Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. The weakness is with digital text encoding standard Unicode, which allows machines to exchange data regardless of the language used.
<p>This is a difficult vulnerability for the average person to understand. Not only is it buried in several layers of technical explanation, it’s also most likely to be exploited through a complex ecosystem of shared code. Most people don’t spend a lot of time understanding how their favourite apps and websites are developed and managed. It’s very rare for an application to be created entirely from scratch. The use of shared libraries of code and open-source tools is common, and part of what allows for rapid development. That ecosystem also allows a vulnerability like this one to exist and makes it very difficult to address.</p>
Last edited 2 years ago by Tim Erlin
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
November 2, 2021 12:05 pm
<p>We’ve seen a variety of novel attacks on software supply chains in 2021, and this is another example of how the trust placed in development processes can be exploited. Teams intrinsically trust their developers, but developers are human and even the best developers can’t be expected to know all the nuances of how code libraries function. When in doubt, they’ll search the internet for examples. Those examples might just be exactly what’s needed to solve the problem, with a result of the found code being copied into the application. While legal teams have been concerned about the potential licensing liability surrounding copied code, an attack using Unicode bidi overrides should concern security teams since that perfect code might only look perfect to the human eye, but instead contain code representing the launch point for an attack that will ultimately be distributed by the application owner.</p>
<p>Boucher and Anderson’s paper <em>Trojan Source: Invisible Vulnerabilities</em> explores how Unicode control characters could allow malicious actors to insert vulnerabilities in source code. At the heart of the problem are currently differences between how source code is displayed to developers and how it is interpreted by the compiler. Using Unicode control characters, the researchers were able to construct source code that appears to behave one way but, in fact, behaves differently.</p>
<p>Trojan Source highlights the fact that nearly all development teams use open source components as a foundation for their applications. An attacker could contribute source code to an open source component that appears innocuous but has a nefarious purpose. This was always a possibility, but Trojan Source makes it easier to disguise the intent of malicious code.</p>
<p>The entire ecosystem is reacting with warnings and mitigations about Unicode control characters found in source code, as detailed in the paper.</p>
<p>Meanwhile, good cyber security during application development is a necessity, just as it always has been. Threat modeling helps flush out design vulnerabilities, while automated testing helps locate vulnerabilities during implementation. Software Composition Analysis (SCA), in particular, helps developers manage the open source components they’ve used and keep on top of evolving known vulnerabilities in those components.</p>
<p>This is a difficult vulnerability for the average person to understand. Not only is it buried in several layers of technical explanation, it’s also most likely to be exploited through a complex ecosystem of shared code. Most people don’t spend a lot of time understanding how their favourite apps and websites are developed and managed. It’s very rare for an application to be created entirely from scratch. The use of shared libraries of code and open-source tools is common, and part of what allows for rapid development. That ecosystem also allows a vulnerability like this one to exist and makes it very difficult to address.</p>
<p>We’ve seen a variety of novel attacks on software supply chains in 2021, and this is another example of how the trust placed in development processes can be exploited. Teams intrinsically trust their developers, but developers are human and even the best developers can’t be expected to know all the nuances of how code libraries function. When in doubt, they’ll search the internet for examples. Those examples might just be exactly what’s needed to solve the problem, with a result of the found code being copied into the application. While legal teams have been concerned about the potential licensing liability surrounding copied code, an attack using Unicode bidi overrides should concern security teams since that perfect code might only look perfect to the human eye, but instead contain code representing the launch point for an attack that will ultimately be distributed by the application owner.</p>
<p>Boucher and Anderson’s paper <em>Trojan Source: Invisible Vulnerabilities</em> explores how Unicode control characters could allow malicious actors to insert vulnerabilities in source code. At the heart of the problem are currently differences between how source code is displayed to developers and how it is interpreted by the compiler. Using Unicode control characters, the researchers were able to construct source code that appears to behave one way but, in fact, behaves differently.</p>
<p>Trojan Source highlights the fact that nearly all development teams use open source components as a foundation for their applications. An attacker could contribute source code to an open source component that appears innocuous but has a nefarious purpose. This was always a possibility, but Trojan Source makes it easier to disguise the intent of malicious code.</p>
<p>The entire ecosystem is reacting with warnings and mitigations about Unicode control characters found in source code, as detailed in the paper.</p>
<p>Meanwhile, good cyber security during application development is a necessity, just as it always has been. Threat modeling helps flush out design vulnerabilities, while automated testing helps locate vulnerabilities during implementation. Software Composition Analysis (SCA), in particular, helps developers manage the open source components they’ve used and keep on top of evolving known vulnerabilities in those components.</p>