Determine security ramifications to protect personal data and information
111 Discussions

Intel's response to Trojan Source attacks

0 0 1,411

Intel is aware of recent reports where malicious actors have attacked software source code files while being compiled from source into binary files. Although the Intel portfolio does not appear impacted, Intel is prescribing additional checks for controls mitigations  to assist users of Intel compilers.

The vulnerability reported by third parties is referred to as “Trojan Source” and has been assigned CVE-2021-42574 and CVE-2021-42694 .  The attack targets C, C++, C#, JavaScript, Java, Rust, Go, and Python, but the Intel Product Security and Incident Response Team (PSIRT) suspects these techniques would work against most other modern languages.  As Intel understands from the reported CVEs, the flaws arise from the way Unicode standards are implemented within the context of integrated development environments (IDEs), which have specialized requirements for rendering text.

The attack technique as described uses bidirectional control characters which have not been recorded before. However, Trojan Source attacks generally are not new and have been cited previously in discussion boards and project mailing lists since at least 2017. Further details can be reviewed in the Sources section below.

Customers concerned about this issue are advised to follow industry standard practices to ensure the quality and ability to trust the code they are ingesting.  Scanning software using tools such as clang-tidy or other third party tools used before compiling can help to mitigate concerns for this issue.



Tags (2)
About the Author
Intel Product Assurance and Security (IPAS) is designed to serve as a security center of excellence – a sort of mission control – that looks across all of Intel. Beyond addressing the security issues of today, we are looking longer-term at the evolving threat landscape and continuously improving product security in the years ahead.