Stream: Miscellaneous

Topic: Attacks by using Unicode to inject invisible source code


view this post on Zulip Michael Soegtrop (Nov 04 2021 at 08:51):

I found this paper interesting: (https://www.trojansource.codes/trojan-source.pdf) - it describes how to inject invisible (skipping reviews) source code using unicode tricks - any compiler accepting full Unicode input should be vulnerable to this (I created issues for coqc, ocaml and CompCert to have this checked).

view this post on Zulip Karl Palmskog (Nov 04 2021 at 09:08):

see also discussion here which mentioned the authors' info page for this paper: https://coq.zulipchat.com/#narrow/stream/237977-Coq-users/topic/Finding.20an.20old.20Coq-club.20post.20on.20Pollack.20inconsistency.3F

view this post on Zulip Michael Soegtrop (Nov 04 2021 at 12:34):

Thanks - I didn't know the term "Pollack inconsistency" and didn't associate it with this.


Last updated: Aug 19 2022 at 21:02 UTC