We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. 'Trojan Source' attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, Python, SQL, Bash, Assembly, and Solidity. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack. We document an industry-wide coordinated disclosure for these vulnerabilities; as they affect most compilers, editors, and repositories, the exercise teaches how different firms, open-source communities, and other stakeholders respond to vulnerability disclosure.
翻译:我们提出了一种新型攻击方式,其中源代码被恶意编码,使其在编译器和人类眼中呈现不同形态。该攻击利用Unicode等文本编码标准中的细微特性,使源代码的词元在逻辑上的编码顺序与其显示顺序不同,从而产生人类代码审查者无法直接感知的漏洞。我们将其称为"特洛伊之源"攻击,这对第一方软件及整个行业供应链安全构成直接威胁。我们展示了C、C++、C#、JavaScript、Java、Rust、Go、Python、SQL、Bash、Assembly和Solidity语言中特洛伊之源攻击的工作示例。我们提出了决定性的编译器层级防御方案,并描述了在编译器升级阻断此类攻击期间,可在编辑器、代码仓库和构建流水线中部署的其他缓解控制措施。我们记录了针对这些漏洞的全行业协调披露机制——由于它们影响大多数编译器、编辑器和代码仓库,此次实践揭示了不同企业、开源社区及其他利益相关方如何响应漏洞披露。