The “Trojan Source” Algorithm Flaw Affects the Security of Nearly All Code

New research published on November 1 warns that nearly all compilers (the programs that turn human-readable source code into machine code a computer can execute) are vulnerable to an “insidious attack” in which an attacker can introduce targeted vulnerabilities into any software without being detected. Disclosure of the flaw was coordinated with multiple organizations, some of which are now releasing updates to address the security weakness.

Researchers at the University of Cambridge discovered a bug that affects the compilers of most computer code and many software development environments. The problem lies in a component of Unicode (https://home.unicode.org/), the digital text encoding standard that allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emoji).

Specifically, the weakness involves Unicode's bidirectional or “Bidi” algorithm (https://www.w3.org/International/articles/inline-bidi-markup/uba-basics), which handles the display of text that includes mixed scripts with different display orders, such as Arabic (read right to left) and English (read left to right).

But computer systems need a deterministic way to resolve conflicting directionality in text. Enter the “Bidi override”, which can be used to make left-to-right text read right to left, and vice versa.

“In some scenarios, the default ordering set by the Bidi algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware spread via email (https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/).

Here is the problem: most programming languages allow these Bidi overrides to be placed in comments and strings. That is bad because most programming languages allow comments, within which all text, including control characters (https://en.wikipedia.org/wiki/Control_character), is ignored by compilers and interpreters. It is also bad because most programming languages allow string literals (https://www.ibm.com/docs/en/zos/2.3.0?topic=literals-string) that may contain arbitrary characters, including control characters.

Ross Anderson, a co-author of the research and professor of computer security at the University of Cambridge, said: “So you can use them in source code that appears innocuous to a human reviewer but actually does something nasty. That is bad news for projects like Linux and Webkit, which accept contributions from random people, subject them to manual review, and then incorporate them into critical code. As far as I know, this is the first vulnerability that affects everything.”

The research paper, which names the vulnerability “Trojan Source” (https://www.trojansource.codes/), notes that while both comments and strings have syntax-specific semantics marking their start and end, Bidi overrides do not respect these bounds. From the paper:

“Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”

“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically valid source code in most modern languages for which the display order of characters diverges greatly from the real logic. In effect, we turn program A into program B.”

Anderson said the attack could be hard for human code reviewers to detect, because the rendered source code looks perfectly acceptable.

“If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected,” he said.

Equally concerning is that Bidi override characters persist through the copy-and-paste functions of most modern browsers, editors, and operating systems.

“Any developer who copies code from an untrusted source into a protected code base may inadvertently introduce an invisible vulnerability,” Anderson said. “Such code copying is a significant source of real-world security vulnerabilities.”

Matthew Green (https://isi.jhu.edu/~mgreen/), an associate professor at the Johns Hopkins Information Security Institute, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code differently from how a reader would expect.

[Image: https://static001.geekbang.org/infoq/63/63d2d5af6c3d181ccc086f62de9f7e1e.jpeg]
Image source: XKCD.com/2347/

“Before reading this paper, the idea that Unicode could be exploited in some way would not have surprised me,” Green said. “What surprised me is how many compilers happily parse Unicode without using any defenses, and how effective their right-to-left encoding technique is at embedding code into codebases. That is a very clever method that I had not thought of before.”

In Green's view, the good news is that the researchers conducted a widespread vulnerability scan but were unable to find evidence that anyone was exploiting this flaw.

However, Green also said: “The bad news is that we have no defenses against it, and now that people know about it they might start exploiting it. Hopefully compiler and code editor developers will patch this vulnerability quickly! But since some people do not update their development tools regularly, there will be some risk for a while at least.”

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said the Cambridge research presents “a very simple, elegant set of attacks that could make supply-chain attacks much more common and much worse.”

“It is already hard for people to tell ‘this is OK’ from ‘this is evil’ in source code,” Weaver said. “With this attack, you can use the shift in directionality to change how comments and strings render, so that, for example, ‘this is okay’ is how it renders but ‘this is’ okay is how it exists in the code. Fortunately this signature is very easy to scan for, so compilers can (detect) it if they encounter it in the future.”

The latter half of the Cambridge paper is a fascinating case study on the complexities of coordinating vulnerability disclosure among so many affected programming languages and software companies. The researchers said they offered a 99-day embargo period following their initial disclosure to allow affected products to be repaired with software updates.

“We met a variety of responses ranging from patching commitments and bug bounties to quick dismissal and references to legal policies,” the researchers wrote. “Of the nineteen software suppliers with whom we engaged, seven used an outsourced platform for receiving vulnerability disclosures, six had dedicated web portals for vulnerability disclosures, four accepted disclosures via PGP-encrypted email, and two accepted disclosures only via non-PGP email. They all confirmed receipt of our disclosure, and ultimately nine of them committed to releasing a patch.”

Eleven of the recipients had bug bounty programs offering payment for vulnerability disclosures. But of these, only five paid bounties, with an average payment of $2,246 and a range of $4,475, the researchers reported.

[Image: https://static001.geekbang.org/infoq/1d/1db2f00dfeecdc1e6854328cc07ecc35.jpeg]

Anderson said that so far roughly half of the organizations contacted that maintain the affected computer programming languages have promised patches. Others are dragging their feet.

“We will monitor their deployment over the next few days,” Anderson said. “We also expect Github, Gitlab and Atlassian to take action, so their tools should be able to detect attacks on code in languages that lack Bidi character filtering.”

As for what needs to be done about Trojan Source, the researchers urge governments and companies that rely on critical software to identify their suppliers' posture, exert pressure on them to implement adequate defenses, and ensure that any gaps are covered by controls elsewhere in their toolchain.

“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses,” the paper concludes. “As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses.”

Weaver called the research “very good work at stopping something before it becomes a problem.”

“The coordinated disclosure is a good study on fixing these problems,” he said. “The vulnerability is real, but it also highlights the larger vulnerability of the constantly shifting dependencies and packages that our modern code relies on.”

Rust has issued a security advisory (https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html) for this security weakness, which is tracked as CVE-2021-42574 and CVE-2021-42694. Security advisories from other affected languages will be added and updated here.

The Trojan Source research paper can be downloaded at: https://www.trojansource.codes/trojan-source.pdf

About the author:
Brian Krebs, independent investigative journalist. Covers cybercrime, security, and privacy. Author of the New York Times bestseller Spam Nation. Former Washington Post reporter (1995 to 2009).

Original link:
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/
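The article explains that Bidi override characters ride into source code inside comments and string literals, where compilers ignore them, and Weaver notes that their signature is easy to scan for. The following is an added example of such a scan, written for this page; it is not code from the Cambridge paper, from Rust, or from any other project named above. It walks source text and reports every Bidi embedding, override and isolate code point with its line, column and Unicode name, so a pre-commit hook or CI job can refuse files that carry them. The sample source text and the function names are constructed for the demonstration.

```python
"""Detect Unicode bidirectional (Bidi) control characters in source text.

Added example for this article, not code from the Cambridge paper, Rust or
any other project it mentions. The sample source below is constructed.
"""
import unicodedata
from typing import List, NamedTuple

# The nine Bidi formatting characters the Trojan Source technique relies on:
# explicit embeddings (LRE/RLE), overrides (LRO/RLO), their terminator (PDF),
# and the isolates (LRI/RLI/FSI) with their terminator (PDI).
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"        # LRI RLI FSI PDI
)


class Finding(NamedTuple):
    line: int       # 1-based line number
    column: int     # 1-based character offset within the line
    codepoint: str  # e.g. "U+202E"
    name: str       # e.g. "RIGHT-TO-LEFT OVERRIDE"


def find_bidi_controls(text: str) -> List[Finding]:
    """Return every Bidi control character in text, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    Finding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def is_clean(text: str) -> bool:
    """True when the text contains no Bidi control characters at all."""
    return not find_bidi_controls(text)


def strip_bidi_controls(text: str) -> str:
    """Remove Bidi controls; only do this after a reviewer has confirmed intent."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def format_report(findings: List[Finding]) -> str:
    """Render findings as grep-style 'line:col: U+XXXX NAME' lines."""
    return "\n".join(f"{f.line}:{f.column}: {f.codepoint} {f.name}" for f in findings)


# Constructed sample: one comment and one string literal each carrying a Bidi
# control, written as \u escapes so this file itself stays free of them.
SAMPLE = (
    "def check_access(user):\n"
    "    # \u202e comment\n"
    "    name = \"\u2067abc\"\n"
    "    return name\n"
)


if __name__ == "__main__":
    hits = find_bidi_controls(SAMPLE)
    print(format_report(hits) if hits else "no Bidi controls found")
```

Flagging every occurrence is the conservative choice for a code base that is not expected to contain right-to-left text. Localized software can legitimately embed such characters in string literals, so treat a hit as something a reviewer must inspect in an editor that renders control characters visibly, rather than something to strip automatically.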