[ovs-dev] [PATCH v1] checkpatch: Detect "trojan source" attack

Gaëtan Rivet grive at u256.net
Wed Nov 10 10:08:28 UTC 2021


On Tue, Nov 2, 2021, at 19:43, Mike Pattrick wrote:
> Recently there has been a lot of press about the "trojan source" attack,
> where Unicode characters are used to obfuscate the true functionality of
> code. This attack didn't affect OVS, but adding the check here will help
> guard against it sneaking in later.
>
> Signed-off-by: Mike Pattrick <mkp at redhat.com>

Hi,

What did you base the selection of characters to blacklist on?

Reading issues open on other languages, I haven't found a good comprehensive
set of characters that would need to be blacklisted. I'm not sure it is a sufficient
approach: getting creative and circumventing this kind of blacklist would be a sport.

Instead, shouldn't we take the reverse approach and whitelist single-byte chars?
(warn on multi-byte unicode sequence). It would be sufficient for the vast majority
of C sources (and scripts).

If there are exceptions, at least checkpatch would still show a warning about
the introduced characters and they could be reviewed on a case-by-case basis.
The idea is only to make invisible chars visible to reviewers.

WDYT?

-- 
Gaetan Rivet
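To make the two approaches in this thread concrete, here is an added example (not OVS's utilities/checkpatch.py, and not code posted by either participant) that scans the added lines of a patch two ways: with a blacklist of the Unicode bidirectional override/isolate controls, and with the inverse rule that warns on any character outside 7-bit ASCII. The sample patch, the function names and the tuple format are assumptions made for this illustration. The sample deliberately contains a legitimate accented name, a RIGHT-TO-LEFT OVERRIDE and a ZERO WIDTH SPACE so that the difference between the two rules is visible.

```python
import unicodedata

# Constructed sample patch (not from the OVS tree). Patch line 6 carries an
# accented name in a comment, line 7 hides a RIGHT-TO-LEFT OVERRIDE (U+202E)
# inside a string literal, and line 8 ends with a ZERO WIDTH SPACE (U+200B).
SAMPLE_PATCH = (
    "diff --git a/lib/example.c b/lib/example.c\n"
    "--- a/lib/example.c\n"
    "+++ b/lib/example.c\n"
    "@@ -1,3 +1,4 @@\n"
    " /* Author: Ga\u00ebtan */\n"
    "+    /* Reviewed by Ga\u00ebtan */\n"
    "+    if (access_level != \"user\u202e // check if admin\") {\n"
    "+        return ok;\u200b\n"
    "-    return ok;\n"
)

# Blacklist approach: the Unicode bidi marks, embeddings, overrides and
# isolates (ALM, LRM, RLM, LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI).
# Anything not in this set, such as U+200B, is not reported by this rule.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def added_lines(patch_text):
    """Yield (patch_line_no, content) for each line the patch adds.

    Lines starting with '+++' are file headers, not added code, so they
    are skipped; the leading '+' is stripped from the content.
    """
    for lineno, line in enumerate(patch_text.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            yield lineno, line[1:]


def _scan(patch_text, is_suspect):
    """Return (patch_line_no, column, codepoint) for every suspect char."""
    hits = []
    for lineno, content in added_lines(patch_text):
        for col, ch in enumerate(content):
            if is_suspect(ch):
                hits.append((lineno, col, ord(ch)))
    return hits


def find_blacklisted(patch_text, blacklist=BIDI_CONTROLS):
    """Blacklist rule: report only characters in the known-bad set."""
    return _scan(patch_text, lambda ch: ch in blacklist)


def find_non_ascii(patch_text):
    """Whitelist rule: report every character outside 7-bit ASCII, so that
    multi-byte sequences are always surfaced to the reviewer."""
    return _scan(patch_text, lambda ch: ord(ch) > 0x7F)


def describe(hit):
    """Render a hit with its code point and Unicode name, so an invisible
    character becomes visible in the checkpatch output."""
    lineno, col, cp = hit
    name = unicodedata.name(chr(cp), "<unnamed>")
    return "line %d, col %d: U+%04X %s" % (lineno, col, cp, name)


if __name__ == "__main__":
    print("blacklist rule:")
    for hit in find_blacklisted(SAMPLE_PATCH):
        print("  " + describe(hit))
    print("non-ASCII rule:")
    for hit in find_non_ascii(SAMPLE_PATCH):
        print("  " + describe(hit))
```

Run against the sample, the blacklist rule reports only the U+202E on patch line 7; the non-ASCII rule additionally reports the accented name on line 6 (a false positive a reviewer can wave through) and the U+200B on line 8 (which the bidi blacklist does not cover). Either rule would hook into a per-added-line check in a checkpatch-style script; the non-ASCII rule is the one that needs no maintenance as new Unicode tricks appear.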

