Updated Monday 29th November, 2021
Suppose that you are a spy, tasked with embedding a malicious backdoor into enemy source code. After being hired onto the team, you find that every line of code is subject to manual code reviews. One of the best ways to hide a Trojan is in plain sight: directly in the source code that’s being reviewed.
One of my favorite types of attacks is the homoglyph attack.[2] A malicious function can be buried deep in the code under a name that looks identical to the name of a benign function. Consider the homoglyphs used in Boucher and Anderson’s example in Figure 1.[1] By using a Cyrillic Н and hiding the malicious sayНello() deep in the code, the developers could be tricked into thinking that a different function is being called.
But my favorite type of injection uses bidirectional (BIDI) Unicode control characters. These characters make the order in which the code is displayed differ from the order in which the compiler evaluates it. Consider the function in Figure 2. While a function call or a return value may appear to be commented out in a web browser or a development IDE, it is actually part of the code, a sneaky way to inject logic that looks commented out to a reviewer.
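As an added example (not code from the original article or from Boucher and Anderson’s paper), the following Python script implements the two checks a review pipeline would want against the attacks described above: it flags Unicode bidirectional control characters anywhere in a source file, and it flags identifiers that mix scripts or that collapse onto the same name once a small lookalike table is applied. The sample source text and the lookalike table are constructed for this example; a real scanner would use the full Unicode confusables data rather than the hand-picked subset here.

```python
import re
import unicodedata

# The Unicode bidirectional control characters that Trojan Source relies on.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Hand-picked subset of Cyrillic letters that look like Latin ones (constructed
# for this example; the real Unicode confusables table is far larger).
LOOKALIKES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}

# Identifier: a letter or underscore followed by word characters (Unicode-aware).
IDENT_RE = re.compile(r"[^\W\d]\w*")

# Constructed sample: a benign sayHello, a lookalike sayНello (Cyrillic Н),
# and a comment carrying a RIGHT-TO-LEFT OVERRIDE character.
SAMPLE = (
    "def sayHello():\n"
    "    return 'hello'\n"
    "\n"
    "def say\u041dello():\n"
    "    return 'something else'\n"
    "\n"
    "# comment \u202e reordered text\n"
    "print(say\u041dello())\n"
)


def script_of(ch):
    """Coarse script of a letter, taken from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scan_source(text):
    """Return (line, column, kind, detail) findings for bidi controls and mixed-script identifiers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi", BIDI_CONTROLS[ch]))
        for m in IDENT_RE.finditer(line):
            ident = m.group()
            scripts = {script_of(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script", ident))
    return findings


def skeleton(ident):
    """Map lookalike characters onto their Latin counterparts so near-duplicates compare equal."""
    return "".join(LOOKALIKES.get(c, c) for c in ident)


def find_lookalike_identifiers(text):
    """Group identifiers by skeleton and return the groups containing more than one distinct spelling."""
    groups = {}
    for ident in IDENT_RE.findall(text):
        groups.setdefault(skeleton(ident), set()).add(ident)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for lineno, col, kind, detail in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {kind} {detail!r}")
    for skel, spellings in find_lookalike_identifiers(SAMPLE).items():
        print(f"identifiers that collapse to {skel!r}: {sorted(spellings)}")
```

Running the script over the constructed sample reports the RLO character in the comment and both uses of the Cyrillic-bearing identifier, and the skeleton check shows that two differently spelled identifiers in the file collapse to the same name, which is the signal a reviewer cannot get from looking at the rendered text. The bidi check is deliberately unconditional: there is rarely a legitimate reason for these control characters to appear in source code outside of string literals, so treating every occurrence as a finding is the safe default.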
[1] Nicholas Boucher and Ross Anderson. “Trojan Source: Invisible Vulnerabilities”. In: Preprint (2021). arXiv: 2111.00169 [cs.CR]. URL: https://arxiv.org/abs/2111.00169.
[2] Jon Hood. “Homoglyphs and Homographic Attacks”. In: SwATips.com (2021). URL: https://www.swatips.com/articles/20210510.html.
[3] Jon Hood, ed. SwATips. URL: https://www.SwATips.com/.