GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

Written by Michael Larabel in Linux Security on 1 November 2021 at 06:11 PM EDT. 4 Comments
Making rounds today are the "Trojan Source" attacks by which text displayed to the end-user/developer doesn't match what is actually being executed. The problem stems from Unicode standards and could lead to malicious code being inadvertently introduced into upstream code-bases that could be overlooked during code review processes, etc. GCC and LLVM/Clang are among the early compilers preparing defenses against Trojan Source style attacks.

This class of "invisible" vulnerabilities that could sneak into codebases through Unicode issues is explained in detail at trojansource.codes. Basically it stems from Unciode control characters being maliciously used to reorder tokens in source code at the encoding level that lead to differing behavior between what is displayed versus executed by the compiler or interpreters.

Trojan Source comes from research out of the University of Cambridge. Preventing such attacks requires updates to code compilers and interpreters against possibly misleading Unicode bidirectional characters. Red Hat's Marek Polacek today posted a preliminary patch for helping to fend off Trojan Source. With the -Wbidirectional= proposed switch, GCC could warn developers around possibly misleading Unicode bidirectional characters encountered by the pre-processor.

Similarly, LLVM patches for similar handling are also pending.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week