The attack is known, not novel #2
Comments
|
Thank you for sharing this link! We will leave this comment here on GitHub for reference to include with the history of this technique. The attacks proposed in Trojan Source represent a much larger attack surface than string literals in Go, which as of the time of publication are still vulnerable in our tests. The |
|
I believe the correct thing to do is to rephrase your paper as a variation of the above attack. Given that my attack was published 5 years ago, it seems dishonest of you to claim ownership of the idea. |
|
FYI, the attack I linked above used string literals as the container for the attack payload, but they modified the structure of the program, the same way that your |
|
Just to add to this, I'm aware of quite a few examples in prior work, but not sure who originated the idea however. Goes back to 2011 at least, but wouldn't be surprised if it went back even further. "Bug 339146 - [BiDi] Misleading display of bidirectional strings when RLO, LRO or PDF is used" (2011) by im3w1l is the earliest reference I found. I think the main issue is the paper heavily implies you came up with the idea of using unicode tricks to backdoor code (e.g first sentence of the abstract), but that is clearly not true. Edit: Seems Eclipse set the bug as private. I'd presume that's because people started commenting / contacting people involved in a decade old issue. Please don't do that, you aren't helping. |
|
Yea I've heard of this years ago as well lmao |
|
I confirm that I heard of similar attacks 10 years ago. |
|
@JohnXLivingston lmao that's a good one |
whoa. how? |
Same technique: you use unicode special characters to change the write direction (for example in your user agent). |
Reported 5 years ago on the Go repository golang/go#20209
The text was updated successfully, but these errors were encountered: