Comments (4)
Going to close this as well since I just wanted to bring up the alternatives to see if they are of interest. I might later add the Ruby PR as you suggested. In it I can include all the strategies your paper covered as applicable to Ruby as well as maybe some of these variations.
from trojan-source.
Ok
from trojan-source.
@security-curious This is absolutely fantastic!
These are all great points. In the Trojan Source paper, we focused on constructs that we knew to be present across many languages, which ultimately resolved to comments and string literal. Regex literals a clever extension of this in the languages that support them. Although this is not relevant to all major languages, it is relevant to some such as Ruby and (I suspect) JavaScript.
The stretched identifiers description is the most interesting to me, however. I'm shocked that Ruby allows control characters in identifier names...I suspect there's all sorts of adversarial things you can do with this. I like the stretched identifier example above quite a lot, and for those following along here's a visualization of the underlying encoding in @security-curious's example:
I'm entirely open to adding a Ruby/
directory in this repo containing relevant examples. @security-curious please feel free to make a PR with any examples that you would like, ideally following the format used for examples in other languages as closely as possible.
from trojan-source.
If identifiers are what interests you keep in mind that I'm not just taking about variables. Modules, classes, constants, methods, etc. The below is a valid Ruby program:
module A📦
class B🎓
C💎 = 3.14
def 🔴 r
C💎 * r**2
end
end
end
puts A📦::B🎓.new.🔴 8
Constants must start with an uppercase letter. Hence the C
before the 💎
. Classes and modules in Ruby are just constants pointing to an instance of a module or class. So:
class A
end
Is the same as:
A = Class.new
This is the reason I needed to prefix the classes and modules with a uppercase letter but the remaining letters can be any unicode value. Methods and variables don't have that restriction. So while my example was about assigning a variable you might be able to do other trickery with method, class, constant and module names. Really any identifier.
I did reach out to the Ruby team regarding all this and they felt addressing this at the interpreter level was not the right solution. I guess there is a debate regarding "defense in depth" vs maintenance cost of playing wack-a-mole with odd Unicode characters. I can see both sides of the argument.
from trojan-source.
Related Issues (12)
- Python3 returns syntax error: HOT 1
- Does an homoglyphe function concerned by Trojan source? HOT 1
- Could we help developers detect and prevent issues of trojan source in their projects? HOT 8
- invisible-function.c and homoglyph-function.c cant be build with gcc <= 9.1, but successful with gcc 11.2
- The attack is known, not novel HOT 9
- Doubt regarding early-return.py example HOT 4
- Tools to detect possible attacks HOT 1
- ඞ
- That's poor editor attack vector not compiler/code/interpreter HOT 2
- Provide an example of propper use for reference HOT 1
- Early return and comment out in languages without closing comment token? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trojan-source.