[Cryptography] Source code that looks like completely different source code
Kevin W. Wall
kevin.w.wall at gmail.com
Mon Dec 13 16:18:50 EST 2021
On Mon, Dec 13, 2021 at 3:56 PM Dan McDonald <danmcd at kebe.com> wrote:
> On Dec 12, 2021, at 8:07 PM, Ray Dillinger <bear at sonic.net> wrote:
> >
> > I don't know whether this is 'steganography' as commonly understood, but
> > the idea of hiding one message in what appears to be another seems to be
> > relevant, as does the threat to digital security.
>
> This broke a few weeks ago.
>
> I know that Rust (recently mentioned here in another thread) added
> compiler support to thwart bidirectional redirects at compile time:
>
>
> https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html#mitigations
>
> AIUI one's editor, or one's editor settings, may make a difference here as
> well. I added this to my .emacs around that time:
>
> (setq bidi-display-reordering nil)
>
> It's a clever attack vector, to be sure.
There is also a semgrep rule for these BIDI attacks in case your compiler
doesn't protect you:
https://semgrep.dev/s/Ev2B
Of course, none of this would be a problem if we just forced people to
write code in EBCDIC using punched cards like we did in the good old days.
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
| OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20211213/9e9cf0e4/attachment.htm>
More information about the cryptography
mailing list