Comments (2)
To add to this, things like Gremlins highlight unicode-trickery things like this with red warnings. Some editors even come with this built in. This attack is not particularly novel.
from trojan-source.
There's a reasonable debate to be had about whether this is an issue with compilers/interpreters or an issue with code editors/repository interfaces. Some may also argue that allowing deceptive code such as Trojan Source attacks is not the compiler's responsibility to defend unless it's specified in the relevant language specification, in which case we can add language specs to the list of potential issue owners as well.
Regardless of which stage in the development pipeline "should" implement defenses, it's possible to defend via visualizations in code editors/repo interfaces, compiler/interpreter errors, and build pipeline code scanners. I'd argue that the best defense is a defense-in-depth strategy where each of these stages has defenses implemented.
In the paper discussing this work, we discuss code editor/repository interfaces in Section VI.J, and syntax highlighting in Section VII.C.
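One of the three layers named in the comment above (a build-pipeline scanner) as an added example, not code from the trojan-source repository: it reports every Unicode bidi embedding, override and isolate control in a source file and flags any that is still open at the end of its line, the pattern the paper recommends rejecting. The sample input is constructed.

```python
"""Build-pipeline scanner for Unicode bidirectional (bidi) control characters
of the kind used by Trojan Source attacks. Added example, not project code."""

# Bidi embedding/override/isolate controls and their terminators (Unicode chapter 23).
BIDI_OPENERS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",  # closed by PDF
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",                   # closed by PDI
}
BIDI_CLOSERS = {"\u202c": "PDF", "\u2069": "PDI"}
ISOLATES = {"\u2066", "\u2067", "\u2068"}


def scan_bidi_controls(source: str):
    """Return findings as (line_no, col, name, kind) tuples.

    kind is "open", "close" or "unterminated". "unterminated" means an
    embedding/override/isolate was still active at end of line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stack = []  # (col, char) of controls currently open on this line
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_OPENERS:
                findings.append((line_no, col, BIDI_OPENERS[ch], "open"))
                stack.append((col, ch))
            elif ch in BIDI_CLOSERS:
                findings.append((line_no, col, BIDI_CLOSERS[ch], "close"))
                if ch == "\u2069":  # PDI closes the latest isolate and anything nested in it
                    while stack and stack[-1][1] not in ISOLATES:
                        stack.pop()
                    if stack:
                        stack.pop()
                elif stack and stack[-1][1] not in ISOLATES:  # PDF closes an embedding/override
                    stack.pop()
        for col, ch in stack:
            findings.append((line_no, col, BIDI_OPENERS[ch], "unterminated"))
    return findings


def format_findings(findings):
    """Render findings as one human-readable line each, for CI output."""
    return [f"line {l} col {c}: {name} ({kind})" for l, c, name, kind in findings]


if __name__ == "__main__":
    # Constructed sample in the style of the early-return trick: an RLO inside a
    # comment reorders the display so the visible text hides what the compiler sees.
    SAMPLE = "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    for entry in format_findings(scan_bidi_controls(SAMPLE)):
        print(entry)
```

A CI job can fail the build whenever the returned list contains an "unterminated" finding, or on any finding at all if the codebase never legitimately needs bidi controls.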