EXECUTIVE SUMMARY:

Researchers at the University of Cambridge report that cyber attacks capable of injecting invisible backdoors into the source code of well-known programming languages represent a significant threat. Businesses and government groups alike have been asked to take action.

These source code attacks can be distributed by hackers or hostile states to disrupt software supply chains. The attacks place zombie code in libraries and commonly used software repositories. Using this code, backdoors could be added to nearly all computer languages.

The invisible, injectable source code details…

Researchers state that the attack exploits standard control characters to quietly inject malicious code into source code. When reviewed by humans, however, the source code does not appear to contain security risks.

In a published research paper, researchers warn that similar attacks could be launched in relation to any programming language that relies on common software compilers that make use of Unicode, which is considered the international standard for encoding text and scripts.

Across the past three months, the Cambridge researchers have attempted to coordinate a complex disclosure program, which would permit suppliers of software tools, such as compilers, interpreters, code editors and code repositories, to improve cyber security defenses.

Vulnerability disclosures and action

Roughly 50% of the organizations that researchers contacted during the disclosure process are either working on patches or intend to in the near future. However, other organizations haven’t yet taken action. One of the Cambridge researchers warns that bad actors could use this newly discovered technique against compilers that haven’t been patched.

“We recommend that governments and firms that rely on critical software should identify their supplier’s posture, exert pressure on them to implement adequate defenses and ensure that any gaps are covered by controls elsewhere in their toolchain,” stated the researchers. “Any entity whose security relies on the integrity of software supply chains should be concerned.”

Insecure source code

A large number of code developers will gladly copy and paste insecure source code from unofficial online sources. As a result, hackers could easily post malicious code with invisible vulnerabilities on unofficial sites, and web developers may unwittingly insert the code into the software supply chain.

Attacks on open-source software components mean that the malicious code could affect a huge number of organizations. For security specialists, detecting tainted code may be a nearly impossible task. “Trojan Source attacks introduce the possibility of inserting such vulnerabilities into source code invisibly, thus completely circumventing the current principal control against them, namely human source code review,” said researchers.

Supply chain attacks

Predictions around an imminent increase in supply chain attacks have led organizations to start taking more proactive prevention and defense measures. One challenge with software supply chain vulnerabilities is that, even after patches are released, the vulnerabilities are likely to persist in the affected ecosystem.

Bidi control characters

Invisible Trojan Source attacks rely on bi-directional control characters within Unicode. These characters are used to switch between languages that are written left-to-right, such as English, and those naturally written right-to-left, like Arabic or Hebrew.

Cyber attackers can leverage the control characters, called Bidi override characters, to surreptitiously add malicious code that will remain inconspicuous to human reviewers. This type of code can be buried in comments or strings of characters within the program’s source code. Developers who copy code from an unreliable source into a protected code base may unwittingly add an invisible vulnerability.

The researchers state that there is an “immediate” need for organizations to deploy security measures within code repositories and text editors that are used for code development.

For more information about supply chain attacks, see CyberTalk.org’s past coverage. Discover more cutting-edge business and cyber security insights when you sign up for the Cyber Talk newsletter.