Trojan Source: Invisible Vulnerabilities

Add to your list(s) Download to your calendar using vCal

• Nicholas Boucher, University of Cambridge
• Tuesday 08 February 2022, 14:00-15:00
• Webinar & LT2, Computer Laboratory, William Gates Building..

If you have a question about this talk, please contact Kieron Ivy Turk.

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.

This talk is part of the Computer Laboratory Security Seminar series.

This talk is included in these lists:

• All Talks (aka the CURE list)
• Cambridge talks
• Computer Laboratory Security Seminar
• Department of Computer Science and Technology talks and seminars
• Interested Talks
• School of Technology
• Security-related talks
• Trust & Technology Initiative - interesting events
• Webinar & LT2, Computer Laboratory, William Gates Building.
• bld31

Note that ex-directory lists are not shown.