# "Trojan Source" Bug threatens the Security of all code



## Zvoni (Nov 2, 2021)

Opinions?




Linked: ‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security (krebsonsecurity.com)

----------



## eternal_noob (Nov 2, 2021)

20 years ago, some random dude I met insisted that GCC added hidden backdoors to every program it compiles. I liked the idea of evil compilers.


----------



## Geezer (Nov 2, 2021)

This ain't how the Mycenaeans beat the Hittites.

And I don't think it is much of a threat now either.


----------



## SirDice (Nov 2, 2021)

I get a real "Reflections on trusting trust" vibe from this.



https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf


----------



## jbo (Nov 2, 2021)

eternal_noob said:


> 20 years ago, some random dude i met insisted that GCC added hidden backdoors to every program it compiles. I liked the idea of evil compilers.


Was (s)he able to provide any evidence at all?


----------



## eternal_noob (Nov 2, 2021)

Nope. But the source of GCC is a beast. I doubt there is one person in the world who has audited it as a whole.


----------



## mer (Nov 2, 2021)

eternal_noob said:


> Nope. But the source of GCC is a beast. I doubt there is one person in the world who audited it in a whole.


Does OpenBSD still use GCC?  If so, it's possible that the version included in base may have undergone an audit.  Agree that the effort to audit it is non trivial.


----------



## SirDice (Nov 2, 2021)

mer said:


> Does OpenBSD still use GCC?


No, they switched to Clang, just like FreeBSD.




Linked: OpenBSD Switches To Clang Compiler For i386/AMD64 - Phoronix (www.phoronix.com)


----------



## eternal_noob (Nov 2, 2021)

Found a tool which can insert backdoors in code compiled by GCC by hijacking its temporary files on disk, if anyone is interested.

Linked: GitHub - hstocks/gcchijack: Tool to backdoor binaries compiled by gcc/g++ by hijacking their temporary files (github.com)


----------



## hardworkingnewbie (Nov 2, 2021)

Zvoni said:


> Opinions?
> ...


Ross Anderson is a well-known security researcher. For me the question is not that he found that threat, but how long this might have been in use by the bad guys under the radar.

I mean, it's such an obvious idea that he's probably not the first person ever to think about doing this.

The threat vector obviously would be hiding malicious code in well-known OSS programs. Hidden in plain sight in the Git repositories and the like.


----------



## jbo (Nov 2, 2021)

hardworkingnewbie said:


> The threat vector obviously would be hiding malicious code in well known OSS programs. Hidden in plain sight in the GIT repositories and such alike.


That is what concerns me. One can certainly get some security benefits from compiling sources from yourself instead of relying on binary distributions but if this is a source code level thing then yeah... shit.

I am really sorry (lol not really) for all those fancy hyped high-level languages that are built on top of mechanisms which kinda require this to work.


----------



## astyle (Nov 2, 2021)

eternal_noob said:


> Found a tool which can insert backdoors in code compiled by GCC by hijacking its temporary files on disk, if anyone is interested.
> ...


Making gifs like that is just PERFECT for teaching UNIX in general, not just showing off gcchijack!!!

But for hijacking - one idea that comes to my mind - Computer security is a bit of an arms race. Yeah, you can find a weakness in the design, patch it - but the patching involves so much work that the viability (of even setting up something that requires that patching effort) is called into question. And it becomes a vicious circle.


----------



## bakul (Nov 2, 2021)

> Matthew Green, an associate professor at the *Johns Hopkins Information Security Institute*, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code in a different way than a reader would expect it to be processed.


I thought the claim is that the bidi override can be used to trick the _human_, not the compiler, because the display order may be different from what is actually in the code! In any case, the solution is to a) allow unicode in strings and comments only, ascii elsewhere and b) unicode aware editors and display programs need to be syntax aware and take care to prevent this. If you stick to vi, you'll never have this problem 

But this is different (as far as I can see, after spending < 5 minutes reading the article while being half asleep) than what Ken Thompson describes in the "Reflections on trusting trust" article, which is much more insidious but possibly much more difficult to sneak in. The fact is that you can introduce backdoors at so many levels....


----------



## SKull (Nov 2, 2021)

jbodenmann said:


> Was (s)he able to provide any evidence at all?


Conspiracy idiots are never able to prove anything.


----------



## astyle (Nov 2, 2021)

bakul said:


> The fact is that you can introduce backdoors at so many levels....


Try addressing each and every one of them - now that's "Programming in Hell".


----------



## Crivens (Nov 2, 2021)

Years ago I heard about doing this in file names, like "s<ReverseDirSequence>fig.exe" being displayed as "sexe.gif" in the Windows Explorer, and you can click it, yes? It's not an executable, after all... So this is most likely old hat.
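
As an added example (not code from the thread, the Krebs article or the paper), here is a small Python scanner illustrating the two points raised above: bakul's observation that the bidi override tricks the reader rather than the compiler, and Crivens' file-name trick. It assumes nothing beyond the Python standard library; the sample source, the benign comment and the file name are constructed for the demo, and the sample is modelled on the early-return pattern from the Trojan Source paper. Note that in the sample the control character sits inside a string literal, which a "Unicode only in strings and comments" rule would allow; the scanner therefore also flags any control that is not closed before the end of its line, which is the condition the attack relies on.

```python
"""Scan text for Unicode bidi control characters (the 'Trojan Source'
mechanism) and show the RLO file-name trick from the thread."""
import sys

# Bidi embedding/override/isolate controls (Unicode Standard, UAX #9).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
EMBED_OPENERS = {"LRE", "RLE", "LRO", "RLO"}   # closed by PDF
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}        # closed by PDI


def char_contexts(source):
    """Label each char 'code', 'string' or 'comment'. Approximate lexer for
    '#' comments and single/double/triple-quoted strings with backslash
    escapes; good enough for the demo, not a parser for any language."""
    ctx, i, n = ["code"] * len(source), 0, len(source)
    while i < n:
        if source[i] == "#":                         # comment to end of line
            kind, end = "comment", source.find("\n", i)
            end = n if end < 0 else end
        elif source[i] in "'\"":                      # string literal
            kind = "string"
            q = source[i:i + 3] if source.startswith(source[i] * 3, i) else source[i]
            j = i + len(q)
            while j < n and not source.startswith(q, j):
                if len(q) == 1 and source[j] == "\n":
                    break                            # unterminated one-liner
                j += 2 if source[j] == "\\" else 1   # skip escaped char
            if j < n and source.startswith(q, j):
                j += len(q)                          # include closing quote(s)
            end = min(n, j)
        else:
            i += 1
            continue
        ctx[i:end] = [kind] * (end - i)
        i = end
    return ctx


def find_bidi_controls(source):
    """Every bidi control with 1-based line, 0-based column and context."""
    ctx, hits, line, col = char_contexts(source), [], 1, 0
    for i, ch in enumerate(source):
        if ch in BIDI_CONTROLS:
            hits.append({"line": line, "col": col,
                         "name": BIDI_CONTROLS[ch], "context": ctx[i]})
        line, col = (line + 1, 0) if ch == "\n" else (line, col + 1)
    return hits


def unterminated_lines(source):
    """Lines that open an embedding/override or isolate and never close it.
    UAX #9 resets them at a paragraph (line) boundary, so the control silently
    re-orders everything to the line end; flag it wherever it sits."""
    bad = []
    for lineno, text in enumerate(source.split("\n"), 1):
        embeds = isolates = 0
        for name in (BIDI_CONTROLS.get(ch) for ch in text):
            if name in EMBED_OPENERS:
                embeds += 1
            elif name == "PDF":
                embeds = max(0, embeds - 1)
            elif name in ISOLATE_OPENERS:
                isolates += 1
            elif name == "PDI":
                isolates = max(0, isolates - 1)
        if embeds or isolates:
            bad.append(lineno)
    return bad


def render_override(text):
    """Visual order an LTR viewer draws for text using only RLO/PDF: the run
    after RLO appears reversed up to PDF or end. Simplified UAX #9 (no
    isolates, no nesting), enough for the file-name trick."""
    out = []
    while "\u202e" in text:
        head, _, rest = text.partition("\u202e")
        run, _, text = rest.partition("\u202c")
        out += [head, run[::-1]]
    return "".join(out + [text]).replace("\u202c", "").replace("\u202d", "")


# Constructed sample modelled on the paper's 'early return' pattern: the RLI
# (U+2067) inside the docstring makes a bidi-aware editor draw 'return' before
# the closing quotes, while the interpreter sees a real return statement.
SAMPLE = ("bank = {'alice': 100}\n\ndef subtract_funds(account, amount):\n"
          "    ''' Subtract funds from bank account then \u2067''' ;return\n"
          "    bank[account] -= amount\n")
# Constructed benign sample: an isolate that is closed on the same line.
SAFE = "# Arabic in a comment: \u2067\u0645\u0631\u062d\u0628\u0627\u2069\nx = 1\n"
# Constructed file name from the thread's example; displays as 'sexe.gif'.
FILENAME = "s\u202efig.exe"

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for h in find_bidi_controls(text):
        print(f"L{h['line']}:{h['col']} {h['name']} in {h['context']}")
    for ln in unterminated_lines(text):
        print(f"L{ln}: bidi control not closed before end of line")
    print(repr(FILENAME), "displays as", render_override(FILENAME))
```

Run it as `python3 scan_bidi.py path/to/file` to scan a file, or with no argument to see the built-in sample. The same "unpaired control" check is what GCC 12 and later ship as `-Wbidi-chars` (enabled by default in its `unpaired` form), and rustc has deny-by-default lints for these code points in literals and comments; the editor-side fix bakul mentions is to render the controls visibly instead of honouring them.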


----------



## zirias@ (Nov 2, 2021)

bakul said:


> a) allow unicode in strings and comments only, ascii elsewhere


You can't be serious, modern code needs unicode!!!


----------



## eternal_noob (Nov 2, 2021)

Emojis are even allowed in domain names nowadays: https://en.wikipedia.org/wiki/Emoji_domain


----------



## astyle (Nov 2, 2021)

eternal_noob said:


> Emojis are even allowed in domain names nowadays: https://en.wikipedia.org/wiki/Emoji_domain


The wikipedia link also points out that support is limited among domain registrars, and ASCII equivalents are already taken up by pornosquatters.


----------



## zirias@ (Nov 2, 2021)

Given Punycode for "hiding" Unicode in DNS records, I wonder how emojis could _not_ be supported?


----------



## astyle (Nov 2, 2021)

Zirias said:


> given punycode for "hiding" unicode in DNS records, I wonder how Emojis could _not_ be supported?


Security holes?


----------



## zirias@ (Nov 2, 2021)

I mean, technically? Punycode is set for years now, so you can use _any_ unicode character in a domain name.
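
To make the Punycode point concrete, here is an added Python example (not from the thread) that encodes and decodes labels with the standard library's `punycode` codec and adds the check a practitioner actually wants once any code point is allowed in a name: a heuristic mixed-script test for look-alike labels. The hostnames in the block are constructed for the demo; the script heuristic based on `unicodedata.name` is an approximation, not the Unicode Script property.

```python
"""Punycode/IDNA round trip and a mixed-script check for IDN labels."""
import unicodedata


def to_ascii_label(label):
    """Encode one DNS label the way it travels on the wire: RFC 3492 Punycode
    with the IDNA 'xn--' prefix; pure-ASCII labels pass through unchanged.
    The raw punycode codec encodes any code point (emoji included); whether a
    registry accepts the label is a separate IDNA/registry-policy question,
    which is why emoji support differs between registrars."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_unicode_label(label):
    """Inverse of to_ascii_label."""
    if not label.startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def scripts_in(label):
    """Heuristic script set from Unicode character names, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Non-letters are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """True when letters from more than one script share a label, the pattern
    behind IDN homograph look-alikes such as a Cyrillic 'а' inside a Latin name."""
    return len(scripts_in(label)) > 1


def classify(hostname):
    """Per-label view of a hostname: (unicode form, wire form, mixed-script flag)."""
    out = []
    for label in hostname.split("."):
        uni = to_unicode_label(label)
        out.append((uni, to_ascii_label(uni), is_mixed_script(uni)))
    return out


if __name__ == "__main__":
    # Constructed inputs: a German name, an emoji label, an already-encoded
    # label, and a look-alike of 'apple' whose first letter is U+0430.
    for host in ("bücher.example", "i❤.example", "xn--bcher-kva.example",
                 "\u0430pple.example"):
        for uni, wire, mixed in classify(host):
            print(f"{uni!r:16} -> {wire:20} mixed-script={mixed}")
```

The wire form is what resolvers, certificate SANs and log files contain, so a detection rule that matches on `xn--` labels and then decodes and script-checks them catches look-alikes that a plain string comparison of the Unicode form would miss.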


----------



## Crivens (Nov 2, 2021)

Zirias said:


> I mean, technically? Punycode is set for years now, so you can use _any_ unicode character in a domain name.


Interesting question: how would our German powers-that-be react to a domain name consisting of swastikas?


----------



## astyle (Nov 3, 2021)

Yeah... in many Asian cultures, the swastika is actually a symbol of good luck... and it was that way for CENTURIES until it got mucked up by Europeans and associated with something THAT awful in 1930s... At least we have Wikipedia to refer to and set things straight (even though from get-go it was not intended for that).


----------



## grahamperrin@ (Nov 3, 2021)

Zvoni said:


> Opinions?



Discussions elsewhere include: 

<https://forums.freebsd.org/threads/82752/> | Hiding Vulnerabilities in Source Code - Schneier on Security
<https://old.reddit.com/r/cybersecurity/duplicates/qkahp3/-/>
<https://news.ycombinator.com/item?id=29062982>


----------



## astyle (Nov 3, 2021)

There's also "Vulnerability by design". A quick Google search on the term turns up articles that mostly focus on UIs, but I would think that also applies to compilers. eternal_noob's post #9 earlier in this thread links to a pretty good example of that. To patch a vulnerability like that, you'd have to either find a differently designed compiler, or redesign GCC from the ground up. Good luck finding somebody willing to put in THAT kind of effort to patch things up upon discovery.


----------



## SirDice (Nov 3, 2021)

[_Mod: Removed a couple of posts from the tail end of the thread_]


----------

