Re: Trojan Source Attacks

[Santiago Torres <torresariass () gmail com>]

On Mon, Nov 01, 2021 at 09:51:38PM +0100, Jan Engelhardt wrote:
> On Monday 2021-11-01 18:27, Nicholas Boucher wrote:
> > We have identified an issue affecting all compilers and interpreters that support Unicode.
> > [...]
> > The attached paper describes an attack paradigm -- which we believe to be novel -- discovered by security 
> > researchers at the
> > University of Cambridge.
>
> Not so novel. At one time, this picture made the rounds
> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
> older than this 2018 tweet), and anyone who knew that Unicode had zero-width
> characters already made the connection.

Along the same lines, there were a myriad of attacks using bash-style
sequences to obscure parts of patches inside of git show/git log/less/
other pagers not too long ago (circa 2017, maybe?). We even discussed
similar possibilities on this paper[1] (sec 4.3) when mentioning git
commit signing of content displayed on collaborative coding platforms.

Overall there's a plethora of work around "punycode meets tool X" that
I'm surprised this is called novel.

Cheers!
-Santiago

[1] https://ssl.engineering.nyu.edu/papers/afzali_asiaccs_2018.pdf

Attachment: signature.asc
Description: