When you’re programming something like an app, developers write it in something called high-level language, which includes languages like Python, Ruby, Java and C++. Computers though can’t read these languages; instead, they often read data via the binary digits in machine language. In order for computers to read our codes then, a compiler is used to act as a translator from high-level code to machine code and vice versa,
However, it appears as though these compilers are actually pretty easy to hijack. According to a new research paper by PhD student Nicholas Boucher and Professor Ross Anderson of the University of Cambridge, they have found a new type of cybersecurity attack. As it turns out, most compilers out there have a bug in it that, once exploited can be taken over by any bad actors. These hackers can then replace the code being fed into the compiler with their own, overriding the original code.
Boucher and Anderson explain that it works by exploiting the subtleties in the text-encoding standards like Unicode, and produce source code with tokens logically encoded in a different order in which they were presented. They call this type of hack the ‘Trojan Source’ attack, and it currently poses a threat to both first party software and supply-chain compromise throughout the industry.
The Cambridge researchers do provide some form of solution though, with the simplest defense against Trojan Source being the banning of the use of text directionality control characters in the language specifications and in the compilers implementing the language.
So far, they’ve contacted a number of companies to share their findings and get them to patch the issues, but not all have carried out patched out the loop hole just yet. They conclude by stating:
“…It is prudent to deploy other controls in the meantime where this is quick and cheap, or relevant and needful. We recommend that governments and firms that rely on critical software should identify their their suppliers’ posture, exert pressure on them to implement adequate defences, and ensure that any gaps are covered by controls elsewhere in their toolchain.
The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and crossvendor comparison of responses.” – Nicholas Boucher and Ross Anderson
If, and only if, you’re interested in learning more about the Trojan Source exploit to perhaps patch your own software or maybe look at ways of solving it, you can check out the Trojan Source website or click here for the complete research paper.
[ SOURCE ]
