Threat actors might use a new class of flaws to inject visually deceptive code that is semantically valid yet changes the logic the source code appears to describe, effectively exposing more first-party and supply chain risks.
The technique is nicknamed “Trojan Source attacks.” It leverages inconsistencies in text-encoding standards like Unicode to generate source code with tokens logically encoded in a different sequence than they are presented, resulting in vulnerabilities invisible to human code reviewers.
While a compiler's output is required to faithfully implement the source code it is given, inconsistencies caused by Unicode Bidi override characters placed in comments and strings can produce syntactically acceptable source code whose logic differs from what the displayed text suggests.
To put it another way, rather than purposely introducing logical errors, the attack targets the encoding of source code files to construct specific vulnerabilities: it visually reorders tokens in the source so that, although the text displays as legitimate code, the compiler interprets it differently and the program flow is radically altered, for example by making a comment look like code.
In effect, the researchers argued, program A is transformed into program B. An adversary might introduce specific vulnerabilities without being noticed if the logic change is small enough to go undetected in later testing.
Once such undetectable vulnerabilities are introduced into open-source software, they find their way downstream and potentially affect every user of the program. Such adversarial encodings can have a significant impact on the supply chain, the researchers warn.
Far worse, Trojan Source operations can become even more severe if an attacker uses homoglyphs to redefine pre-existing functions in an upstream package and have a victim application call them.
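Both of the mechanisms described above, Bidi override characters in comments and strings and homoglyph-based identifiers, leave traces in the raw bytes of a file even when the rendered text looks ordinary. The scanner below is an added example written for this article, not code from the researchers or from any project it mentions. It flags every Unicode Bidi control character with its line and column, and flags identifiers that mix scripts (for instance a Cyrillic letter inside an otherwise Latin name); the script of a character is approximated from the first word of its Unicode name, which is an assumption made for brevity rather than a full Unicode Script property lookup. The sample source it scans is constructed here.

```python
import re
import unicodedata

# Unicode bidirectional (Bidi) control characters. The explicit embeddings and
# overrides (U+202A..U+202E) and the isolates (U+2066..U+2069) can make a line
# render in a different order than the one the compiler actually consumes.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# An identifier start (word character that is not a digit) followed by word
# characters; \w is Unicode-aware on str patterns, so non-Latin letters match.
IDENTIFIER_RE = re.compile(r"[^\W\d]\w*")


def find_bidi_controls(source: str):
    """Return (line, column, name) for every Bidi control character in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC', 'GREEK'). Assumption: good enough for triage."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_mixed_script_identifiers(source: str):
    """Return (line, identifier, scripts) for identifiers whose letters come from
    more than one script, the typical shape of a homoglyph substitution."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in IDENTIFIER_RE.finditer(line):
            ident = match.group()
            scripts = sorted({script_of(ch) for ch in ident if ch.isalpha()})
            if len(scripts) > 1:
                findings.append((lineno, ident, scripts))
    return findings


def scan(source: str) -> dict:
    """Run both checks and group the results for reporting."""
    return {
        "bidi": find_bidi_controls(source),
        "mixed_script": find_mixed_script_identifiers(source),
    }


# Constructed sample input (not from the article): a Cyrillic 'е' (U+0435) in a
# function name, and an RLO/PDF pair hidden inside a comment.
SAMPLE_SOURCE = (
    "def s\u0435nd_report():\n"
    "    # Trust boundary \u202e check disabled\u202c\n"
    "    return True\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: Bidi control {name}")
    for lineno, ident, scripts in find_mixed_script_identifiers(SAMPLE_SOURCE):
        print(f"line {lineno}: identifier {ident!r} mixes scripts {scripts}")
```

Run against a repository in a pre-commit hook or CI job, any non-empty result is worth a human look: legitimate code rarely needs Bidi controls outside of string literals intended for right-to-left UI text, and mixed-script identifiers are almost never intentional.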
Because the Trojan Source flaw affects practically all programming languages, the researchers say it offers a unique chance for a system-wide, ecologically valid comparison of remedies across platforms and vendors.
Since these tactics may be used to launch significant supply-chain attacks, it is critical for enterprises involved in the software supply chain to put countermeasures in place.