Trojan Source (cyber attack)

Main article: Cyber attacks

2021: Attack Demonstration

On November 1, 2021, scientists University of Cambridge from published details of the attack, which can be used to insert malicious code into legitimate programs through the comment fields. We are talking ON about infection at the stage of source code.

The attack, called Trojan Source, is based on the use of bidirectional control characters in source code comments. Also known as BiDi, these are Unicode control characters, a character coding standard that is used inside a line of text to signal a transition from left to right and right to left or vice versa. In practice, these characters are intended exclusively for software applications and are invisible to the human eye, since they are used only for inserting text with a different reading direction inside large blocks of text, for example, inserting Arabic or Hebrew lines inside large blocks of Latin text.

Hackers began to infect software at the source stage

The Cambridge-based research team said it found that most code compilers and code editors do not have protocols to process BiDi characters or signal their presence inside source code comments. According to the researchers, attackers can insert BiDi control characters into comments that do not see people checking the code and which, when compiled, move text from the comment field to the executable code. It is also possible to move the code to a commented section, opening applications for attacks, nullifying various security checks.

We tested that this attack works against C, C++, C#, JavaScript, Java, Rust, Go and Python, and suspect that it will work against most other modern languages, "explained Ross Anderson, one of the two researchers behind the Trojan Source technique.

In addition to code compilers, Anderson and his colleague Nicholas Boucher reported that several code editors and source code hosting services were also vulnerable. In addition to the BiDi-related attack, the researchers found that source-code compilers are also vulnerable to a second problem known as a homogeneous attack, which is when classical Latin letters are replaced by similar characters from other sets of the Unicode family. The researchers said this second attack could be used to create two different functions that look the same in the eyes of a code validation specialist, but actually differ from each other. Anderson and Boucher claim that an attacker can use a dependency or a plugin to determine the homoglyph function, outside the main code base of the application, and he also has the opportunity to add malicious code to the project without the knowledge of the accompanying.

Since most modern coding processes depend on the contribution of a team of several developers, or even teams. Cambridge researchers argue that it is important that code compilers and code editors detect BiDi and homogeneous characters and signal to people checking the code that non-standard Unicode glyphs are used in the source code, they are usually written in the Latin character set. According to two researchers, they granted all affected parties a 99-day embargo to fix two attacks in their tools before publishing details about the Trojan Source attack.

The development team of the official compiler Rust released a security update to fix both attacks CVE-2021-42574 (attack BiDi) and CVE-2021-42694 (attack homoglyph), and other fixes are expected until the end of November 2021.^[1]

Notes