Invisible Supply Chain Attacks Based on Trojan Source
A new class of vulnerabilities, called trojan source, was recently discovered by Boucher and Anderson. They allow attackers to inject specific Unicode control characters into the source code of a software project, such that what text editors display differs from what compilers interpret. In the absence of specific protections, trojan source vulnerabilities can be exploited to launch effective supply chain attacks that are invisible to developers.
This work describes the state of the art of known trojan source attacks, illustrates two new attack variants involving configuration files and Java code, and describes practical preventive measures. The first variant affects Java platforms and may enable the execution of instructions injected within comments. The second variant exploits BiDi and homoglyph Unicode symbols within source code and configuration files. We also give several proofs of concept for many popular development platforms and provide a detection tool that can be easily integrated into the build process.
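As an added illustration of the kind of build-step check the abstract refers to (this is not the paper's own detection tool), the scanner below flags the Unicode BiDi control characters used by trojan source attacks and any identifier containing non-ASCII letters, which is a coarse homoglyph heuristic. The sample source snippet it scans is constructed.

```python
import re
import sys
import unicodedata

# BiDi embeddings, overrides and isolates (plus their terminators) that can make
# an editor render source text in a different order than the compiler reads it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Identifier-like tokens; Unicode-aware so non-ASCII letters are included.
IDENT_RE = re.compile(r"[^\W\d]\w*", re.UNICODE)


def script_of(ch):
    """Coarse script bucket taken from the first word of the Unicode name
    (assumption: good enough to tell LATIN from CYRILLIC, GREEK, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scan_text(text):
    """Return (line, column, kind, detail) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, "bidi", BIDI_CONTROLS[ch]))
        for m in IDENT_RE.finditer(line):
            ident = m.group(0)
            scripts = {script_of(c) for c in ident if c.isalpha() and not c.isascii()}
            if scripts:  # non-ASCII letters in an identifier: possible homoglyph
                detail = f"{ident} ({','.join(sorted(scripts))})"
                findings.append((line_no, m.start() + 1, "homoglyph", detail))
    return findings


# Constructed sample: an RLO/PDF pair hidden in a comment and a Cyrillic "а"
# (U+0430) inside an identifier that looks like the Latin word "hash".
SAMPLE = (
    "def check(user):\n"
    "    # comment \u202e with override \u202c\n"
    "    h\u0430sh = user  # Cyrillic a in identifier\n"
)


def scan_files(paths):
    """Scan files on disk; returns a non-zero exit status if anything was found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="surrogateescape") as f:
            for line_no, col, kind, detail in scan_text(f.read()):
                print(f"{path}:{line_no}:{col}: {kind}: {detail}")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(scan_files(sys.argv[1:]) if len(sys.argv) > 1 else
             1 if scan_text(SAMPLE) else 0)
```

Run it with no arguments to scan the embedded sample, or pass source paths to use it as a failing build step.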
ORCID of submitting author: 0000-0002-2786-5931
Submitting author's institution: Department of Engineering, University of Perugia