{"id":46790,"date":"2025-02-19T16:36:27","date_gmt":"2025-02-19T21:36:27","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46790"},"modified":"2025-02-19T16:36:55","modified_gmt":"2025-02-19T21:36:55","slug":"hiding-vulnerabilities-in-source-code","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/02\/19\/hiding-vulnerabilities-in-source-code\/","title":{"rendered":"Hiding Vulnerabilities in Source Code"},"content":{"rendered":"<p><a href=\"https:\/\/www.lightbluetouchpaper.org\/2021\/11\/01\/trojan-source-invisible-vulnerabilities\/\">Ross Anderson<\/a> (via <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2021\/11\/hiding-vulnerabilities-in-source-code.html\">Bruce Schneier<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.lightbluetouchpaper.org\/2021\/11\/01\/trojan-source-invisible-vulnerabilities\/\"><p>Today we are releasing <a href=\"https:\/\/arxiv.org\/abs\/2111.00169\">Trojan Source: Invisible Vulnerabilities<\/a>, a paper describing cool new tricks for crafting targeted vulnerabilities that are invisible to human code reviewers.<\/p><p>Until now, an adversary wanting to smuggle a vulnerability into software could try inserting an <a href=\"https:\/\/lwn.net\/Articles\/57135\/\">unobtrusive bug<\/a> in an obscure piece of code. Critical open-source projects such as operating systems depend on human review of all new code to detect malicious contributions by volunteers. So how might wicked code evade human eyes?<\/p><p>We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/02\/19\/hiding-data-in-emoji\/\">Hiding Data in Emoji<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/07\/05\/a-vatican-sized-flag-mystery\/\">A Vatican-Sized Flag Mystery<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/11\/19\/unicode-and-copying-and-pasting-code\/\">Unicode and Copying and Pasting Code<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/01\/04\/fingerprinting-swift-code-using-spacecrypt\/\">Fingerprinting Swift Code Using Spacecrypt<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Ross Anderson (via Bruce Schneier): Today we are releasing Trojan Source: Invisible Vulnerabilities, a paper describing cool new tricks for crafting targeted vulnerabilities that are invisible to human code reviewers.Until now, an adversary wanting to smuggle a vulnerability into software could try inserting an unobtrusive bug in an obscure piece of code. Critical open-source projects [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-02-19T21:36:30Z","apple_news_api_id":"b77b490d-c3a2-4ad8-92b4-50118246d95c","apple_news_api_modified_at":"2025-02-19T21:36:57Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/At3tJDcOiStiStFARgkbZXA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[71,48,258],"class_list":["post-46790","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-programming","tag-security","tag-unicode"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=46790"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46790\/revisions"}],"predecessor-version":[{"id":46794,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46790\/revisions\/46794"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=46790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=46790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=46790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}