oss-sec mailing list archives
Re: Trojan Source Attacks
From: Stuart D Gathman <stuart () gathman org>
Date: Tue, 2 Nov 2021 16:52:33 -0400 (EDT)
On Mon, 1 Nov 2021, Nicholas Boucher wrote:
> The first and primary technique, which we dub the Trojan Source attack, uses Unicode Bidirectional (Bidi) control characters embedded in comments and string literals to produce visually deceptive source code files. This technique enables an adversary to encode constructs that visually appear to be comments or string literals but execute as code, or vice versa. Complete details, as well as recommended mitigations, can be found in the attachment 001 Trojan Source.pdf. This vulnerability is tracked under CVE-2021-42574.
Syntax coloring thus becomes a critical security tool. And bugs in syntax coloring for an editor/viewer should be considered security flaws and reported on oss-security.
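Added example, not part of the original message or of the Trojan Source paper: a Python scanner that finds the Bidi control characters described in the quoted advisory and flags lines where an embedding, override or isolate is still open at end of line. The sample input is constructed, and the balance tracking is a simplification of the Unicode Bidi rules chosen for this example.

```python
import unicodedata

# Bidi controls, written as escapes so this file contains none itself.
EMBEDS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                      # their terminators
BIDI_CONTROLS = EMBEDS | ISOLATES | {PDF, PDI}


def scan_bidi(text):
    """Return (line_no, [(column, char_name), ...], unterminated) per hit line.

    unterminated is True when an embedding, override or isolate opened on the
    line has not been closed by the end of that line.
    """
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        hits, stack = [], []
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            hits.append((col, unicodedata.name(ch)))
            if ch in EMBEDS or ch in ISOLATES:
                stack.append(ch)
            elif ch == PDI and any(c in ISOLATES for c in stack):
                # PDI closes the nearest isolate and everything opened inside it.
                while stack.pop() not in ISOLATES:
                    pass
            elif ch == PDF and stack and stack[-1] in EMBEDS:
                stack.pop()  # PDF closes only the innermost embedding/override
        if hits:
            findings.append((line_no, hits, bool(stack)))
    return findings


# Constructed sample input (not taken from the paper or the thread).
SAMPLE = (
    "int ok = 1; /* plain comment */\n"
    "/* note \u202e hidden */ return;\n"   # override never closed
    "s = \"a \u2067b\u2069 c\";\n"         # isolate opened and closed
)

if __name__ == "__main__":
    for line_no, hits, unterminated in scan_bidi(SAMPLE):
        status = "UNTERMINATED" if unterminated else "balanced"
        print(f"line {line_no}: {status}: {hits}")
```

Lines reported as unterminated are the ones to reject in review or CI; balanced hits may be legitimate right-to-left text but still merit a look.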