Don’t let Trojan Source sneak into your code



Protect your organization against the Trojan Source exploit with fast and reliable vulnerability detection from Rapid Scan Static.

As everyone in the industry knows, not all software vulnerabilities are created equal – some are trivial, others irrelevant, and some are serious. Obviously, you need to focus your attention on those that are characterized as serious.

The recently disclosed Trojan Source vulnerability (CVE-2021-42574) falls into the severe category, which means it deserves your full attention. It is rated severe for several reasons: it is damaging (the NVD gave it a severity rating of 9.8), it is ubiquitous, and it is very hard to find.

About the Trojan Source vulnerability

Researchers at the University of Cambridge recently disclosed the Trojan Source vulnerability, which can affect any code base regardless of programming language. Using Unicode bidirectional (bidi) control characters, an attacker can make the rendered source code look different from the structure the compiler actually parses. This lets an attacker insert a Trojan into any application while the code still looks benign to a human reviewer.

For example, the following code snippet looks safe, but the hidden Unicode characters it contains cause compilers to parse it in an unexpected way.

/* start of sensitive block */ if (properlySanitized(user_input) == true) {
    sensitive_api_call(user_input);
/* end of sensitive block */ }

The compiler, however, parses the above as:

/* start of sensitive block */ if (properlySanitized(user_input) == true) {
    sensitive_api_call(user_input);
/* end of sensitive block */ }

Organizations need a solution to this problem because of the ease with which this vulnerability can be injected into code bases. For example, when a developer searches the web for a way to implement an algorithm or use an API, they may copy and paste a snippet from the search results. If the copied snippet contains these hidden characters, the Trojan is implanted along with it. This kind of vulnerability is hard to spot in manual code review, because most people do not look for hidden characters when they review code.

This vulnerability can also enter a code base through the supply chain of third-party components. A popular dependency could include malicious code, and it might go undetected during code review because bidi character attacks are invisible to human reviewers.
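The following is an added example, not code from the page or from Synopsys: a minimal detector for the bidi control characters described above. It reports every such character with its line and column, flags lines where an override or isolate is still open at end of line, and shows the text in the order a compiler tokenizes it. The sample input is constructed for the example.

```python
# Unicode bidirectional control characters abused by CVE-2021-42574.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
CLOSERS = {"\u202c", "\u2069"}


def find_bidi_controls(source: str):
    """Return (line, column, code point, name) for every bidi control in `source`."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return hits


def unterminated_lines(source: str):
    """Lines that end with an override/embedding/isolate still open.
    Simplified model: any closer pops any opener. An unclosed override at
    end of line is the pattern the published mitigations warn about."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth = 0
        for ch in line:
            if ch in OPENERS:
                depth += 1
            elif ch in CLOSERS:
                depth = max(depth - 1, 0)
        if depth:
            bad.append(lineno)
    return bad


def compiler_view(source: str) -> str:
    """Strip the invisible controls so the text reads in the order the compiler sees it."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


# Constructed sample (not from the page): line 1 hides an unclosed RLO inside a
# comment; line 2 carries a properly paired isolate inside a string literal.
SAMPLE = (
    "/* start of sensitive block \u202e */ if (x) {\n"
    'printf("\u2067abc\u2069");\n'
    "sensitive_api_call(user_input);\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} ({name})")
    print("unterminated on lines:", unterminated_lines(SAMPLE))
```

To scan a repository, read each file with `open(path, encoding="utf-8", errors="replace")` and pass its contents to `find_bidi_controls`; any hit in source, not just unterminated ones, merits a closer look.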

Use Rapid Scan Static to scan all your business code bases

Help is available through Rapid Scan Static, a stand-alone, lightweight executable built on the Sigma SAST engine (available for Linux, Windows, and macOS). Coverity® customers can download the latest version through the Synopsys community portal. As of version 202.11.1, Rapid Scan Static detects the Unicode bidi Trojan Source vulnerability in all supported languages, including C/C++, Java, JavaScript, C#, Python, Go, PHP, Swift, and Kotlin.

The executable itself is around 50 MB and can be run standalone from the command line. Deploy it in a Docker container or wherever it suits your organization.

Synopsys plans to roll out additional enhancements in future releases. For now, the bidi check must be explicitly enabled, as shown in Figure 1 below.

The following output is from running Rapid Scan Static against the Linux kernel codebase, and fortunately the scan found this important codebase to be free of the vulnerability. Note that the engine identified approximately 70,000 files, and Rapid Scan Static scanned approximately 55,000 source files in 11 seconds.

% git clone

Figure 1: Rapid Scan Static output for the Linux kernel code base

Next steps

Considering the ease with which this vulnerability can be introduced, and especially now that it is public, Synopsys encourages CISOs, security professionals, and developers to analyze all of their company's code bases to ensure that no Trojan Source vulnerabilities currently exist. Running nightly scans, or scanning as part of the CI/CD pipeline, will detect any future introduction of this vulnerability.

If you are already a Coverity customer, you can download the latest version of Rapid Scan Static through the Synopsys community portal.


