Announcement

Collapse
No announcement yet.

GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

    Phoronix: GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

    Making rounds today are the "Trojan Source" attacks by which text displayed to the end-user/developer doesn't match what is actually being executed. The problem stems from Unicode standards and could lead to malicious code being inadvertently introduced into upstream code-bases that could be overlooked during code review processes, etc. GCC and LLVM/Clang are among the early compilers preparing defenses against Trojan Source style attacks...

    GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks - Phoronix
    https://www.phoronix.com/scan.php?page=news_item&px=GCC-LLVM-Trojan-Source
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    I would think compiler should warn BY DEFAULT that something's fishy, and just offer an opt-out switch.
    This affects source code only, not external data.
    As I understand it, no regular RTL strings in source should be affected, only BiDi marks, overrides, etc.
    • Likes 3

    Comment

    • #3
      On a side note, Rust already fixed this and published an update yesterday, the same day the CVE was published.

      Comment

      • #4
        this has been used at the solidity underhanded contest. Solidity is the programming language used to make "smart contracts" in ethereum.
        The goal of the contest is to submit code that looks innocent and could pass a code review but contains malicious code.
        Here is the repository:
        https://github.com/ethereum/solidity...obertMCForster
        and here is the malicious line of code:
        https://github.com/ethereum/solidity...pgrade.sol#L65

        Comment

        • #5
          Originally posted by Lianna View Post
          I would think compiler should warn BY DEFAULT that something's fishy, and just offer an opt-out switch.
          This affects source code only, not external data.
          As I understand it, no regular RTL strings in source should be affected, only BiDi marks, overrides, etc.
          I would suggest something even stronger - default to compilation error when seeing unescaped bidi override characters in source code. Reduce it to warning after opt-out switch.

          Comment

          Previous template Next
          Working...
          X