Don’t let Trojan Source sneak into your code

Protect your organization from the Trojan Source exploit with fast and trusted vulnerability detection from Rapid Scan Static.


As everyone in the industry knows, not all software vulnerabilities are equal: some are trivial, some are irrelevant to a given deployment, and some are severe. The severe ones are where your attention should go first.

The recently published Trojan Source vulnerability (CVE-2021-42574) falls into the severe category, meaning it deserves your full attention. It is classified as severe for multiple reasons: it is damaging (at the time of writing the NVD lists a CVSS base score of 9.8), it is pervasive because it applies to practically every language and toolchain, and it is very hard to find by eye.

About the Trojan Source vulnerability

Researchers at the University of Cambridge recently disclosed Trojan Source, a vulnerability that can affect any codebase regardless of the programming language. Unicode bidirectional (bidi) control characters change the order in which text is displayed, so the rendering of source code in an editor or code review tool can differ from the order in which the compiler actually parses it. An attacker can use this to plant logic that a human reviewer reads as benign while the compiler sees something else entirely.

For example, the following snippet appears safe when rendered in an editor, but it contains invisible bidi control characters that change what the compiler parses.

/* begin sensitive block */ if (properlySanitized(user_input)==true) {
sensitive_api_call(user_input);
/* end sensitive block */ }

In the file's actual (logical) character order, with the control characters made visible as <RLO>, <LRI> and <PDI>, the compiler sees

/*<RLO> } <LRI>if (properlySanitized(user_input)==true)<PDI> <LRI> begin sensitive block */
sensitive_api_call(user_input);
/* end sensitive block <RLO> { <LRI>*/

The entire first line is a comment, so sensitive_api_call(user_input) is never guarded by properlySanitized at all, and the closing brace the reviewer sees on the last line is also inside a comment. The bidi overrides only rearrange how the characters are displayed; the compiler ignores them and reads the line left to right.

Organizations need tooling for this problem because of how easily the characters can be introduced into a codebase. For example, when a developer searches the web for a way to implement an algorithm or use an API, they might copy and paste a code snippet from the search results. If the copied snippet contains bidi control characters, the trojan is planted along with it. This kind of vulnerability is difficult to catch in manual code review because reviewers are not looking for hidden characters, and most editors and diff viewers do not show them.

This vulnerability can also enter a codebase through the supply chain of third-party components. A popular dependency could include the malicious code, and it might not be caught during review because bidi control characters are invisible in most editors and code review tools.
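As an added example for this post (illustrative code, not Rapid Scan Static, the Sigma engine, or anything from the Trojan Source authors), the following Python scanner flags the nine Unicode bidi control characters that make the attack possible, shows how a compiler's lexer sees the text, and walks a directory tree so it can be run as a CI or pre-commit gate. The set of source file extensions is an assumption for the example, and TROJAN_SNIPPET is a constructed sample that reproduces the page's snippet above with the real control characters in place.

```python
"""Added example: detect Unicode bidi controls that enable Trojan Source.

Illustrative scanner written for this page; not Rapid Scan Static or Sigma.
"""
import os
import sys
import tempfile
from pathlib import Path

# The bidi embedding, override and isolate controls (U+202A..U+202E, U+2066..U+2069).
# Invisible in most editors, but they reorder how the following text is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions treated as source code: an assumption for this example, extend as needed.
SOURCE_EXTS = {".c", ".h", ".cc", ".cpp", ".hpp", ".java", ".js", ".ts", ".py",
               ".go", ".rs", ".cs", ".php", ".swift", ".kt", ".rb", ".sh"}

# Constructed sample: the page's snippet in logical (stored) order with real bidi
# characters. Rendered, it looks like a guarded call; to the lexer, line 1 is one
# long comment, so sensitive_api_call() runs unconditionally.
TROJAN_SNIPPET = (
    "/*\u202e } \u2066if (properlySanitized(user_input)==true)\u2069 \u2066 begin sensitive block */\n"
    "sensitive_api_call(user_input);\n"
    "/* end sensitive block \u202e { \u2066*/\n"
)
# Constructed sample: the same code with no hidden characters.
CLEAN_SNIPPET = (
    "/* begin sensitive block */ if (properlySanitized(user_input)==true) {\n"
    "sensitive_api_call(user_input);\n"
    "/* end sensitive block */ }\n"
)


def find_bidi_controls(text):
    """Return [(line, column, name)] for every bidi control in text (1-based)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, BIDI_CONTROLS[ch]))
    return findings


def reveal(text):
    """Make the controls visible as <RLO>, <LRI>, ... without reordering anything."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch for ch in text)


def strip_bidi(text):
    """The characters a compiler lexes: logical order with the controls removed."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def scan_tree(root, exts=SOURCE_EXTS):
    """Walk root and return {path: findings} for source files containing bidi controls."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip the object store
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                text = Path(path).read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings = find_bidi_controls(text)
            if findings:
                report[path] = findings
    return report


def demo():
    """Scan a constructed temp tree; returns {basename: number of controls found}."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.c").write_text(CLEAN_SNIPPET, encoding="utf-8")
        Path(tmp, "handler.c").write_text(TROJAN_SNIPPET, encoding="utf-8")
        Path(tmp, "README.txt").write_text("not a source file \u202e", encoding="utf-8")
        return {os.path.basename(p): len(f) for p, f in scan_tree(tmp).items()}


def main(argv):
    """CLI gate: print every hit and exit 1 if any scanned file contains a bidi control."""
    root = argv[1] if len(argv) > 1 else "."
    report = scan_tree(root)
    for path, findings in sorted(report.items()):
        for line_no, col, name in findings:
            print(f"{path}:{line_no}:{col}: bidi control {name}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python bidi_scan.py path/to/repo` from a pre-commit hook or a CI job; a non-zero exit blocks the merge. Reporting every bidi control "anywhere" in a file, not just in comments or strings, is deliberate: legitimate uses of these characters in source code are rare enough that each hit is worth a human look, and a narrower rule would have to reason about every language's lexer.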

Use Rapid Scan Static to scan all codebases in your enterprise

Help is available via Rapid Scan Static, a self-contained and lightweight executable built on the Sigma SAST engine, available for Linux, Windows, and macOS. Coverity® customers can download the latest version via the Synopsys community portal. Starting in version 2021.11.1, Rapid Scan Static detects the Unicode bidi Trojan Source vulnerability across all languages it supports, including C/C++, Java, JavaScript, C#, Python, Go, PHP, Swift, Kotlin, and more.

The executable itself is about 50 MB and can be run standalone in the command line interface. Deploy it within a Docker container or wherever it suits your organization.

Synopsys plans to roll out additional improvements over upcoming releases. For now, the checker must be enabled explicitly with the --enable trojan_source_bidi_char_anywhere option, as shown in Figure 1 below.

The following output is from running Rapid Scan Static against the Linux kernel codebase, and no bidi control characters were found in this important codebase. Notice that the engine identified about 70,000 files, and Rapid Scan Static scanned roughly 55,000 source files in 11 seconds.

% git clone https://github.com/torvalds/linux.git

% sigma analyze --enable trojan_source_bidi_char_anywhere linux
Copyright (c) 2021 Synopsys, Inc.
For documentation and support, visit https://community.synopsys.com


Identified

│    File Type     │Occurrences│
├──────────────────┼───────────┤
│C                 │      30678│
│C Header          │      22254│
│Device Tree       │       4008│
│ReStructuredText  │       2982│
│Makefile          │       2671│
│Plain Text        │       2452│
│YAML              │       2174│
│GNU Style Assembly│       1201│
│Shell             │        679│
│JSON              │        412│
│Python            │        140│
│SVG               │         59│
│Perl              │         55│
│BASH              │         52│
│Properties        │         33│
│ASN.1             │         17│
│...               │        ...│


No issues found after 11 seconds
%

Figure 1: Rapid Scan Static output of the Linux kernel codebase

Next steps

Given how easily this vulnerability can be introduced, and especially now that the technique is public, Synopsys encourages CISOs, security professionals, and developers to scan all codebases across their company to confirm that no Trojan Source bidi characters are currently present. Running the scan nightly, or alongside the other scans already in the CI/CD pipeline, will catch any future introductions before they are merged.

If you are an existing Coverity customer, you can download the latest Rapid Scan Static version via the Synopsys community portal.

Posted by the Rapid Scan Static Team