IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

“Trojan Source” hides flaws in source code from humans

Organizations urged to take action to combat the new threat that could result in SolarWinds-style attacks

Security researchers have revealed a flaw in compilers that could add vulnerabilities to open source projects. Dubbed Trojan Source, the researchers said the attack was potent within the context of software supply chains, such as this year’s SolarWinds attacks.

“If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability,” said researchers.

Researchers said the attack exploits subtleties in text-encoding standards, such as Unicode, to produce source code with logically encoded tokens that are in a different order from how they are displayed, leading to vulnerabilities.

“These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens,” said researchers. 

They added that compilers and interpreters adhere to the logical ordering of source code, not the visual order.

Hackers can use multiple techniques to exploit the visual reordering of source code tokens, according to researchers. 

The first technique is called “Early Returns.” This causes a function to short circuit by executing a return statement that visually appears to be within a comment.

The second is “Commenting-Out.” This causes a comment to visually appear as code, which in turn is not executed.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Pair of feet in socks with a chair and plant in the backgroundFree download

Lastly, there are “Stretched Strings.” These cause portions of string literals to visually appear as code, which has the same effect as commenting-out and causes string comparisons to fail.

There is also a variant that uses homoglyphs, which are characters that appear nearly identical to letters. 

“An attacker can define such homoglyph functions in an upstream package imported into the global namespace of the target, which they then call from the victim code,” said researchers. 

This attack variant is tracked as CVE-2021-42694.

Researchers said to defend against such attacks, compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.

“Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals,” they added. “Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings.”

Featured Resources

How to hold more productive meetings

Tips and tricks to get the most out of your meetings

Free Download

Enabling the future of work with embedded real-time communication

A new dimension of human interaction is coming to digital work

Free Download

How to do hybrid work right

Overcoming challenges in the transition to hybrid work

Watch now

HCI 2.0 From HPE: How it can help your business thrive

Why SMBs need to accelerate digital transformation with HCI

Free download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022