Intel is aware of recent reports in which malicious actors have attacked software source code files while they are being compiled from source into binary files. Although the Intel portfolio does not appear to be impacted, Intel is prescribing additional checks and mitigations to assist users of Intel compilers.
The vulnerability reported by third parties is referred to as “Trojan Source” and has been assigned CVE-2021-42574 and CVE-2021-42694. The attack targets C, C++, C#, JavaScript, Java, Rust, Go, and Python, but the Intel Product Security and Incident Response Team (PSIRT) suspects these techniques would work against most other modern languages. As Intel understands from the reported CVEs, the flaws arise from the way Unicode standards are implemented within the context of integrated development environments (IDEs), which have specialized requirements for rendering text.
The attack technique as described uses bidirectional control characters which have not been recorded before. However, Trojan Source attacks generally are not new and have been cited previously in discussion boards and project mailing lists since at least 2017. Further details can be reviewed in the Sources section below.
Customers concerned about this issue are advised to follow industry-standard practices to ensure the quality and trustworthiness of the code they are ingesting. Scanning software before compiling, using clang-tidy or other third-party tools, can help mitigate concerns about this issue.
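The following Python scanner is an added example, not Intel's code or part of the original advisory: it reports the Unicode bidirectional control characters associated with CVE-2021-42574 and marks lines that leave one open at end of line. The function names and the constructed `SAMPLE` text are assumptions made for illustration.

```python
import sys
import unicodedata

# Bidirectional formatting characters associated with CVE-2021-42574.
EMBED_OPEN = frozenset("\u202a\u202b\u202d\u202e")  # LRE, RLE, LRO, RLO
ISOLATE_OPEN = frozenset("\u2066\u2067\u2068")      # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                       # their closers
BIDI = EMBED_OPEN | ISOLATE_OPEN | {PDF, PDI}

SAMPLE = ('total = 1\n'  # constructed sample; escapes keep this file clean
          'label = "a\u2066b\u2069c"  # balanced isolate\n'
          'note = "x\u202ey"  # override left open\n')

def scan_source(text):
    """Return (line, column, 'U+XXXX NAME') for each bidi control found."""
    return [(lineno, col, "U+%04X %s" % (ord(ch), unicodedata.name(ch)))
            for lineno, line in enumerate(text.split("\n"), start=1)
            for col, ch in enumerate(line, start=1) if ch in BIDI]

def unterminated_lines(text):
    """Return line numbers where a bidi control is still open at end of line."""
    bad = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        stack = []  # closers we still expect, innermost last
        for ch in line:
            if ch in EMBED_OPEN:
                stack.append(PDF)
            elif ch in ISOLATE_OPEN:
                stack.append(PDI)
            elif ch == PDI and PDI in stack:
                while stack.pop() != PDI:  # PDI also ends embeddings inside it
                    pass
            elif ch == PDF and stack and stack[-1] == PDF:
                stack.pop()
        if stack:
            bad.append(lineno)
    return bad

if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        still_open = set(unterminated_lines(text))
        for lineno, col, label in scan_source(text):
            flag = " (left open)" if lineno in still_open else ""
            print("%s:%d:%d: %s%s" % (path, lineno, col, label, flag))
            status = 1
    sys.exit(status)
```

Run it over the source files to be compiled; a non-zero exit status means at least one bidirectional control character was found and the file should be reviewed before it is trusted.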
Sources
https://access.redhat.com/security/vulnerabilities/RHSB-2021-007
https://snyk.io/blog/how-to-detect-mitigate-trojan-source-attacks-javascript-eslint/
https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/