Most programming languages vulnerable to Trojan Source attack

Researchers have discovered an oblique way to maliciously modify source code to create exploits, without raising code reviewers' suspicion.

Named Trojan Source [pdf] by University of Cambridge researcher Nicholas Boucher and well-known infosec luminary Ross Anderson, the vulnerability allows attackers to maliciously  encode source code so that it compiles differently to how it appears to the human eye.

This, the researchers said, leads to vulnerabilities that can't be perceived by human code reviewers.

By using the control characters for the Unicode formatting Bidirectional Algorithm, or Bidi, which is used to support both left-to-right and right-to-left languages, attackers can overide text ordering in source code to produce malicious outcomes that aren't immediately visible to developers.

Trojan Source could be used to attack first-party software as well as in supply attacks, Boucher and Anderson said.

The researchers were able to demonstrate Bidi vulnerabilities in several popular programming languages, include C, C++, Javascript, Java, Rust, Go, Python and C#.

Boucher and Anderson contacted compiler vendors with vulnerability reports, but the response has so far been patchy.

"About half of the compiler maintainers we contacted during the disclosure period are working on patches or have committed to do so," the researchers said.

"As the others are dragging their feet, it is prudent to deploy other controls in the meantime where this is quick and cheap, or relevant and useful."

To mitigate against Trojan Source, Boucher and Anderson said the simplest way is to ban the use of text directionality control characters both in language specifications and in compilers implementing them.