On Mon, Nov 15, 2021 at 03:20:26PM +0400, Abdur-Rahmaan Janhangeer wrote:

> Well, it's not so obvious. From Ross Anderson and Nicholas Boucher
> src: https://trojansource.codes/trojan-source.pdf

Thanks for the link. But it discusses a whole range of Unicode attacks, and the specific attack you mentioned (Invisible Character Attacks) is described in section D page 7 as "unlikely to work in practice". As they say, compilers and interpreters in general already display errors, or at least a warning, for invisible characters in code.

In addition, there is the difficulty that it's not just enough to use invisible characters to call a different function, you have to smuggle in the hostile function that you actually want to call.

It does seem that the Trojan-Source attack listed in the paper is new, but others (such as the homoglyph attacks that get most people's attention) are neither new nor especially easy to actually exploit. Unicode has been warning about it for many years. We discussed it in PEP 3131. This is not new, and not easy to exploit.

Perhaps that's why there are no, or very few, actual exploits of this in the wild. Homoglyph attacks against user-names and URLs, absolutely, but homoglyph attacks against source code are a different story.

Yes, you can cunningly have two classes like Α and A and the Python interpreter will treat them as distinct, but you still have to smuggle in your hostile code in Α (Greek Alpha) without anyone noticing, and you have to avoid anyone asking why you have two classes with the same name. And that's the hard part.

We don't need Unicode for homoglyph attacks. func0 and funcO may look identical, or nearly identical, but you still have to smuggle in your hostile code into funcO without anyone noticing, and that's why there are so few real-world homoglyph attacks.

Whereas the Trojan Source attacks using BIDI controls do seem to be genuinely exploitable.

-- 
Steve

Python-Dev mailing list -- python-dev@python.org
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/FSHGS4AOAGTWKSWAADZWH5L2GGBWHHXE/
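
An added example, not part of the original message or of any Python project's code: a review-time scanner for the three categories the message distinguishes (BIDI controls, invisible characters, and lookalike identifiers such as A/Α and func0/funcO). The `scan` function, the tiny `FOLD` map and the sample source are constructed for illustration.

```python
import io
import tokenize
import unicodedata

# Bidirectional formatting controls (marks, embeddings, overrides, isolates).
BIDI = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Zero-width characters that render as nothing.
INVISIBLE = set("\u200b\u200c\u200d\u2060\ufeff")
# Constructed, deliberately tiny lookalike map covering only the examples in
# the message; a real check would use Unicode's confusables data.
FOLD = str.maketrans({"\u0391": "A", "0": "O"})


def scan(source):
    """Return sorted (line, kind, detail) findings for Python source text."""
    findings = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for ch in line:
            if ch in BIDI:
                findings.append((lineno, "bidi-control", f"U+{ord(ch):04X}"))
            elif ch in INVISIBLE:
                findings.append((lineno, "invisible", f"U+{ord(ch):04X}"))
    seen = {}  # folded spelling -> {identifier: first line seen}
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type == tokenize.NAME:
                # Python compares identifiers after NFKC normalization.
                name = unicodedata.normalize("NFKC", tok.string)
                seen.setdefault(name.translate(FOLD), {}).setdefault(name, tok.start[0])
    except (tokenize.TokenError, SyntaxError):
        pass  # unparsable input: keep the character-level findings
    for group in seen.values():
        if len(group) > 1:  # distinct identifiers that fold to one spelling
            findings.append((max(group.values()), "lookalike-identifiers",
                             " / ".join(sorted(group))))
    return sorted(findings)


# Constructed sample input (escapes keep this file itself free of controls).
SAMPLE = (
    "class A:\n"
    "    pass\n"
    "class \u0391:\n"  # Greek capital Alpha
    "    pass\n"
    "def func0(): return 1\n"
    "def funcO(): return 2\n"
    "access = 'user\u202e'  # \u2066 check\n"
    "name = 'ad\u200bmin'\n"
)
```

Calling `scan(SAMPLE)` reports the two lookalike pairs at the line where the second spelling first appears, followed by the control characters found in the string and comment.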