The Trojan Source flaw allows hackers to embed malware directly into source code.

In short: Attackers usually have to exploit bugs in an application or operating system, but security researchers have discovered a flaw that lets them embed malware directly into source code, enabling destructive attacks on the supply chain.

Cambridge University researchers Nicholas Boucher and Ross Anderson have discovered a new class of vulnerabilities that attackers can use to insert visually deceptive malware directly into application source code.

The new technique, dubbed Trojan Source, is an effective way to inject malware that is virtually invisible to observers. To achieve this, a hacker needs to exploit certain subtleties in text encoding standards such as Unicode, which is relatively easy to do compared to using zero-day vulnerabilities in target systems.

Since we are talking about Unicode, this flaw affects almost all modern programming languages, such as Rust, Java, Python, Go, C, C++, C# and JavaScript. An attacker can use so-called "bidirectional override" characters to embed left-to-right words in a right-to-left sentence and vice versa. This technique can be used to reorder tokens in the source code at the encoding level in order to trick the compiler or interpreter into seeing logic different from what a human reviewer would see in the source code.

The researchers warn that this opens the door to the hacking of open source projects that are used in various organizations around the world. They note that "this attack is particularly effective in the context of software supply chains. If an attacker successfully injects targeted vulnerabilities into open source by tricking reviewers, subsequent software is likely to inherit the vulnerability."

In other words, the attack works by anagramming one program into another, which tricks the compiler or interpreter into processing code that does not match what a human reviewer sees. If an attacker can successfully inject malicious code into widely used dependencies and libraries, the power of the attack will increase exponentially. The researchers also note that compilers and interpreters are vulnerable to another method, known as a homoglyph attack, where hackers replace Latin letters with similar-looking characters from other Unicode alphabets.
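A reviewer-side check for the two techniques described above, bidirectional control characters and mixed-script (homoglyph) identifiers, as an added example that is not code from the researchers or the Rust project. The function names, the script heuristic (first word of the Unicode character name) and the sample text are assumptions constructed for illustration.

```python
import re
import unicodedata

# Unicode bidirectional formatting characters: embeddings, overrides,
# isolates and their terminators. Written as escapes so this file stays clean.
BIDI = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
        "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
        "\u202c": "PDF", "\u2069": "PDI"}
WORD = re.compile(r"[^\W\d]\w*")  # identifier-like tokens, Unicode-aware


def script_of(ch):
    """Approximate a letter's script by the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scan(source):
    """Return sorted (line, column, kind, detail) findings for one source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # 1. Any bidi control character is reported with its position.
        for col, ch in enumerate(line, 1):
            if ch in BIDI:
                findings.append((lineno, col, "bidi-control",
                                 f"U+{ord(ch):04X} {BIDI[ch]}"))
        # 2. Tokens that mix Latin letters with letters of another script.
        for m in WORD.finditer(line):
            scripts = {script_of(c) for c in m.group() if c.isalpha()}
            if "LATIN" in scripts and len(scripts) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script",
                                 f"{m.group()!a} mixes {sorted(scripts)}"))
    return sorted(findings)


# Constructed sample: line 2 uses Cyrillic U+0430 in place of Latin "a",
# line 3 carries an RLO/PDF pair inside a string literal.
SAMPLE = (
    "total = 1\n"
    "tot\u0430l = 2\n"
    "label = 'a\u202eb\u202c'\n"
)

if __name__ == "__main__":
    for lineno, col, kind, detail in scan(SAMPLE):
        print(f"line {lineno}, col {col}: {kind}: {detail}")
```

Words written entirely in one non-Latin script, such as a comment in Russian, are not flagged; only tokens that mix Latin with another script are, and the name-based script lookup is a heuristic rather than a full Unicode script property.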

The Rust Security Response Working Group encourages developers to upgrade to Rust version 1.56.1, which introduces two ways to detect and reject code containing malicious codepoints. For a more detailed overview of Trojan Source, see the Cambridge researchers' report. The proof-of-concept code is also available on GitHub.
