Hiding Vulnerabilities in Source Code
Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about.
From Ross Anderson’s blog:
We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages.
This potentially devastating attack is tracked as CVE-2021-42574, while a related attack that uses homoglyphs (visually similar characters) is tracked as CVE-2021-42694. This work has been under embargo for a 99-day period, giving time for a major coordinated disclosure effort in which many compilers, interpreters, code editors, and repositories have implemented defenses.
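The two mechanisms in the quoted paragraphs, a Bidi control character smuggled inside a string literal so the compiler and the renderer disagree about what a line says, and a homoglyph identifier that is a different name from the one it resembles, are both easy to demonstrate and to scan for. The following is an added example of my own, not code from the paper or from Ross Anderson's group: the two source samples are constructed here, the Python interpreter is used as the "compiler", and the scanner flags every Unicode bidirectional control character plus every identifier that is not pure ASCII. The code does not render text, so the right-to-left display is described in the comments as what U+2067 is designed to produce in a Bidi-aware editor, not verified here.

```python
import io
import tokenize
import unicodedata

# Bidi classes (UAX #9) of the explicit directional formatting characters:
# embeddings, overrides, isolates and their terminators.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Constructed sample in logical (compiled) order. U+2067 RIGHT-TO-LEFT ISOLATE
# sits inside the docstring, so the interpreter accepts the file; it is placed
# so that a Bidi-aware renderer draws the rest of the line right-to-left and the
# line reads as if ";return" were part of the docstring. The compiler sees the
# docstring close and then an unconditional early return.
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)

# Constructed sample: the second function's name uses CYRILLIC SMALL LETTER A
# (U+0430) in place of LATIN SMALL LETTER A, so it is a distinct identifier
# that is visually indistinguishable from is_admin.
HOMOGLYPH_SOURCE = (
    "def is_admin(user):\n"
    "    return user == 'root'\n"
    "\n"
    "def is_\u0430dmin(user):\n"
    "    return True\n"
)


def balance_after_run(source):
    """Execute the sample as Python would and return alice's final balance."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace["bank"]["alice"]


def find_bidi_controls(source):
    """Return (line, column, 'U+XXXX', name) for each bidi control character.

    Works on any text, not just Python, because it never tokenizes.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits


def find_non_ascii_identifiers(source):
    """Return (line, identifier, [names of its non-ASCII chars]) for every
    Python NAME token that is not pure ASCII; such names deserve review."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            names = [unicodedata.name(c, "?") for c in tok.string if not c.isascii()]
            hits.append((tok.start[0], tok.string, names))
    return hits


if __name__ == "__main__":
    # 100, not 50: the hidden ";return" runs before the subtraction.
    print("alice's balance after subtract_funds('alice', 50):", balance_after_run(TROJAN_SOURCE))
    for hit in find_bidi_controls(TROJAN_SOURCE):
        print("bidi control character:", hit)
    for hit in find_non_ascii_identifiers(HOMOGLYPH_SOURCE):
        print("non-ASCII identifier:", hit)
```

A pre-commit or CI check built on `find_bidi_controls` can simply reject any commit that introduces these code points; they have no legitimate use in source outside of string literals holding real bidirectional text, and even there a reviewer should see them spelled out. The homoglyph check is deliberately blunt (any non-ASCII identifier), because a "does this look like an existing name" comparison needs a confusables table and is easy to get wrong; flagging for human review is the safer default.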
Website for the attack. Rust security advisory.
Brian Krebs has a blog post.
EDITED TO ADD (11/12): An older paper on similar issues.
echo • November 1, 2021 11:31 AM
Anyone familiar with COBOL and dot matrix printers when trying to find the source of a ten page error report knows this problem.
Compiler vendors are fundamentally lazy. You see this through entire “compiler like” toolchains. You have designers of languages ignoring rationality and piling in function after gee whiz function while ignoring legal mandates such as equality law governing accessibility. The lack of regulatory oversight and remedy in law perpetuates this.
File under avoidable problem.
Reality is a concrete mattress disguised by avoidant language much as “beef” when people really mean dead cow. Hence “Not normally” – a horrible phrase often used by lawyers along with “that depends” and “with kind regards”. You can add it to the same list as politicians speak such as “endeavour” and “pledge”.
See you same time next year for the same problem wearing different clothes.