We still remember the SolarWinds supply chain attack, where cybercriminals managed to insert malicious code in one of their products, providing them access via backdoors in every system running the software. 🚪
Recently two researchers of the University of Cambridge have Proof of Concept of Trojan Source techniques to introduce malicious code that will display as a good one to the eyes of source code auditors by taking profit of the rendering mechanisms used by Unicode. 🐎
They discuss three primary exploit techniques:
📍 Early Returns
📍 Commenting-Out
📍 Stretched Strings
And several types of attacks for anyone of them. As an example, they explain how a Homoglyph attack works. ⚙️
It's as easy as defining a function with the same name as a genuine one, only replacing one of the characters by a character of a different Alphabet (for example, Cyrillic) which displays precisely the same or so close to the original one that is impossible to distinguish by the human eye. 👁
For example,
this "H" is Latin,
while this other "Н" is Cyrillic. (Unicode 041D)
For your eyes, my eyes, and the ones of a code reviewer, they look the same, but for the eyes of the compiler, it will call a completely different function, which contains the malicious code. 💣
The research provides some manual tactics to detect the Trojan source vulnerabilities discussed in the paper, which is helpful until the Compilers implement defenses to detect these attacks. 🛡
I am sure you are interested to know more about these vulnerabilities, so find here the link to the paper and the link to the article on this topic published by 'The hackers news' ⬇️
Which techniques and tools do you use to audit source code for cybersecurity? 🤔