GCC 12 Ready To Help Fend Off Trojan Source Attacks
A few months back, "Trojan Source" attacks against compilers were disclosed, in which specially crafted code can be rogue without appearing so by exploiting Unicode issues. Unicode control characters can be used to reorder tokens in source code in a way that alters the behavior when compiled. The upcoming GCC 12 compiler release adds a new warning to help point out possible Trojan Source attacks.
GCC 12 is adding the -Wbidi-chars warning flag for detecting Trojan Source attacks involving Unicode control characters. There is also a new on-by-default flag for GCC diagnostics that escapes non-ASCII characters, which helps make control character issues visible.
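As an added illustration (not GCC's implementation and not code from the article), the C program below scans UTF-8 source text for the Unicode bidirectional control characters and counts lines on which a bidi context is still open at the end of the line. The function names, the report struct and the sample text are assumptions made for this example, and the pairing rule is deliberately simplified.

```c
#include <stddef.h>
#include <stdio.h>
/* UTF-8 byte sequences, used only to build the constructed sample. */
#define RLO "\xE2\x80\xAE" /* U+202E right-to-left override */
#define RLI "\xE2\x81\xA7" /* U+2067 right-to-left isolate */
#define PDI "\xE2\x81\xA9" /* U+2069 pop directional isolate */
static const char SAMPLE[] = /* line 2 is paired, line 3 is not */
    "int ok = 1;\n"
    "const char *s = \"" RLI "abc" PDI "\";\n"
    "/* note " RLO "text */\n";
/* first_line is the number of the first line left unpaired (0 if none). */
struct bidi_report { int controls, unpaired, first_line; };

/* +1 opens a bidi context (U+202A, 202B, 202D, 202E, 2066..2068),
   -1 closes one (U+202C PDF, U+2069 PDI), 0 is any other byte sequence. */
static int bidi_class(const unsigned char *p, size_t left)
{
    if (left < 3 || p[0] != 0xE2) return 0;
    if (p[1] == 0x80 && p[2] >= 0xAA && p[2] <= 0xAE) return p[2] == 0xAC ? -1 : 1;
    if (p[1] == 0x81 && p[2] >= 0xA6 && p[2] <= 0xA9) return p[2] == 0xA9 ? -1 : 1;
    return 0;
}

/* Simplified pairing: a closer ends the latest opener; a newline ends all. */
struct bidi_report scan_bidi(const char *src, size_t len)
{
    struct bidi_report r = {0, 0, 0};
    const unsigned char *p = (const unsigned char *)src;
    int depth = 0, line = 1;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || p[i] == '\n') {
            if (depth > 0 && r.unpaired++ == 0) r.first_line = line;
            depth = 0;
            line++;
            continue;
        }
        int c = bidi_class(p + i, len - i);
        if (c == 0) continue;
        r.controls++;
        depth = depth + c < 0 ? 0 : depth + c; /* ignore a stray closer */
        i += 2; /* skip the two continuation bytes */
    }
    return r;
}

int main(void)
{
    struct bidi_report r = scan_bidi(SAMPLE, sizeof SAMPLE - 1);
    printf("controls=%d unpaired=%d first_line=%d\n", r.controls, r.unpaired, r.first_line);
}
```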
The new -Wbidi-chars option is ready to go for the GCC 12 release, which should debut as stable in the form of GCC 12.1 around April. Red Hat's David Malcolm, who has been involved in how compilers handle Trojan Source attacks, wrote a Red Hat developer blog post this past week outlining the new warning.
More details on this new class of vulnerabilities, disclosed last year, are available via TrojanSource.codes.