Trojan Source flaw allows hackers to embed malware directly into source code

In brief: Malicious actors usually have to exploit bugs in an application or operating system, but security researchers have found a flaw that allows them to embed malware right into the source code, which allows for devastating supply chain attacks.

Cambridge University researchers Nicholas Boucher and Ross Anderson have discovered a new class of vulnerabilities that can be used by malicious actors to integrate visually deceptive malware directly into the source code of applications.

The new technique, dubbed "Trojan Source," is an effective way to inject malware that is virtually invisible to human reviewers. To achieve this, a hacker would need to exploit certain subtleties in text encoding standards like Unicode, which is a relatively easy thing to do when compared to using chains of zero-day vulnerabilities to exploit target systems.

Since we're talking about Unicode, this flaw affects pretty much all modern programming languages such as Rust, Java, Python, Go, C, C++, C#, and JavaScript. An attacker can apply something called a "bidirectional override" to embed left-to-right words inside a right-to-left sentence and vice versa, and this technique can be used to reorder tokens in source code at the encoding level to essentially fool the compiler or interpreter into seeing a different logic than a human reviewer would see in that source code.

The researchers warn that this opens the door to tampering with open-source code that's in use at various organizations around the world. They note "this attack is particularly powerful within the context of software supply chains. If an adversary successfully commits targeted vulnerabilities into open-source code by deceiving human reviewers, downstream software will likely inherit the vulnerability."

To put it differently, the attack works by anagramming a program into another program, which tricks the compiler/interpreter into processing the code that doesn't appear to be code to a human reviewer. If an attacker can successfully embed malicious code in widely-used dependencies and libraries, the power of the attack is exponentially multiplied. The researchers also point out that compilers and interpreters are vulnerable to another technique known as a homoglyph attack where hackers can replace Latin letters with lookalike characters from other Unicode alphabets.

The Rust Security Response working group is urging developers to upgrade to Rust version 1.56.1, which introduces two ways to detect and reject code that contains malicious codepoints. For an in-depth read into Trojan Source, check out the Cambridge researchers' report. Proof-of-concept code is also available on GitHub.