A research paper has detailed a new technique that can be exploited to inject malware into source code without being detected.

Dubbed “Trojan Source” by researchers at Cambridge University today, the method involves manipulating the encoding of source files so that human viewers and compilers see different logic. In targeting text-encoding standards such as Unicode to produce source code, the researchers could logically encode malicious tokens in a different order from the one in which they are displayed.

The method was demonstrated across multiple coding languages including C, C++, JavaScript, Java, Rust, Go and Python. That said, the researchers note that the methodology could be deployed to almost any programming language that uses common software compilers that use Unicode.

Although going public with what could be an explosive new way for hackers to target victims, the researchers spent months coordinating a disclosure program to allow suppliers of compilers, interpreters, code editors and code repositories to make changes to defend against potential attacks. Half of those contacted are in the process of working on patches or have deployed patches, while others have not been quick to respond.

One of the first to protect against the potential attack vector is Rust, who announced a new version with protection today. Rust 1.56.1 includes two new deny-by-default lints that detect the affected codepoints and prevent them from being compiled. Rust also gives a date range for the disclosure period: It was first contacted on July 25 and then told Sept. 14 that the details would be published on Nov. 1.

“This ‘Trojan Source’ bug certainly presents an interesting attack surface,” Jon Gaines, senior application security Consultant at application security provider nVisium LLC, told SiliconANGLE. “As it sits, the research by the University of Cambridge is novel, but their proofs-of-concept are not actually malicious. However, in the hands of a sophisticated attacker or group who can actually weaponize it, we would definitely have a dangerous situation on our hands.”

John Bambenek, principal threat hunter at security operations company Netenrich Inc., noted that in order for this to work, code (or more accurate comments in code) would have to be injected into the source code for this to work. “What makes this scary is the sheer amount of copying and pasting from stack overflow, GitHub and others that serves as ‘software engineering’ means this could be a real possibility for an attack vector,” he said.

The good news is that it would be a fairly difficult attack flow to maintain any real discretion about,” Bambenek added. “Software engineering companies should, however, update their compilers as soon as possible because the groups that engage in supply chain compromise are the exact groups who both have the sophistication to manage this attack flow and the desire to use such techniques.”

Photo: Tevfik Teker/Wikimedia Commons