oss-sec mailing list archives
Re: Trojan Source Attacks
From: Santiago Torres <torresariass () gmail com>
Date: Mon, 1 Nov 2021 17:51:08 -0400
On Mon, Nov 01, 2021 at 09:51:38PM +0100, Jan Engelhardt wrote:
On Monday 2021-11-01 18:27, Nicholas Boucher wrote:We have identified an issue affecting all compilers and interpreters that support Unicode. [...] The attached paper describes an attack paradigm -- which we believe to be novel -- discovered by security researchers at the University of Cambridge.Not so novel. At one time, this picture made the rounds (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely older than this 2018 tweet), and anyone who knew that Unicode had zero-width characters already made the connection.
Along the same lines, there were a myriad of attacks using bash-style sequences to obscure parts of patches inside of git show/git log/less/ other pagers not too long ago (circa 2017, maybe?). We even discussed similar possibilities on this paper[1] (sec 4.3) when mentioning git commit signing of content displayed on collaborative coding platforms. Overall there's a plethora of work around "punycode meets tool X" that I'm surprised this is called novel. Cheers! -Santiago [1] https://ssl.engineering.nyu.edu/papers/afzali_asiaccs_2018.pdf
Attachment:
signature.asc
Description:
Current thread:
- Trojan Source Attacks Nicholas Boucher (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- Re: Trojan Source Attacks Perry E. Metzger (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- Re: Trojan Source Attacks Siddhesh Poyarekar (Nov 01)
- Re: Trojan Source Attacks Stuart D Gathman (Nov 02)
- Re: Trojan Source Attacks Seth Arnold (Nov 02)
- Re: Trojan Source Attacks Perry E. Metzger (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- Re: Trojan Source Attacks Santiago Torres (Nov 01)
- Re: Trojan Source Attacks Josh Bressers (Nov 02)
- Re: Trojan Source Attacks David A. Wheeler (Nov 02)
- Re: Trojan Source Attacks Michael Orlitzky (Nov 02)
- Re: Trojan Source Attacks Leonid Isaev (ifax) (Nov 04)