[Cryptography] Source code that looks like completely different source code

Kevin W. Wall kevin.w.wall at gmail.com
Mon Dec 13 16:18:50 EST 2021

On Mon, Dec 13, 2021 at 3:56 PM Dan McDonald <danmcd at kebe.com> wrote:

> On Dec 12, 2021, at 8:07 PM, Ray Dillinger <bear at sonic.net> wrote:
> >
> > I don't know whether this is 'steganography' as commonly understood, but
> > the idea of hiding one message in what appears to be another seems to be
> > relevant, as does the threat to digital security.
> This broke a few weeks ago.
> I know that Rust (recently mentioned here in another thread) added
> compiler support to thwart bidirectional redirects at compile time:
> https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html#mitigations
> AIUI one's editor, or one's editor settings, may make a difference here as
> well. I added this to my .emacs around that time:
>         (setq bidi-display-reordering nil)
> It's a clever attack vector, to be sure.

There is also a semgrep rule for these BIDI attacks in case your compiler
doesn't protect you:
Of course, none of this would be a problem if we just forced people to
write code in EBCDIC using punched cards like we did in the good old days.

Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
| OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20211213/9e9cf0e4/attachment.htm>

More information about the cryptography mailing list