Trojan Source: Invisible Vulnerabilities

Jim Cheetham jim at gonzul.net
Mon Nov 8 19:26:32 GMT 2021


Yeah, an interesting attack

TL;DR it describes how Unicode code points can be abused to visually move
some characters around so the human and the computer end up thinking the
code says different things, e.g.
Human sees :- /* disabled: dangerous_function() */
Compiler sees :- /* disabled: */ dangerous_function()

So if you're reviewing code with an "unsafe" viewer you might have
difficulty - although arguably the unsafe viewer is simply one that's
obeying the rules of Unicode.

Some compilers are addressing this by rejecting the Unicode code sequences
that produce this effect. This probably needs to be addressed in the
parsers for most languages.

Another approach, for code that's specifically intended to be reviewed like
ours, would be to make a commitment to avoiding Unicode.

-jim
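
Added example, not part of the original message: a small pre-review check that follows the two mitigations mentioned above, reporting the Unicode bidirectional control characters and, in a strict mode, any non-ASCII character at all. The names `scan`, `BIDI_CONTROLS`, `SAMPLE` and the `--ascii` switch are assumptions made for this sketch, and the sample text is constructed.

```python
import sys
import unicodedata
from pathlib import Path

# Bidirectional formatting characters: embeddings, overrides, isolates and
# their terminators (U+202A..U+202E and U+2066..U+2069).
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}


def scan(text, ascii_only=False):
    """Return (line, column, code point, name, kind) per offending character.

    kind is "bidi" for a bidirectional control, or "non-ascii" for any other
    character above U+007F (reported only when ascii_only is true).
    """
    findings = []
    # Split on "\n" only; str.splitlines() would also break on U+2028/U+2029.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                kind = "bidi"
            elif ascii_only and ord(ch) > 0x7F:
                kind = "non-ascii"
            else:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((lineno, col, f"U+{ord(ch):04X}", name, kind))
    return findings


# Constructed sample input (not from the post). Escapes keep this file ASCII.
SAMPLE = (
    "int ok = 1;\n"
    "/* disabled: \u202e dangerous_function() */\n"
    'char *s = "caf\u00e9";\n'
)

if __name__ == "__main__":
    # Usage: scan.py [--ascii] FILE...   (no FILE: scan the constructed sample)
    strict = "--ascii" in sys.argv[1:]
    paths = [a for a in sys.argv[1:] if a != "--ascii"]
    sources = {"<sample>": SAMPLE}
    if paths:
        sources = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in paths}
    hits = 0
    for label, text in sources.items():
        for lineno, col, cp, name, kind in scan(text, strict):
            print(f"{label}:{lineno}:{col}: {kind} {cp} {name}")
            hits += 1
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the script gate a commit hook or CI job, so flagged files are caught before a human reviews them in a viewer that renders the controls.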