Expert Reacted On ‘Trojan Source’ Bug Threatens The Security Of All Code

BACKGROUND:

Researchers at the University of Cambridge discovered a bug that affects most code compilers and many software development environments. The weakness lies in Unicode, the digital text-encoding standard that allows machines to exchange data regardless of the language used.

Expert Comments

November 02, 2021
Tim Erlin
VP of Product Management and Strategy
Tripwire

This is a difficult vulnerability for the average person to understand. Not only is it buried in several layers of technical explanation, it’s also most likely to be exploited through a complex ecosystem of shared code. Most people don’t spend a lot of time understanding how their favourite apps and websites are developed and managed. It’s very rare for an application to be created entirely from scratch. The use of shared libraries of code and open-source tools is common, and part of what allows for rapid development. That ecosystem also allows a vulnerability like this one to exist and makes it very difficult to address.

November 02, 2021
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys

We’ve seen a variety of novel attacks on software supply chains in 2021, and this is another example of how the trust placed in development processes can be exploited. Teams intrinsically trust their developers, but developers are human and even the best developers can’t be expected to know all the nuances of how code libraries function. When in doubt, they’ll search the internet for examples. Those examples might just be exactly what’s needed to solve the problem, with a result of the found code being copied into the application. While legal teams have been concerned about the potential licensing liability surrounding copied code, an attack using Unicode bidi overrides should concern security teams since that perfect code might only look perfect to the human eye, but instead contain code representing the launch point for an attack that will ultimately be distributed by the application owner.

November 02, 2021
Jonathan Knudsen
Senior Security Strategist
Synopsys

Boucher and Anderson’s paper Trojan Source: Invisible Vulnerabilities explores how Unicode control characters could allow malicious actors to insert vulnerabilities in source code. At the heart of the problem are currently differences between how source code is displayed to developers and how it is interpreted by the compiler. Using Unicode control characters, the researchers were able to construct source code that appears to behave one way but, in fact, behaves differently.

Trojan Source highlights the fact that nearly all development teams use open source components as a foundation for their applications. An attacker could contribute source code to an open source component that appears innocuous but has a nefarious purpose. This was always a possibility, but Trojan Source makes it easier to disguise the intent of malicious code.

The entire ecosystem is reacting with warnings and mitigations about Unicode control characters found in source code, as detailed in the paper.

Meanwhile, good cyber security during application development is a necessity, just as it always has been. Threat modeling helps flush out design vulnerabilities, while automated testing helps locate vulnerabilities during implementation. Software Composition Analysis (SCA), in particular, helps developers manage the open source components they’ve used and keep on top of evolving known vulnerabilities in those components.

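The mitigation the comments above describe is to flag Unicode bidirectional control characters before they reach a compiler or a code reviewer. The scanner below is an added example (not from the paper, the commenters, or any vendor tool) that reports each such character with its line, column and Unicode name, and rewrites a line so the hidden code points become visible; the sample source text is constructed for the demonstration.

```python
import unicodedata
from typing import List, NamedTuple

# Unicode bidirectional controls: explicit embeddings, overrides, isolates and
# marks. These are the code points that can make the rendered order of tokens
# differ from the order in which a compiler reads them.
BIDI_CONTROLS = {
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE RLE PDF LRO RLO
    0x2066, 0x2067, 0x2068, 0x2069,          # LRI RLI FSI PDI
    0x200E, 0x200F, 0x061C,                  # LRM RLM ALM
}


class Finding(NamedTuple):
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    codepoint: int
    name: str        # Unicode character name, e.g. "RIGHT-TO-LEFT OVERRIDE"


def scan_source(text: str) -> List[Finding]:
    """Return every bidi control character in `text` with its position."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) in BIDI_CONTROLS:
                findings.append(
                    Finding(lineno, col, ord(ch), unicodedata.name(ch, "UNKNOWN"))
                )
    return findings


def make_visible(line: str) -> str:
    """Replace each bidi control with an escape such as <U+202E> so a reviewer
    sees the same byte order the compiler sees."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ord(ch) in BIDI_CONTROLS else ch for ch in line
    )


# Constructed sample: one ordinary line and one line carrying a hidden RLO.
SAMPLE_SOURCE = 'x = 1  # ordinary comment\ns = "abc\u202edef"  # looks harmless\n'

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line} col {f.column}: U+{f.codepoint:04X} {f.name}")
        print("  as compiler sees it:", make_visible(SAMPLE_SOURCE.splitlines()[f.line - 1]))
```

Running it over a checkout (for example as a pre-commit hook that fails on any finding) gives the warning the ecosystem mitigations aim for without relying on how a given editor renders the file.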