[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Trojan Source Attacks
From: Santiago Torres <torresariass () gmail ! com>
Date: 2021-11-01 21:51:08
Message-ID: YYBhTMCXrf9TPicd () LykOS ! localdomain
[Download RAW message or body]
On Mon, Nov 01, 2021 at 09:51:38PM +0100, Jan Engelhardt wrote:
>
> On Monday 2021-11-01 18:27, Nicholas Boucher wrote:
> >
> > We have identified an issue affecting all compilers and interpreters that support \
> > Unicode. [...]
> > The attached paper describes an attack paradigm -- which we believe to be novel \
> > -- discovered by security researchers at the University of Cambridge.
>
> Not so novel. At one time, this picture made the rounds
> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
> older than this 2018 tweet), and anyone who knew that Unicode had zero-width
> characters already made the connection.
Along the same lines, there were a myriad of attacks using bash-style
sequences to obscure parts of patches inside of git show/git log/less/
other pagers not too long ago (circa 2017, maybe?). We even discussed
similar possibilities on this paper[1] (sec 4.3) when mentioning git
commit signing of content displayed on collaborative coding platforms.
Overall there's a plethora of work around "punycode meets tool X" that
I'm surprised this is called novel.
Cheers!
-Santiago
[1] https://ssl.engineering.nyu.edu/papers/afzali_asiaccs_2018.pdf
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic