Attacks by introducing invisible source code using special Unicode characters

[MSoegtropIMC]

In this paper: (https://www.trojansource.codes/trojan-source.pdf) researchers from the University of Cambridge describe an attack which uses special Unicode characters to inject invisible or modified code. As far as I can tell any compiler taking Unicode input - as ocamlc - is affected by this.

There is an easy remedy, which is rejecting sources which contain such characters.

[nojb]

There is a discussion of this issue over at Discuss https://discuss.ocaml.org/t/is-ocaml-vulnerable-to-https-trojansource-codes/8723

[MSoegtropIMC]

Thanks for the pointer! I don't follow the argument given there that it is mostly an editor issue.

But an interesting question would be what github diffs make out of this, since this is the place where most code reviews happen.

[dbuenzli]

But an interesting question would be what github diffs make out of this, since this is the place where most code reviews happen.

I made a gist with the example I gave in the discuss thread. The first commit has no vulnerability. Then I make the commit that introduces the vulnerability.

The answer to the question is that you get a big warning from github that bidi characters are present in the file. On the diff and on the file itself. See for yourself here:

https://gist.github.com/dbuenzli/e655590faf132d5150f3684a3d7a69a2/revisions

[MSoegtropIMC]

@dbuenzli : thanks for testing this on Github - we see that GitHub works pretty fast on this (as it looks this message was introduced October 31st).

But I don't think one can expect that in every environment code review processes are adjusted to this (and possibly upcoming similar issues), so IMHO the best strategy is to work on both, editors + review process tools and compilers.

Are there strong arguments against introducing a warning for this?

[lthls]

I fail to see any reason to get so excited about this particular issue.
Here is an adaptation of the example in the paper that causes the same issues, but using zero-width space:
https://gist.github.com/lthls/95e029513d6135c21c9fff09bcd4a3e2
(Note that while creating the gist, the Github interface clearly showed me the zero-width space, but it's invisible when rendered, even in the "raw" version).
Unicode is full of these little traps, and I don't think the compiler should try to catch any of them (certainly not all of them).

[Octachron]

Bidirectional formatting characters are a legitimate part of unicode. Emitting warning on those characters will lead to false positive. Moreover, since there is no constraint on the encoding of source code in OCaml, the compiler has no idea on how a string literal will be interpreted by graphical editors: will the graphical editor use utf-16, utf-8, another proprietary encoding?

Which leads to the core of the issue: the vulnerability is not in languages but purely in the potentially misleading graphical display of strings by editors. For instance, the vulnerability simply don't exist at all for screen reader users. For them, any warning on bidirectional formatting characters will have a 100% positive rate. Similarly, it doesn't make sense for build tools to emit such warning when there is no interactive users that could be mislead by potentially faulty string rendering.

But I don't think one can expect that in every environment code review processes are adjusted to this (and possibly upcoming similar issues),

This seems an inconsistent reaction to me: if you consider bidirectional formatting characters a meaningful attack vector, you ought to use editors that are not vulnerable to this attack vector.

I am still looking a sensible way to implement such a warning that doesn't trigger on all use of bidirectional formatting characters, but this still feel like protecting our users from faulty editors more than anything.

[dbuenzli]

Unicode is full of these little traps, and I don't think the compiler should try to catch any of them (certainly not all of them).

This would need a bit more investigation but while Unicode may be full of these traps, they actually may be quite easy to characterize. I suspect they are mostly those characters whose general general category is Cc and Cf.

Bidirectional formatting characters are a legitimate part of unicode. Emitting warning on those characters will lead to false positive.

The idea would be that writing them as escapes does not trigger the warning. Also I don't expect bidi control characters to be often present in string literals, false positives will likely be extremely rare.

But the problem with warnings is that they can also be disabled and from the sources itself. I wonder if in the end these things would not be better checked by some form of external dedicated security linter tool.

[alainfrisch]

But the problem with warnings is that they can also be disabled and from the sources itself. I wonder if in the end these things would not be better checked by some form of external dedicated security linter tool.

Well, if you assume people who submit code for inclusion in your project can be hostile, you need to be super careful about code review anyway. The problem is code being hidden in a way which makes it hard to even see what the code actually is. Turning warnings off should be easy enough to spot...

I suspect they are mostly those characters whose general general category is Cc and Cf.

If we have a clear criterion and an easy way of implementing it, I'm personally in favor of a new warning (enabled by default). With the current feature freeze and the possibly delay in adopting 5.00, this won't be available before months in practice, though, unless we backport it to older versions.

[MSoegtropIMC]

But I don't think one can expect that in every environment code review processes are adjusted to this (and possibly upcoming similar issues),

This seems an inconsistent reaction to me: if you consider bidirectional formatting characters a meaningful attack vector, you ought to use editors that are not vulnerable to this attack vector.

In companies with a few 10.000 engineers one can't easily change the tools used in review processes from one day to another and one also cannot always harden them against such issues from one day to another. But one can quickly change compiler versions - they are anyway kept up to date for security reasons. It is new (to me) that one has to keep editors and review tools up to date for security reasons.

https://gist.github.com/lthls/95e029513d6135c21c9fff09bcd4a3e2

Interesting here is that unlike in the gist from @dbuenzli this doesn't show a warning from Github. Also interestingly on macOS I have a hard time to find an editor or other tool which shows the code in a different way - only hexdump and good old vi did the job:

let access_level = "user"
let main () =
  if access_level <> "user<200b>" then (* Check if admin *)
    Printf.printf "You are an admin.\n"

let () = main ()

[dbuenzli]

If we have a clear criterion and an easy way of implementing it, I'm personally in favor of a new warning (enabled by default).

I'm not against that either but by default the encoding of OCaml sources remains latin1. UTF-8 works "by chance".

So before having a default warning that checks things related to Unicode in the sources that's the first thing that would need to change in some way, long discussion here (if you ask me I would break compat. mandate and check UTF-8 validity and retain latin1 behind a flag for the people who still have code with accented identifier, but that's not a trivial amount of work). Otherwise the compiler view on source encodings becomes a bit non sensical.

Also the problem is likely a bit more involved than just check the literals, since you can do funky stuff with the comments. The problem with comments is that they are also used to generate documentation and you could then find legitimate uses of these characters which at the moment you cannot escape like in string literals.

[xavierleroy]

It is new (to me) that one has to keep editors and review tools up to date for security reasons.

All software on all your computers should be kept up to date for security reasons. A bug in a text editor can create havoc too.

There are many ways to use Unicode for obfuscating a code change, beyond the use of bidirectional markers documented in the "Trojan source" paper. We need a more comprehensive analysis before we can discuss countermeasures in the compiler or elsewhere.

[xavierleroy]

I agree with @dbuenzli that we also need to make OCaml "UTF-8 clean" before considering additional safety checks on input files. I'm optimistic we can find a way forward that still accepts more than US-ASCII inside identifiers, but it's not going to happen overnight either.

[Octachron]

Python has an analysis of unicode-related security issues which seems interesting: https://www.python.org/dev/peps/pep-0672 .
I am particularly fond of :

s = "א" * 100 #    "א" is assigned

[xavierleroy]

Ironically, your URL contains mysterious invisible characters :-) https://www.python.org/dev/peps/pep-0672/

[dbuenzli]

@xavierleroy note that UTF-8 cleanness doesn't have to be tied with allowing Unicode identifiers.

Also I'm personally totally unaware of what happens to these latin1 identifiers in linkers etc. I was just wondering whether the following could be an alternate way forward (rather than what I suggested in my previous message). Since latin1 is fully injected into Unicode (the precise map can be found here, spoiler: it's the identity function). We could:

1. Mandate sources to be UTF-8 encoded.
2. Comments and literals accept any Unicode character.
3. Identifiers can be US-ASCII or Unicode latin1 characters (we can then even store them as latin1 if the compiler pipeline relies on this).

This still breaks compat. but rather than introducing a new flag the measure is now simply for people to reencode their files from latin1 to UTF-8 and your sources with accented characters will still work.

The problem of allowing more Unicode characters can be left for later and this way is likely much simpler implementation wise than trying to have two lexing modes.