GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

Written by Michael Larabel in Linux Security on 1 November 2021 at 06:11 PM EDT. 4 Comments
LINUX SECURITY
Making rounds today are the "Trojan Source" attacks by which text displayed to the end-user/developer doesn't match what is actually being executed. The problem stems from Unicode standards and could lead to malicious code being inadvertently introduced into upstream code-bases that could be overlooked during code review processes, etc. GCC and LLVM/Clang are among the early compilers preparing defenses against Trojan Source style attacks.

This class of "invisible" vulnerabilities that could sneak into codebases through Unicode issues is explained in detail at trojansource.codes. Basically it stems from Unciode control characters being maliciously used to reorder tokens in source code at the encoding level that lead to differing behavior between what is displayed versus executed by the compiler or interpreters.

Trojan Source comes from research out of the University of Cambridge. Preventing such attacks requires updates to code compilers and interpreters against possibly misleading Unicode bidirectional characters. Red Hat's Marek Polacek today posted a preliminary patch for helping to fend off Trojan Source. With the -Wbidirectional= proposed switch, GCC could warn developers around possibly misleading Unicode bidirectional characters encountered by the pre-processor.

Similarly, LLVM patches for similar handling are also pending.
4 Comments
Related News
New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable
Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch
Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS
Landlock Sandboxing Now Supports More Controls Around Unix Sockets
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
KDE Starts December By Landing A Number Of New Features
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries