‘Trojan Source’ Is a Threat to All Source Code, Languages

eSecurityPlanet’s Jeff Bart reports that researchers have outlined a method that could be used by bad actors to push vulnerabilities into source code that are invisible to human code reviewers.

In a paper released this week, two researchers at the University of Cambridge in the UK wrote that the method – which they dub “Trojan Source” – essentially can be leveraged against almost every programming language in use today and could be effective in supply-chain attacks similar to the one launched against SolarWinds last year.

“As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses,” Nicholas Boucher and Ross Anderson wrote in their paper. “We have discussed countermeasures that can be used at a variety of levels in the software development toolchain: the language specification, the compiler, the text editor, the code repository, and the build pipeline.”

On a website, they wrote that “if an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviews, downstream software will likely inherit the vulnerability.”

Long-term solutions will come from compilers, most of which already defend against a related attack, they wrote.