oss-sec mailing list archives

Re: Trojan Source Attacks


From: Josh Bressers <josh () bress net>
Date: Tue, 2 Nov 2021 11:23:50 -0500

On Tue, Nov 2, 2021 at 10:56 AM David A. Wheeler <dwheeler () dwheeler com>
wrote:


> However, I think it’s important to realize this is a special case of
> “underhanded code” aka “underhanded source code” aka “maliciously
> misleading code”. Underhanded code is source code crafted so that the
> source code looks like it does one thing to human reviewers, but it
> actually does something else. Homoglyphs are a common mechanism of attack
> (e.g., 1/l or O/0), as are misleading indentation, etc.
>
> The first reference I can find to underhanded code is the 2004 Obfuscated
> V Contest (http://graphics.stanford.edu/~danielh/vote/vote.html) created
> by Daniel Horn.


You could argue the obfuscated C contest is related, that goes back to 1984.
https://www.ioccc.org/years.html#1984

-- 
     Josh
