#Hex fiend security risk code#
In effect, we anagram program A into program B.”Īnderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. “Bringing all this together, we arrive at a novel supply-chain attack on source code. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”
“Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. The research paper, which dubbed the vulnerability “ Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. This vulnerability is, as far as I know, the first one to affect almost everything.”
#Hex fiend security risk manual#
“That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. “So you can use them in source code that appears innocuous to a human reviewer can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters. This is bad because most programming languages allow comments within which all text - including control characters - is ignored by compilers and interpreters. Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings.
As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.
“For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”īidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. “In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa. Specifically, the weakness involves Unicode’s bi-directional or “ Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic - which is read right to left - and English (left to right).īut computer systems need to have a deterministic way of resolving conflicting directionality in text. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis). At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used.
#Hex fiend security risk software#
Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness. Virtually all compilers - programs that transform human-readable source code into computer-executable machine code - are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns.