GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

Written by Michael Larabel in Linux Security on 1 November 2021 at 06:11 PM EDT. 4 Comments
LINUX SECURITY
Making rounds today are the "Trojan Source" attacks by which text displayed to the end-user/developer doesn't match what is actually being executed. The problem stems from Unicode standards and could lead to malicious code being inadvertently introduced into upstream code-bases that could be overlooked during code review processes, etc. GCC and LLVM/Clang are among the early compilers preparing defenses against Trojan Source style attacks.

This class of "invisible" vulnerabilities that could sneak into codebases through Unicode issues is explained in detail at trojansource.codes. Basically it stems from Unciode control characters being maliciously used to reorder tokens in source code at the encoding level that lead to differing behavior between what is displayed versus executed by the compiler or interpreters.

Trojan Source comes from research out of the University of Cambridge. Preventing such attacks requires updates to code compilers and interpreters against possibly misleading Unicode bidirectional characters. Red Hat's Marek Polacek today posted a preliminary patch for helping to fend off Trojan Source. With the -Wbidirectional= proposed switch, GCC could warn developers around possibly misleading Unicode bidirectional characters encountered by the pre-processor.

Similarly, LLVM patches for similar handling are also pending.
4 Comments
Related News
Linux Will Stop Randomizing Per-CPU Entry Area When KASLR Is Not Active
Linux Landing Change To Allow STIBP When Using Legacy IBRS
Linux Inadvertently Has Been Leaving IBRS-Mitigated Systems Without STIBP
Open Source Security Foundation's Criticality Score 2.0 Debuts To Rank Important OSS Projects
Microsoft Pluton TPM CRB Functionality Merged Into Linux 6.3
Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OBS Studio Lands AV1 & HEVC RTMP Streaming Support
Valve Officially Announces Counter-Strike 2
Raja Koduri Departing Intel To Start New Software Company
GNOME 44 Released With Many Desktop Enhancements
Linux 6.3-rc3 Released: It's "Fairly Big"
Framework Laptop Launches AMD Ryzen Upgradeable Laptop, Intel Raptor Lake Models Too
Mozilla Announces Mozilla.ai For "Trustworthy AI"
Proxmox VE 7.4 Released With Linux 5.15 LTS + Linux 6.2 Support, New Dark Theme