GCC & LLVM Patches Pending To Fend Off Trojan Source Attacks

Written by Michael Larabel in Linux Security on 1 November 2021 at 06:11 PM EDT. 4 Comments
LINUX SECURITY
Making rounds today are the "Trojan Source" attacks by which text displayed to the end-user/developer doesn't match what is actually being executed. The problem stems from Unicode standards and could lead to malicious code being inadvertently introduced into upstream code-bases that could be overlooked during code review processes, etc. GCC and LLVM/Clang are among the early compilers preparing defenses against Trojan Source style attacks.

This class of "invisible" vulnerabilities that could sneak into codebases through Unicode issues is explained in detail at trojansource.codes. Basically it stems from Unciode control characters being maliciously used to reorder tokens in source code at the encoding level that lead to differing behavior between what is displayed versus executed by the compiler or interpreters.

Trojan Source comes from research out of the University of Cambridge. Preventing such attacks requires updates to code compilers and interpreters against possibly misleading Unicode bidirectional characters. Red Hat's Marek Polacek today posted a preliminary patch for helping to fend off Trojan Source. With the -Wbidirectional= proposed switch, GCC could warn developers around possibly misleading Unicode bidirectional characters encountered by the pre-processor.

Similarly, LLVM patches for similar handling are also pending.
4 Comments
Related News
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
GhostRace Detailed - Speculative Race Conditions Affecting All Major CPUs / ISAs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.10 To Merge NTSYNC Driver For Emulating Windows NT Synchronization Primitives
Ubuntu Maker Canonical Announces New Collaboration With Qualcomm
Fedora 41 Looks To "-O3" Optimizations For Its Python Build
APT 2.9 Released: Debian's APT 3.0 To Have A New UI With Colors, Columnar Display & More
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
KDE's KWin Merges Wayland Explicit Sync Support
Gentoo Linux Now An SPI Project