When developers build something like an application, they write it in what's called a high-level language, which includes languages like Python, Ruby, Java, and C++. However, computers cannot read these languages; instead, they read data as binary digits of machine language. For computers to read our code, a compiler is used to act as a translator from high-level code to machine code and vice versa.
However, it seems that these compilers are actually quite easy to hijack. In a new research paper, doctoral student Nicholas Boucher and Professor Ross Anderson of the University of Cambridge describe a new type of cybersecurity attack they have discovered. It turns out that most compilers contain a bug that any bad actor can exploit. These hackers can then replace the code entered in the compiler with their own, overwriting the original code.
Boucher and Anderson explain that it works by exploiting the intricacies of text encoding standards like Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed. They call this type of hacking the “Trojan Source” attack, and it currently poses a threat to proprietary software and the industry-wide supply chain.
Cambridge researchers offer some form of solution, however, with the simplest defense against Trojan Source being a ban on the use of text direction control characters in language specifications and in compilers implementing the language.
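One way to apply that ban in a code review or CI check is to scan source text for Unicode text direction control characters before it reaches the compiler. The following is an added example, not code from the research paper or from any compiler; the function names are hypothetical and the sample input is constructed.

```python
import unicodedata

# The nine Unicode bidirectional formatting characters: embeddings and
# overrides (closed by PDF) and isolates (closed by PDI).
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"
BIDI_CONTROLS = OPENERS | ISOLATES | {PDF, PDI}


def scan_source(text):
    """Return (line, column, "U+XXXX", name) for every bidi control, 1-indexed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return findings


def unterminated_lines(text):
    """Return line numbers that end with an embedding, override or isolate
    still open. This is a simplified per-line count, not the full Unicode
    bidirectional algorithm."""
    bad = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        embeds = isolates = 0
        for ch in line:
            if ch in OPENERS:
                embeds += 1
            elif ch in ISOLATES:
                isolates += 1
            elif ch == PDF:
                embeds = max(0, embeds - 1)
            elif ch == PDI:
                isolates = max(0, isolates - 1)
        if embeds or isolates:
            bad.append(line_no)
    return bad


# Constructed sample: escapes are used so this file itself stays free of controls.
SAMPLE = 'x = 1\nlabel = "a\u202eb"\nnote = "c\u2066d\u2069e"\n'

if __name__ == "__main__":
    for line_no, col, codepoint, name in scan_source(SAMPLE):
        print(f"line {line_no}, column {col}: {codepoint} {name}")
    print("unterminated on lines:", unterminated_lines(SAMPLE))
```

A strict policy rejects any file for which `scan_source` returns findings; projects that legitimately need right-to-left text in strings or comments can instead reject only the lines reported by `unterminated_lines`.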
So far, they have contacted a number of companies to share their findings and get them to fix the issues, but not all of them have fixed the flaw yet. They conclude by stating:
“… It is prudent to deploy other controls in the interim when it is quick and inexpensive, or relevant and necessary. We recommend that governments and businesses that rely on critical software identify the position of their suppliers, lobby them to implement adequate defenses and ensure that any gaps are covered by controls elsewhere in their tool chain.
The fact that the Trojan Source vulnerability affects nearly all computer languages makes it a rare opportunity for a system-wide and environmentally sound comparison of responses between platforms and between vendors.” – Nicholas Boucher and Ross Anderson
If you want to learn more about the Trojan Source exploit, perhaps to fix your own software or to look for ways to fix it, you can consult the Trojan Source website or read the full research paper.