The attack is known, not novel

[karalabe]

Reported 5 years ago on the Go repository https://github.com/golang/go/issues/20209

[nickboucher]

Thank you for sharing this link!

We will leave this comment here on GitHub for reference to include with the history of this technique.

The attacks proposed in Trojan Source represent a much larger attack surface than string literals in Go, which as of the time of publication are still vulnerable in our tests. The commenting-out and early return techniques described in the paper also represent novel attack vectors.

[karalabe]

I believe the correct thing to do is to rephrase your paper as a variation of the above attack. Given that my attack was published 5 years ago, it seems dishonest of you to claim ownership of the idea.

[karalabe]

FYI, the attack I linked above used string literals as the container for the attack payload, but they modified the structure of the program, the same way that your early return or commenting out idea does. Your described attacks are nothing more than slight variations to program structure modifications that my attack already did.

[bahorn]

Just to add to this, I'm aware of quite a few examples in prior work, but not sure who originated the idea however. Goes back to 2011 at least, but wouldn't be surprised if it went back even further.

"Bug 339146 - [BiDi] Misleading display of bidirectional strings when RLO, LRO or PDF is used" (2011) by im3w1l is the earliest reference I found.

I think the main issue is the paper heavily implies you came up with the idea of using unicode tricks to backdoor code (e.g first sentence of the abstract), but that is clearly not true.

Edit: Seems Eclipse set the bug as private. I'd presume that's because people started commenting / contacting people involved in a decade old issue. Please don't do that, you aren't helping.

[G2G2G2G]

Yea I've heard of this years ago as well lmao

[JohnXLivingston]

I confirm that I heard of similar attacks 10 years ago. There can also be attacks through server logs. With special crafted requests, you can for example generate Apache or Nginx logs where you can hide commands "underneath" the IP. So if an admin tries to copy/paste the IP in a terminal, for example for a whois, you can run commands.

[G2G2G2G]

@JohnXLivingston lmao that's a good one

[djhashh]

I confirm that I heard of similar attacks 10 years ago. There can also be attacks through server logs. With special crafted requests, you can for example generate Apache or Nginx logs where you can hide commands "underneath" the IP. So if an admin tries to copy/paste the IP in a terminal, for example for a whois, you can run commands.

whoa. how?

[JohnXLivingston]

whoa. how?

Same technique: you use unicode special characters to change the write direction (for example in your user agent).