[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Trojan Source Attacks
From:       Santiago Torres <torresariass () gmail ! com>
Date:       2021-11-01 21:51:08
Message-ID: YYBhTMCXrf9TPicd () LykOS ! localdomain
[Download RAW message or body]


On Mon, Nov 01, 2021 at 09:51:38PM +0100, Jan Engelhardt wrote:
> 
> On Monday 2021-11-01 18:27, Nicholas Boucher wrote:
> > 
> > We have identified an issue affecting all compilers and interpreters that support \
> > Unicode. [...]
> > The attached paper describes an attack paradigm -- which we believe to be novel \
> > -- discovered by security researchers at the University of Cambridge.
> 
> Not so novel. At one time, this picture made the rounds
> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
> older than this 2018 tweet), and anyone who knew that Unicode had zero-width
> characters already made the connection.

Along the same lines, there were a myriad of attacks using bash-style
sequences to obscure parts of patches inside of git show/git log/less/
other pagers not too long ago (circa 2017, maybe?). We even discussed
similar possibilities on this paper[1] (sec 4.3) when mentioning git
commit signing of content displayed on collaborative coding platforms.

Overall there's a plethora of work around "punycode meets tool X" that
I'm surprised this is called novel.

Cheers!
-Santiago

[1] https://ssl.engineering.nyu.edu/papers/afzali_asiaccs_2018.pdf


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]