TechRxiv

Invisible Supply Chain Attacks Based on Trojan Source

preprint
posted on 2022-11-02, 04:54 authored by Emanuele Buchicchio, Luca Grilli, Diego Antonini, Eros Capobianco, Salvatore Cipriano

A new class of vulnerabilities, called trojan source, has been recently discovered by Boucher and Anderson. They allow attackers to inject specific Unicode control characters in the source code of a software project, such that what text editors visualize differs from what compilers interpret. In the absence of specific protections, trojan source vulnerabilities can be exploited to launch effective supply chain attacks that appear invisible to developers.

This work describes the state of the art of known trojan source attacks, illustrates two new attack variants involving configuration files and Java code, and describes practical preventive measures. The first variant affects Java platforms and may enable the execution of instructions injected within comments. The second variant exploits BiDi and homoglyph Unicode symbols within source code and configuration files. We also give several proofs of concept for many popular development platforms and provide a detection tool that can be easily integrated into the build process.
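As an added illustration of the kind of build-time check the abstract refers to (this is not the authors' tool), the following Python scanner walks a source tree and flags Unicode bidirectional control characters and non-ASCII letters in source and configuration files, returning a non-zero exit status so a CI job can fail the build; the file suffix list and the embedded sample snippet are assumptions constructed for the example.

```python
"""Build-time scanner for Trojan Source indicators: BiDi controls and homoglyph candidates."""
import sys
import unicodedata
from pathlib import Path

# The Unicode bidirectional embedding/override/isolate controls used by Trojan Source attacks.
BIDI_CONTROLS = frozenset(chr(c) for c in (
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI, RLI, FSI, PDI
))

# Assumed set of file types worth scanning; adjust to the project's languages.
SOURCE_SUFFIXES = (".java", ".py", ".c", ".go", ".rs", ".js",
                   ".properties", ".yml", ".yaml", ".json")

# Constructed sample: a comment hiding a RIGHT-TO-LEFT OVERRIDE and an identifier
# containing a Cyrillic 'a' (U+0430) that renders like the Latin letter.
SAMPLE_JAVA = (
    "class Demo {\n"
    "    // check access level\u202E before release\n"
    "    int total = 0;\n"
    "    int tot\u0430l = 0;\n"
    "}\n"
)


def scan_text(text):
    """Return (line, column, kind, codepoint, unicode_name) for each suspicious character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                kind = "bidi-control"           # always suspicious in source code
            elif ord(ch) > 0x7F and unicodedata.category(ch).startswith("L"):
                kind = "non-ascii-letter"       # possible homoglyph; surface for review
            else:
                continue
            findings.append((line_no, col, kind, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return findings


def scan_tree(root, suffixes=SOURCE_SUFFIXES):
    """Scan every matching file under root; returns {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                hits = scan_text(path.read_text(encoding="utf-8"))
            except (UnicodeDecodeError, OSError):
                continue   # binary or unreadable files are skipped, not flagged
            if hits:
                results[str(path)] = hits
    return results


def main(argv):
    results = scan_tree(argv[1] if len(argv) > 1 else ".")
    for path, hits in results.items():
        for line_no, col, kind, cp, name in hits:
            print(f"{path}:{line_no}:{col}: {kind} {cp} ({name})")
    return 1 if results else 0   # non-zero exit fails the build step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```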

History

Email Address of Submitting Author

emanuele.buchicchio@studenti.unipg.it

ORCID of Submitting Author

0000-0002-2786-5931

Submitting Author's Institution

Department of Engineering University of Perugia

Submitting Author's Country

Italy
