In summary, you may use Hex Fiend in any project as long as you include the copyright notice somewhere in the documentation. Hex Fiend is only available on Mac OS X, and is supported on Mountain Lion and later. The Hex Fiend source code is available at and on GitHub at . Hex Fiend comes with some sample code ("HexFiendling"), distributed as part of the project. And of course the Hex Fiend application itself is open source, acting as more sophisticated sample code.

Virtually all compilers - programs that transform human-readable source code into computer-executable machine code - are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of which are now releasing updates to address the security weakness.

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode's bi-directional or "Bidi" algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic - which is read right to left - and English (left to right). But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the "Bidi override," which can be used to make left-to-right text read right-to-left, and vice versa.

"In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient," the Cambridge researchers wrote. "For these cases, Bidi override control characters enable switching the display ordering of groups of characters."

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. Here's the problem: most programming languages let you put these Bidi overrides in comments and strings. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

This is bad because most programming languages allow comments within which all text - including control characters - is ignored by compilers and interpreters. It is also bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

"So you can use them in source code that appears innocuous to a human reviewer can actually do something nasty," said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. "That's bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything."

The research paper, which dubbed the vulnerability "Trojan Source," notes that while both comments and strings have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides.

"Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code."

"Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B."

Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable.
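As an added defensive example (this is not code from the Hex Fiend project or from the Cambridge paper), the following Python scanner locates the Unicode Bidi control characters discussed above and reports any line on which an embedding or override is opened but never closed, which is the pattern a code reviewer or CI check would want to surface. The sample source is constructed for this example.

```python
import unicodedata

# Unicode Bidi control characters (code points from the Unicode standard).
OPENERS = {
    "\u202a", "\u202b", "\u202d", "\u202e",  # LRE, RLE, LRO, RLO: open embedding/override
    "\u2066", "\u2067", "\u2068",            # LRI, RLI, FSI: open isolate
}
CLOSERS = {"\u202c", "\u2069"}               # PDF, PDI: close embedding/isolate
BIDI_CONTROLS = OPENERS | CLOSERS


def find_bidi_controls(source: str):
    """Return (line, column, character name) for every Bidi control in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def unterminated_lines(source: str):
    """Line numbers where an opener is not closed before the end of the line.

    The Bidi algorithm terminates embeddings at a paragraph (line) break, so a
    legitimate use is normally balanced within one line. An opener left dangling
    inside a comment or string is the shape the Trojan Source paper describes.
    """
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth = 0
        for ch in line:
            if ch in OPENERS:
                depth += 1
            elif ch in CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            bad.append(lineno)
    return bad


# Constructed sample: line 2 hides an unclosed RLO in a comment,
# line 3 carries a balanced LRE...PDF pair inside a string literal.
SAMPLE = (
    "balance = 100\n"
    "pay(balance)  # \u202e ok\n"
    'label = "\u202aLeft\u202c"\n'
)

if __name__ == "__main__":
    for line, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line} col {col}: {name}")
    print("unterminated on lines:", unterminated_lines(SAMPLE))
```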