nickboucher / trojan-source

Trojan Source: Invisible Vulnerabilities
https://trojansource.codes
MIT License

That's a poor editor attack vector, not compiler/code/interpreter #5

Closed SantjagoCorkez closed 2 years ago

SantjagoCorkez commented 2 years ago


That's how IntelliJ PyCharm displays the code. Not even an issue with the right code editor. Vim users should just switch back to CP437 so that codepage does not interfere with the low-speed (300-1200 baud) terminals Vi(m) was developed for and the issue goes away.

zkrising commented 2 years ago

To add to this, things like Gremlins highlight unicode-trickery things like this with red warnings. Some editors even come with this built in. This attack is not particularly novel.

nickboucher commented 2 years ago

There's a reasonable debate to be had about whether this is an issue with compilers/interpreters or an issue with code editors/repository interfaces. Some may also argue that allowing deceptive code such as Trojan Source attacks is not the compiler's responsibility to defend unless it's specified in the relevant language specification, in which case we can add language specs to the list of potential issue owners as well.

Regardless of which stage in the development pipeline "should" implement defenses, it's possible to defend via visualizations in code editors/repo interfaces, compiler/interpreter errors, and build pipeline code scanners. I'd argue that the best defense is a defense-in-depth strategy where each of these stages has defenses implemented.

In the paper discussing this work, we discuss code editor/repository interfaces in Section VI.J, and syntax highlighting in Section VII.C.
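The build-pipeline scanner and the editor-visualization layers mentioned in the comment above can both be sketched in a few lines. The following is an added example, not code from the trojan-source project or from any commenter: it scans source text for the Unicode Bidi_Control characters (U+061C, U+200E, U+200F, U+202A-U+202E, U+2066-U+2069), reports their positions, flags lines whose embeddings or isolates are left open at end of line, and renders the controls as visible markers the way an editor plugin might. The sample source text is constructed for the demonstration.

```python
"""Detect Unicode bidirectional control characters in source text.

Added example for a defender-side scanner; not the trojan-source project's
own tooling. Code points are the Unicode Bidi_Control set.
"""
import sys
from typing import Dict, List

# Unicode Bidi_Control characters mapped to their short names.
BIDI_CONTROLS: Dict[str, str] = {
    "\u061c": "ALM",  # Arabic Letter Mark
    "\u200e": "LRM",  # Left-to-Right Mark
    "\u200f": "RLM",  # Right-to-Left Mark
    "\u202a": "LRE",  # Left-to-Right Embedding
    "\u202b": "RLE",  # Right-to-Left Embedding
    "\u202c": "PDF",  # Pop Directional Formatting
    "\u202d": "LRO",  # Left-to-Right Override
    "\u202e": "RLO",  # Right-to-Left Override
    "\u2066": "LRI",  # Left-to-Right Isolate
    "\u2067": "RLI",  # Right-to-Left Isolate
    "\u2068": "FSI",  # First Strong Isolate
    "\u2069": "PDI",  # Pop Directional Isolate
}

EMBEDDING_OPENERS = {"LRE", "RLE", "LRO", "RLO"}  # closed by PDF
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}           # closed by PDI


def scan_source(text: str) -> List[dict]:
    """One finding per Bidi_Control character: 1-based line and column, plus name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                findings.append({"line": line_no, "col": col, "name": name})
    return findings


def unterminated_lines(text: str) -> List[int]:
    """Line numbers whose embedding/isolate stack is still open at end of line."""
    bad = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack: List[str] = []
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name in EMBEDDING_OPENERS or name in ISOLATE_OPENERS:
                stack.append(name)
            elif name == "PDF" and stack and stack[-1] in EMBEDDING_OPENERS:
                stack.pop()
            elif name == "PDI":
                # PDI closes the nearest open isolate and anything nested in it.
                while stack:
                    if stack.pop() in ISOLATE_OPENERS:
                        break
        if stack:
            bad.append(line_no)
    return bad


def make_visible(text: str) -> str:
    """Replace each Bidi_Control character with a visible <U+XXXX NAME> marker."""
    return "".join(
        f"<U+{ord(ch):04X} {BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
        for ch in text
    )


# Constructed sample: one balanced override in a comment, one isolate left open.
SAMPLE_SOURCE = (
    "def check(flag):\n"
    "    if flag:  # \u202e override hidden in a comment \u202c\n"
    "        return True\n"
    "    return False  # \u2067 isolate that is never closed\n"
)


if __name__ == "__main__":
    # Usage: python bidi_scan.py [file]; exits non-zero when any control is found.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_SOURCE
    hits = scan_source(src)
    for hit in hits:
        print(f"{hit['line']}:{hit['col']}: Bidi control {hit['name']}")
    for line_no in unterminated_lines(src):
        print(f"{line_no}: bidi embedding/isolate left open at end of line")
    print(make_visible(src))
    sys.exit(1 if hits else 0)
```

Treating any Bidi_Control character in source as a hard failure is the simplest pipeline policy; where a project legitimately needs them in string literals, `unterminated_lines` gives a narrower signal, and `make_visible` is the output an editor or code-review interface would show so the reviewer sees what the compiler sees.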