"Trojan Source" bug threatens the security of all code

This ain't how the Mycenaeans beat the Hittites.

And I don't think it is much of a threat now either.
 
Nope. But the source of GCC is a beast. I doubt there is one person in the world who has audited it as a whole.
Does OpenBSD still use GCC? If so, it's possible that the version included in base may have undergone an audit. Agree that the effort to audit it is non trivial.
 
Found a tool which can insert backdoors in code compiled by GCC by hijacking its temporary files on disk, if anyone is interested. ;)

 
Ross Anderson is a well known security researcher. For me the question is not that he found that threat, but how long this might have been in use by the bad guys under the radar.

I mean it's such an obvious idea that he's probably not the first person ever to think about doing this.

The threat vector obviously would be hiding malicious code in well known OSS programs. Hidden in plain sight in the Git repositories and suchlike.
 
The threat vector obviously would be hiding malicious code in well known OSS programs. Hidden in plain sight in the Git repositories and suchlike.
That is what concerns me. One can certainly get some security benefits from compiling sources yourself instead of relying on binary distributions, but if this is a source code level thing then yeah... shit.

I am really sorry (lol not really) for all those fancy hyped high-level languages that are built on top of mechanisms which kinda require this to work.
 
Found a tool which can insert backdoors in code compiled by GCC by hijacking its temporary files on disk, if anyone is interested. ;)

Making gifs like that is just PERFECT for teaching UNIX in general, not just showing off gcchijack!!!

But for hijacking - one idea that comes to my mind - computer security is a bit of an arms race. Yeah, you can find a weakness in the design, patch it - but the patching involves so much work that the viability (of even setting up something that requires that patching effort) is called into question. And it becomes a vicious circle.
 
Matthew Green, an associate professor at the Johns Hopkins Information Security Institute, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code in a different way than a reader would expect it to be processed.
I thought the claim was that the bidi override can be used to trick the human, not the compiler, because the display order may be different from what is actually in the code! In any case, the solution is to a) allow Unicode in strings and comments only, ASCII elsewhere and b) Unicode-aware editors and display programs need to be syntax-aware and take care to prevent this. If you stick to vi, you'll never have this problem :)

But this is different (as far as I can see, after spending < 5 minutes reading the article while being half asleep) than what Ken Thompson describes in the "Reflections on trusting trust" article, which is much more insidious but possibly much more difficult to sneak in. The fact is that you can introduce backdoors at so many levels....
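A scanner for the two checks proposed in the post above, as an added example that is not code from the thread, the article or the Trojan Source paper: it flags the Unicode bidi control characters wherever they sit in a file, and separately flags non-ASCII outside string literals and comments of C-like source. The sample inputs are constructed here.

```python
import re

# Unicode bidi control characters that can make displayed order differ from
# the stored order of the source (U+202A-U+202E and U+2066-U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# C-like string literals, char literals and comments; these are the only
# places the stricter "ASCII elsewhere" policy permits non-ASCII.
_LITERAL_OR_COMMENT = re.compile(
    r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|//[^\n]*|/\*.*?\*/''', re.S)

def _line_col(src, i):
    """1-based (line, col) of offset i in src."""
    return src.count("\n", 0, i) + 1, i - src.rfind("\n", 0, i)

def find_bidi_controls(src):
    """Flag every bidi control character, wherever it sits; a control inside a
    comment or string still reorders how the surrounding line is rendered."""
    return [(*_line_col(src, i), BIDI_CONTROLS[ch])
            for i, ch in enumerate(src) if ch in BIDI_CONTROLS]

def find_non_ascii_outside_literals(src):
    """Flag non-ASCII characters that are not inside a string or comment."""
    hits, pos = [], 0
    for m in _LITERAL_OR_COMMENT.finditer(src):
        hits += _non_ascii(src, pos, m.start())
        pos = m.end()
    return hits + _non_ascii(src, pos, len(src))

def _non_ascii(src, start, end):
    return [(*_line_col(src, i), f"U+{ord(src[i]):04X}")
            for i in range(start, end) if ord(src[i]) > 0x7F]

# Constructed samples: bidi controls hidden in a comment, and a Cyrillic
# letter smuggled into an identifier.
SAMPLE_BIDI = 'int main(void) {\n    /* check \u202e user \u202c */\n    return 0;\n}\n'
SAMPLE_HOMOGLYPH = 'int tot\u0430l = 0; // "ok"\n'

if __name__ == "__main__":
    print(find_bidi_controls(SAMPLE_BIDI))               # [(2, 14, 'RLO'), (2, 21, 'PDF')]
    print(find_non_ascii_outside_literals(SAMPLE_BIDI))  # [] - inside a comment, so check a) misses it
    print(find_non_ascii_outside_literals(SAMPLE_HOMOGLYPH))  # [(1, 8, 'U+0430')]
```

The second sample shows why both checks are needed: the "Unicode only in strings and comments" policy passes a bidi control hidden in a comment, while the explicit control-character scan catches it.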
 
Years ago I heard about doing this in file names, like "s<ReverseDirSequence>fig.exe" being displayed as "sexe.gif" in Windows Explorer, and you can click it, yes? It's not an executable, after all... So this is most likely old hat.
 
I mean, technically? Punycode is set for years now, so you can use any unicode character in a domain name.
 
I mean, technically? Punycode is set for years now, so you can use any unicode character in a domain name.
Interesting question, how would our German powers-that-be react to a domain name consisting of swastikas?
 