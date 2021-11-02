Researchers at the University of Cambridge have disclosed a vulnerability that affects many modern code compilers. The work, titled Trojan Source, describes an insidious attack in which attackers can hide targeted malicious code in software sources.

The attack relies on how compilers handle Unicode identifiers used to determine the orientation of text (left to right or vice versa). The weak point is the Unicode Bidi algorithm, which allows you to combine words written from right to left and left to right. For example, thanks to this algorithm, you can combine words in Arabic and English. It also allows right-to-left text to be read from left to right and vice versa.

In some cases, the ordering set by the Bidi algorithm is not sufficient to switch the display order of groups of characters, and in such cases special control characters are used. Overriding Bidi makes it possible to display even individual characters in an order different from their logical encoding.

The exploitation of the vulnerability could allow the addition of commands that will be displayed as part of a comment or line when a programmer checks the code. The source notes that earlier attacks of this type were used to mask the file extensions of malware distributed by email during phishing campaigns. This approach allows you to embed vulnerabilities into the source code, and if they do not make significant changes to the logic, then it will not be easy to detect them when checking the code.

The researchers released data on their work to the public a few months after its completion. During this time, several patches were prepared to fix the problem for developers using the Rust language. Additional recommendations for solving this problem for other programming languages ​​will be published at a later date.