Researchers at the University of Cambridge recently published research on the “Trojan Source” vulnerability. Because it targets how source code is displayed rather than any single language, it has the potential to affect most compilers and many software development environments.
In previous years, similar tactics were observed when attackers used Unicode encoding tricks to make file names and file types look harmless, for example masquerading an executable as a PDF. The recent research takes the same idea into source code itself, deceiving human reviewers about what the compiler will actually parse.
This vulnerability leverages the Unicode Bidirectional (Bidi) algorithm, which is normally used to display left-to-right and right-to-left scripts together in the same document (e.g., Hebrew and English). Unicode provides control characters that override or isolate text direction, and compilers accept them inside comments and string literals. By placing them there, attackers can make the rendered order of words and characters differ from the logical order the compiler reads: the code looks harmless to a human reviewer but has different, and potentially malicious, behavior at runtime.
Cambridge researchers describe three techniques that leverage this vulnerability:
- Early Returns: a “return” statement that visually appears to sit inside a comment is in fact executed, so the function exits early and skips wanted functionality.
- Commenting-Out: achieves the same outcome as Early Returns, preventing code from executing, by placing code inside what is logically a comment; the snippet is ignored at runtime but looks like normal code to a human reviewer.
- Stretched Strings: alters string comparison operations by making portions of a string literal visually appear as code, so a comparison that looks correct to a reviewer actually operates on a different literal.
The authors also describe an adjacent technique, tracked as a separate vulnerability: homoglyph attacks. Here the attacker defines a function whose name contains characters from another script that look identical to the expected ones (for example, a Cyrillic letter in place of a Latin one). A reviewer believes the legitimate function is being called, while in fact a distinct, look-alike function with potentially malicious functionality is.
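As an added example (not code from the Checkmarx post or from the Cambridge paper), the Python script below constructs an early-return payload of the kind described above, a homoglyph payload, and the kind of check a dedicated SAST query performs: it reports every Bidi control character wherever it sits, and every identifier containing non-ASCII characters. The snippet text, function names and account balances are constructed for illustration. The rendered form of the isolated run (`return; '''`) follows from the Bidi algorithm's run reordering; confirm it in your own editor, since viewers differ in how faithfully they apply the algorithm.

```python
"""Constructed example: a Trojan Source early-return payload, a homoglyph
payload, and a scanner for the characters a dedicated SAST query looks for.
This is added illustration, not code from the Checkmarx post or the paper."""
import io
import tokenize
import unicodedata

# Unicode Bidi formatting characters that change display order but not the
# logical order a compiler parses. Any of them in source is worth flagging.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLI = "\u2067"  # RIGHT-TO-LEFT ISOLATE; left unterminated, it runs to end of line

# Early-return payload (constructed). Logical order, which Python executes:
# the docstring ends at the second ''' and ";return" is a real statement.
# Display order in a Bidi-aware editor: the isolated run "''' ;return" is
# reordered to "return; '''", so the reviewer sees one docstring ending in
# "then return; '''" followed by an intact-looking function body.
EARLY_RETURN_SRC = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    f"    ''' Subtract funds from bank account then {RLI}''' ;return\n"
    "    bank[account] -= amount\n"
    "    return\n"
    "subtract_funds('alice', 50)\n"
)

# What the reviewer believes they approved: the text as rendered above.
REVIEWER_VIEW_SRC = EARLY_RETURN_SRC.replace(
    f"then {RLI}''' ;return", "then return; '''"
)

# Homoglyph payload (constructed): the second function name uses CYRILLIC
# SMALL LETTER A (U+0430) instead of Latin "a". Python treats it as a distinct
# identifier, so the call resolves to the look-alike, not the real hash.
HOMOGLYPH_SRC = (
    "def hashPassword(p):\n"
    "    return 'hashed'\n"
    "def h\u0430shPassword(p):\n"
    "    return p  # returns the plaintext\n"
    "result = h\u0430shPassword('secret')\n"
)


def run(src, name):
    """Execute a snippet in a fresh namespace and return one of its globals."""
    ns = {}
    exec(compile(src, "<trojan-source-demo>", "exec"), ns)
    return ns[name]


def balance_after(src):
    """Alice's balance once the snippet has run."""
    return run(src, "bank")["alice"]


def scan_bidi(source):
    """Return (line, column, name) for every Bidi control in the text.
    Works on raw characters, so it catches controls hidden in comments and
    string literals, which is exactly where Trojan Source places them."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def scan_identifiers(source):
    """Return (line, identifier, [unicode names]) for identifiers containing
    non-ASCII characters. Mixed-script names are the raw material of
    homoglyph attacks; a reviewer cannot tell them apart visually."""
    flagged = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            names = [unicodedata.name(c, "?") for c in tok.string if not c.isascii()]
            flagged.append((tok.start[0], tok.string, names))
    return flagged


if __name__ == "__main__":
    print("balance, code as executed:", balance_after(EARLY_RETURN_SRC))   # 100
    print("balance, code as reviewed:", balance_after(REVIEWER_VIEW_SRC))  # 50
    print("bidi controls found:", scan_bidi(EARLY_RETURN_SRC))
    print("homoglyph call returned:", run(HOMOGLYPH_SRC, "result"))
    print("suspicious identifiers:", scan_identifiers(HOMOGLYPH_SRC))
```

Running the script shows the two faces of the same file: executed as written, the withdrawal never happens, while the text the reviewer sees would subtract 50. The scanner flags the single unterminated RLI on line 3; an unbalanced isolate is itself a strong signal, since legitimate bidirectional text closes what it opens. Compilers and editors have since added warnings for these characters, but a repository-wide character scan still catches them in comments, strings, and files that no compiler ever parses.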
Checkmarx SAST to the Rescue
As noted above, the underlying tactic has been around for years, but with the recent increase in attention we wanted to make sure our customers are covered. “If our customers are in need of an answer to the growing fear of the Trojan Source vulnerability, we can easily assist them,” says Ori Bendet, Head of Product Management at Checkmarx. “Using our easily extensible query language, CxQL, we added a set of dedicated queries to look for those specific characters in the application source code. It will be added to the relevant presets, and every customer can be sure that they are covered for any Trojan Source behavior in their application source code. It was really a no-brainer once we had several discussions around this matter with our customers. It also shows how robust and flexible our SAST solution is and how quickly we can add new scanning capabilities,” summarized Ori.
In addition to our SAST’s full coverage of this issue, Checkmarx supply chain dynamic protection can also detect malicious behavior hidden by these techniques in external open-source packages.
Our customers can be confident that they are covered for similar vulnerabilities like Trojan Source.
Make Sure You’re Updated
For organizations that already have Checkmarx SAST, ensure you are running version 9.2 or above to get the latest coverage for the Trojan Source vulnerability. You can learn more and download the latest version [here].
For organizations that are not customers yet but want to learn more about Checkmarx Application Security solutions, feel free to request a demo [here].