison .y file), because the output
of such generators is something few people would ever want to read in detail.

Even without Unicode, people had been using somewhat-invisible control
characters for codegolfing; one instance that I recall is the "RC4 in two lines
of Perl-with-no-modules", anno 2003, which uses a variable name simply named
<U+0024><U+0003> aka $^C aka ${"\x03"}. U+0003 would not be rendered by most
X11 terminals outside an editor that knew to recognize the classic control chars.
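The thread above is about characters that a compiler parses but a reviewer's terminal or editor does not render: Unicode bidi overrides and zero-width characters in the Trojan Source case, a bare C0 control character in the Perl golf case. The following scanner, written as an added example for this archive page and not taken from the thread or from the Trojan Source paper, flags all three classes in source text so that such files can be caught in review or CI. The sample inputs are constructed for the demonstration; the Perl-style sample only reuses the U+0003 idea mentioned in the post.

```python
import unicodedata

# Constructed sample source files so the scanner runs offline.
SAMPLES = {
    # Bidi control characters inside a string literal and a comment (constructed).
    "bidi.c": 'x = "a\u202eb"; // \u2066 c \u2069\n',
    # A zero-width space hidden inside an identifier (constructed).
    "zwsp.py": "is_admin = True\nis_adm\u200bin = False\n",
    # A C0 control character used as a variable name, like the $^C example (constructed).
    "ctrl.pl": "$\x03 = 'x';\n",
    # Clean file: ordinary non-ASCII letters in a string literal are not flagged.
    "clean.c": 'puts("Grüße");\n',
}

# Explicit bidi controls (Unicode category Cf), which reorder how text is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Characters that render as nothing at all.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Control characters that legitimately appear in source text.
ALLOWED_C0 = {"\t", "\n", "\r"}


def find_suspicious(text):
    """Return (line, column, codepoint, reason) for every character that would be
    invisible or reorder text, i.e. could make code read differently than it parses."""
    hits = []
    # Split on "\n" only: str.splitlines() would also break lines on some of the
    # very control characters we want to report.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            category = unicodedata.category(ch)
            if ch in BIDI_CONTROLS:
                reason = "bidi control"
            elif ch in ZERO_WIDTH:
                reason = "zero-width"
            elif category == "Cc" and ch not in ALLOWED_C0:
                reason = "control character"
            elif category == "Cf":
                reason = "format character"
            else:
                continue
            hits.append((lineno, col, "U+%04X" % ord(ch), reason))
    return hits


def scan(files):
    """Map each file name to its list of findings."""
    return {name: find_suspicious(text) for name, text in files.items()}


def flagged_files(files):
    """Sorted names of the files that contain at least one suspicious character."""
    return sorted(name for name, hits in scan(files).items() if hits)


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        for lineno, col, cp, reason in hits:
            print(f"{name}:{lineno}:{col}: {cp} ({reason})")
```

Run on real files, the same function is fed `open(path, encoding="utf-8", errors="replace").read()`; a non-empty result is a review finding, not proof of malice, since some languages allow bidi text in comments for legitimate right-to-left prose.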
