Security researchers have revealed a flaw in compilers that could add vulnerabilities to open source projects. Dubbed Trojan Source, the researchers said the attack was potent within the context of software supply chains, such as this year’s SolarWinds attacks.
“If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” said researchers.
Researchers said the attack exploits subtleties in text-encoding standards, such as Unicode, to produce source code with logically encoded tokens that are in a different order from how they are displayed, leading to vulnerabilities.
“These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens,” said researchers.
They added that compilers and interpreters adhere to the logical ordering of source code, not the visual order.
Hackers can use multiple techniques to exploit the visual reordering of source code tokens, according to researchers.
The first technique is called “Early Returns.” This causes a function to short circuit by executing a return statement that visually appears to be within a comment.
The second is “Commenting-Out.” This causes a comment to visually appear as code, which in turn is not executed.
RELATED RESOURCE
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
Lastly, there are “Stretched Strings.” These cause portions of string literals to visually appear as code, which has the same effect as commenting-out and causes string comparisons to fail.
There is also a variant that uses homoglyphs, which are characters that appear nearly identical to letters.
“An attacker can define such homoglyph functions in an upstream package imported into the global namespace of the target, which they then call from the victim code,” said researchers.
This attack variant is tracked as CVE-2021-42694.
Researchers said to defend against such attacks, compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.
“Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals,” they added. “Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings.”
-
Helping customers adopt a multi-cloud infrastructure and accelerate their modernization journeySponsored Content We outline what shifting to a subscription model means for your business
-
UK firms are 'sleepwalking' into smart building cyber threatsNews The convergence of operational technology and IT systems is posing serious risks for property firms.
-
CronRat Magecart malware uses 31st February date to remain undetectedNews The malware allows for server-side payment skimming that bypasses browser security
-
Mekotio trojan continues to spread despite its operators’ arrestsNews Hackers have used it in 100 more attacks since arrests
-
What is Emotet?In-depth A deep dive into one of the most infamous and prolific strains of malware
-
Fake AnyDesk Google ads deliver malwareNews Malware pushed through Google search results
-
Hackers use open source Microsoft dev platform to deliver trojansNews Microsoft's Build Engine is being used to deploy Remcos password-stealing malware
-
Android users told to be on high alert after Cerberus banking Trojan leaks to the dark webNews The source code for the authenticator-breaking malware is available for free on underground forums
-
Qbot malware surges into the top-ten most common business threats
News An evolved form of the banking Trojan was distributed by number one-ranking Emotet in a campaign that hit 5% of businesses globally
-
BlackRock banking Trojan targets Android appsNews Trojan steals login credentials and credit card information and has targeted more than 300 apps
