Trojan horse called Trojan Source: undetectable malicious code could target supply chains
Posted by: GuidePoint Security
Published 11/10/21, 9:00am
The significant dangers associated with hidden code became dramatically apparent this week with the announcement by academic researchers from the University of Cambridge in the United Kingdom that a new attack method—which they dubbed Trojan Source—could result in undetectable threats and attacks. In the paper published by the researchers, they point out that the Trojan Source attack method could introduce powerful vulnerabilities into the open-source software supply chain which could persist in the affected ecosystem.
According to the researchers, the Trojan Source method defines a new class of vulnerabilities that uses “maliciously encoded but semantically permissible source code modifications to introduce invisible software vulnerabilities.” They explain that the attack method “… exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.” The technique has been demonstrated to work with numerous code types—the examples provided by the researchers included sample code written in C, C++, C#, JavaScript, Java, Rust, Go, and Python.
In one example—known as the Bidi attack (tracked as CVE-2021-42574 and CVSS rated as critical at 9.8)—threat actors use Bidirectional (Bidi) Override control characters to visually reorder source code so that the logic a reader sees differs from the logical order of tokens examined by compilers and interpreters. Against compilers that accept Unicode, this technique could introduce malicious code and vulnerabilities that are invisible to human reviewers.
In another Trojan Source attack type—known as a homoglyph attack (tracked as CVE-2021-42694 and also rated at 9.8 or ‘critical’), attackers use ‘homoglyphs’ (characters that resemble each other, such as the letter O and zero ‘0’) to obfuscate code to the human eye. Researchers used the Latin letter “H” and the Cyrillic letter “H” in their demonstration and advised that they were able to successfully implement homoglyph attacks in every coding language they researched.
Researchers withheld the disclosure of this new attack class for 99 days in order to alert multiple impacted software product sources of the issue. Despite the researchers reaching out and informing nineteen impacted suppliers, only nine committed to releasing a patch. Sadly, the researchers who announced these significant vulnerabilities said they were met with “quick dismissals and references to legal policies” by a number of the impacted software suppliers.
Next Steps
According to the researchers, it is possible to defend against Trojan Source by banning the use of “text directionality control characters both in language specifications and in compilers implementing these languages.” They add that the additional banning of “unterminated Bidi override characters within string literals and comments” can improve defenses.
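The two defenses quoted above are straightforward to automate in a pre-commit hook or CI linter. The following scanner is an added example written for this post; it is not code from the Cambridge researchers or from GuidePoint. It reports every Unicode Bidi control character in a file (the first recommendation) and separately flags any embedding, override or isolate character that is not closed by its matching PDF/PDI on the same line (the second recommendation). As a simplifying assumption it applies the unterminated-override check to every line rather than only inside string literals and comments; that is a conservative superset, since a raw Bidi character outside a literal or comment is already invalid in most languages. The sample source text at the bottom is constructed for the demonstration.

```python
"""Detect Unicode bidirectional (Bidi) control characters in source text.

Added example; not code from the Trojan Source paper or GuidePoint.
Implements the two checks recommended by the researchers: report Bidi
control characters outright, and flag override/isolate characters that are
not terminated on the same line (a Trojan Source Bidi attack leaves an
override running to the end of a comment or string literal so the rest of
the line renders in a different order from how the compiler reads it).
"""
import sys

# Explicit directional formatting characters from the Unicode Bidirectional Algorithm.
BIDI_OPENERS = {
    "\u202A": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202B": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202D": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202E": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
}
BIDI_CLOSERS = {
    "\u202C": "PDF",  # POP DIRECTIONAL FORMATTING (closes LRE/RLE/LRO/RLO)
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE (closes LRI/RLI/FSI)
}
BIDI_MARKS = {
    "\u200E": "LRM",  # LEFT-TO-RIGHT MARK
    "\u200F": "RLM",  # RIGHT-TO-LEFT MARK
    "\u061C": "ALM",  # ARABIC LETTER MARK
}
ALL_BIDI = {**BIDI_OPENERS, **BIDI_CLOSERS, **BIDI_MARKS}

EMBEDDINGS = set("\u202A\u202B\u202D\u202E")  # closed by PDF
ISOLATES = set("\u2066\u2067\u2068")          # closed by PDI


def find_bidi_controls(source: str):
    """Return (line_no, col, name) for every Bidi control character in source.

    A compiler or linter following the researchers' first recommendation
    would reject the file whenever this list is non-empty.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALL_BIDI:
                hits.append((line_no, col, ALL_BIDI[ch]))
    return hits


def find_unterminated_overrides(source: str):
    """Return (line_no, name) for each opener with no matching closer on its line.

    Embeddings/overrides (closed by PDF) and isolates (closed by PDI) are
    tracked on separate stacks, as the Bidi algorithm treats them separately.
    The check is per line for the whole file (an assumption of this example),
    not restricted to string literals and comments.
    """
    unterminated = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        embed_stack, isolate_stack = [], []
        for ch in line:
            if ch in EMBEDDINGS:
                embed_stack.append(BIDI_OPENERS[ch])
            elif ch in ISOLATES:
                isolate_stack.append(BIDI_OPENERS[ch])
            elif ch == "\u202C" and embed_stack:
                embed_stack.pop()
            elif ch == "\u2069" and isolate_stack:
                isolate_stack.pop()
        for name in embed_stack + isolate_stack:
            unterminated.append((line_no, name))
    return unterminated


# Constructed sample for this example (not a real project's code): line 2
# carries a properly closed RLI/PDI pair, line 4 leaves an RLO running to the
# end of the comment, which is the pattern the second check is meant to catch.
SAMPLE = (
    "def check(user):\n"
    "    if user.is_admin():  # \u2067 fail-safe \u2069\n"
    "        return True\n"
    "    # \u202E reviewers see this reversed\n"
    "    return False\n"
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the built-in sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, col, name in find_bidi_controls(text):
        print(f"line {line_no} col {col}: Bidi control character {name}")
    for line_no, name in find_unterminated_overrides(text):
        print(f"line {line_no}: unterminated {name}")
```

Run against the built-in sample, the first check reports all three control characters (RLI and PDI on line 2, RLO on line 4) and the second reports only the unterminated RLO on line 4. In a repository policy the first check alone is the simplest rule to enforce, since legitimate source code very rarely needs raw Bidi control characters; the second is useful where a codebase must tolerate them in localized string literals.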