From: Skip Montanaro
Newsgroups: gmane.emacs.help
Subject: Trojan Source detection/highlight in Emacs?
Date: Mon, 1 Nov 2021 17:19:16 -0500
To: Help GNU Emacs
The recent Trojan Source vulnerability crossed my newsfeed a day or two ago. Here's an article from Krebs on Security:

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Here's the rub:

    Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

    ...

    The research paper, which dubbed the vulnerability “Trojan Source,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, *these bounds are not respected by Bidi overrides*.

Krebs didn't give a concrete code example, but did reference a Rust Lang blog post which does:

https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

    As an example, the following snippet (with {U+NNNN} replaced with the Unicode codepoint NNNN):

        if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

    ...would be rendered by bidirectional-aware tools as:

        if access_level != "user" { // Check if admin

    This would give the reader the mistaken impression that the program is comparing admin_level with the value "user".

There is also a C example on the Trojan Source website (scroll down):

https://trojansource.codes/

You can also get to the PDF of the paper describing the problem.

Rust is adding detection to its lint tool. It seems that may be the approach taken by the maintainers of other languages. The Python community is working on a PEP for this (doesn't even yet have a number), but you can view the nascent PEP and discussion here:

https://mail.python.org/archives/list/python-dev@python.org/thread/6DBJJRQHA2SP5Q27MOMDSTCOXMW7ITNR/#6DBJJRQHA2SP5Q27MOMDSTCOXMW7ITNR

IDEs, editors, and lint tools are probably where the bulk of the action will be. Has this been discussed within the Emacs developer community? Maybe a bidi minor mode would be a good place to implement some colorization, with the minor mode enabled by default in most programming language major modes (with easy disabling by the user).

Let's be careful out there...

Skip Montanaro
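The kind of check the post asks editors and lint tools to add, written out as a Python example added here (it is not code from the post, from Emacs, from Rust's lint, or from the Python PEP discussion): it locates every Unicode bidi control character in a source text, reports line and column, marks openers whose effect is still active at the end of the line, and rewrites a line with the same {U+NNNN} notation the post uses so the hidden characters become visible. The function names, the `Finding` record and the per-line stack are my own; the stack is a deliberate simplification of the Unicode Bidirectional Algorithm, enough to show why the quoted snippet's second isolate opener never gets closed. The sample input is constructed from the snippet quoted in the post.

```python
from __future__ import annotations

from dataclasses import dataclass

# The Unicode bidirectional control characters the Trojan Source paper relies on:
# embeddings (LRE/RLE), overrides (LRO/RLO) and their terminator (PDF), plus the
# isolates (LRI/RLI/FSI) and their terminator (PDI).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Which terminator closes each opener.
CLOSER_OF = {
    "LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
    "LRI": "PDI", "RLI": "PDI", "FSI": "PDI",
}


@dataclass(frozen=True)
class Finding:
    line: int            # 1-based line number
    col: int             # 0-based code point offset within the line
    name: str            # abbreviation from BIDI_CONTROLS, e.g. "RLO"
    unterminated: bool   # True if this opener is still in effect at end of line


def scan_text(text: str) -> list[Finding]:
    """Locate every bidi control character in text.

    Openers are tracked on a per-line stack (hypothetical simplification of the
    Unicode Bidirectional Algorithm): PDF closes the innermost embedding or
    override, PDI closes the innermost isolate together with anything nested in
    it, and a newline resets the state. An opener still on the stack at end of
    line is reported as unterminated: from that point to the end of the line the
    rendered order no longer matches the source order, regardless of any string
    or comment delimiter in between, which is the paper's central point.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stack: list[tuple[int, str]] = []  # (index into findings, expected closer)
        for col, ch in enumerate(line):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            findings.append(Finding(lineno, col, name, False))
            if name in CLOSER_OF:
                stack.append((len(findings) - 1, CLOSER_OF[name]))
            elif name == "PDF":
                if stack and stack[-1][1] == "PDF":
                    stack.pop()
            elif name == "PDI":
                if any(closer == "PDI" for _, closer in stack):
                    while stack:
                        _, closer = stack.pop()
                        if closer == "PDI":
                            break
        # Whatever is still open at end of line affects the rest of the line.
        for idx, _ in stack:
            f = findings[idx]
            findings[idx] = Finding(f.line, f.col, f.name, True)
    return findings


def annotate(line: str) -> str:
    """Make every bidi control visible using the {U+NNNN} notation from the post."""
    return "".join(f"{{U+{ord(ch):04X}}}" if ch in BIDI_CONTROLS else ch for ch in line)


def report(text: str) -> list[str]:
    """One lint-style line per finding: position, name, flag, annotated source line."""
    lines = text.splitlines()
    return [
        f"{f.line}:{f.col}: {f.name}"
        + (" (unterminated at end of line)" if f.unterminated else "")
        + f"  |  {annotate(lines[f.line - 1])}"
        for f in scan_text(text)
    ]


# Constructed sample: the snippet quoted in the post from the Rust blog, with
# real code points substituted for the {U+NNNN} placeholders.
SAMPLE = (
    "fn main() {\n"
    '    let access_level = "user";\n'
    '    if access_level != "user\u202e \u2066// Check if admin\u2069 \u2066" {\n'
    '        println!("You are an admin.");\n'
    "    }\n"
    "}\n"
)

if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
```

Run against the sample, the scanner reports four controls on line 3: the RLO at column 28 and the second LRI at column 50 are both flagged as unterminated, which is exactly what lets the closing quote and brace render before the comment. The same scan_text function is what an editor highlighter or a pre-commit hook would call; a plain file with no bidi controls yields an empty list.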