<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">On Mon, Dec 13, 2021 at 3:56 PM Dan McDonald <<a href="mailto:danmcd@kebe.com">danmcd@kebe.com</a>> wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Dec 12, 2021, at 8:07 PM, Ray Dillinger <<a href="mailto:bear@sonic.net" target="_blank">bear@sonic.net</a>> wrote:<br>
> <br>
> I don't know whether this is 'steganography' as commonly understood, but<br>
> the idea of hiding one message in what appears to be another seems to be<br>
> relevant, as does the threat to digital security.<br>
<br>
This broke a few weeks ago.<br>
<br>
I know that Rust (recently mentioned here in another thread) added compiler support to thwart bidirectional redirects at compile time:<br>
<br>
<a href="https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html#mitigations" rel="noreferrer" target="_blank">https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html#mitigations</a><br>
<br>
AIUI one's editor, or one's editor settings, may make a difference here as well. I added this to my .emacs around that time:<br>
<br>
(setq bidi-display-reordering nil) <br>
<br>
It's a clever attack vector, to be sure.<span class="gmail_default" style="font-family:monospace,monospace"></span></blockquote><div><br></div><div><div style="font-family:monospace,monospace" class="gmail_default">There is also a semgrep rule for these BIDI attacks in case your compiler doesn't protect you:</div><div style="font-family:monospace,monospace;margin-left:40px" class="gmail_default"><a href="https://semgrep.dev/s/Ev2B">https://semgrep.dev/s/Ev2B</a></div><div style="font-family:monospace,monospace" class="gmail_default"></div><div style="font-family:monospace,monospace" class="gmail_default">Of course, none of this would be a problem if we just forced people to write code in EBCDIC using punched cards like we did in the good old days.</div><div style="font-family:monospace,monospace" class="gmail_default"><br></div><div style="font-family:monospace,monospace" class="gmail_default">-kevin<br></div></div></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Blog: <a href="https://off-the-wall-security.blogspot.com/" target="_blank">https://off-the-wall-security.blogspot.com/</a> | Twitter: @KevinWWall | OWASP ESAPI Project co-lead<br>NSA: All your crypto bit are belong to us.</div></div></div></div>