Giters

suikastar / trojan-source

Trojan Source: Invisible Vulnerabilities

Home Page:https://trojansource.codes

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Trojan Source

Trojan Source: Invisible Vulnerabilities

Overview

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.

'Trojan Source' attacks, as we call them, pose an immediate threat both to first-party software and supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.

Additional details can be found in our related paper and at trojansource.codes.

Proofs-of-Concept

This repository is divided into per-language subdirectories. Each subdirectory contains a series of proofs-of-concept implementing various Trojan-Source attacks as well as a README describing the compilers/interpreters with which these attacks were verified.

About

Trojan Source: Invisible Vulnerabilities

https://trojansource.codes

Languages

Language:SCSS 47.2%Language:CSS 44.1%Language:JavaScript 4.6%Language:HTML 2.9%Language:C 0.2%Language:C++ 0.2%Language:Java 0.2%Language:C# 0.2%Language:Python 0.2%Language:Rust 0.1%Language:Go 0.1%