A new study shows that source code written in almost any programming language is vulnerable to a sneaky kind of attack that could, in the worst case, be used to mount large-scale supply chain attacks.
The flaw in question was uncovered by researchers at the University of Cambridge in England, who have taken to calling it the “Trojan Source” vulnerability. Specifically, Trojan Source exploits a gap between what compilers and interpreters, the key pieces of software that turn human-written source code into something a machine can run, actually read from a source file and what the humans reviewing that file see on screen.
When software is developed, programmers write it in a human-readable language, known as “high-level” code. This includes languages like Java, C++, Python, and so on. However, for the program’s instructions to actually be executed by a computer, they have to be translated into a machine-readable format consisting purely of binary bits, often called “machine code.” This is where compilers come in (and, for languages like Python, interpreters, which do the equivalent job as the program runs). They effectively act as intermediaries between human and machine, translating one language into another.
Unfortunately, as the new study shows, that translation step can be turned against the people whose job is to review code. The trick relies on Unicode’s bidirectional (“Bidi”) control characters: invisible characters that tell text renderers to display a run of text right-to-left, as needed for scripts like Arabic and Hebrew. Nearly all compilers and interpreters accept these characters inside comments and string literals and process the code in its logical (stored) order, while editors, diff viewers and code-review tools display it in its visual order. An attacker can therefore write code that a human reviewer reads as harmless but that the compiler sees, and builds, as something else: a comment that secretly ends early, or a string that appears to contain code which is in fact executing outside it. The compiler is not being hijacked in the usual sense; it does exactly what the bytes say. The problem is that what the bytes say and what a person sees have been pulled apart.
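The following Python program is added here as an illustration; it is not code from the paper or from the article. It shows both halves of the problem: a constructed sample of source code containing a single Right-to-Left Isolate character (U+2067) that makes an early `return` look like part of a docstring, and the kind of check a compiler or code-review tool could add to catch it. The sample program and the helper names (`find_bidi_controls`, `run_untrusted`, `run_checked`) are the example’s own, not anything the researchers published.

```python
"""Trojan Source demo and detector (added example, not the paper's code)."""
import unicodedata

# Unicode bidirectional formatting characters: the embeddings and overrides
# (U+202A..U+202E) and the isolates (U+2066..U+2069). Editors render them
# as nothing, and most compilers accept them inside comments and strings.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Constructed sample in the style of the "early return" trick. Logically the
# docstring closes right after the RLI character and ";return" is a real
# statement, so the debit below it never runs. A Bidi-aware renderer lays out
# everything from the RLI to the end of the line right-to-left, so a reviewer
# sees roughly:
#     ''' Debit funds from the account, then return; '''
# and believes the word "return" is just part of the docstring.
TROJAN_SOURCE = (
    "balances = {'alice': 100}\n"
    "def debit(account, amount):\n"
    "    ''' Debit funds from the account, then \u2067''' ;return\n"
    "    balances[account] -= amount\n"
    "debit('alice', 50)\n"
)

# What the reviewer thinks they approved: the same program, genuinely honest.
HONEST_SOURCE = (
    "balances = {'alice': 100}\n"
    "def debit(account, amount):\n"
    "    ''' Debit funds from the account. '''\n"
    "    balances[account] -= amount\n"
    "debit('alice', 50)\n"
)


def find_bidi_controls(source):
    """Return (line, column, short name, Unicode name) for every Bidi control
    character in *source*. Lines and columns are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], unicodedata.name(ch)))
    return findings


def run_untrusted(source):
    """Compile and run a snippet exactly as a compiler would, in logical order,
    and return its 'balances' table so the outcome can be inspected."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace["balances"]


def run_checked(source):
    """The tool-level defense: refuse source containing any Bidi control
    character instead of quietly compiling whatever the bytes say."""
    findings = find_bidi_controls(source)
    if findings:
        where = "; ".join(
            f"line {ln} col {col}: {short} ({name})" for ln, col, short, name in findings
        )
        raise ValueError("Bidi control characters in source: " + where)
    return run_untrusted(source)


if __name__ == "__main__":
    print("honest program leaves:", run_untrusted(HONEST_SOURCE))  # {'alice': 50}
    print("trojan program leaves:", run_untrusted(TROJAN_SOURCE))  # {'alice': 100}
    print("scanner reports:", find_bidi_controls(TROJAN_SOURCE))
    try:
        run_checked(TROJAN_SOURCE)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the two programs, which differ on screen only by an invisible character, behaving differently: the honest version debits the account, the Trojan version returns before it can. A scanner like `find_bidi_controls` is cheap to run in a pre-commit hook or CI job; the stricter `run_checked` is the compiler-side stance the researchers argue for, where the presence of these characters outside of legitimately bidirectional text is treated as an error rather than silently accepted.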
As such, Trojan Source could be used to seed large-scale supply chain attacks. Such attacks, like the recent SolarWinds campaign, involve the silent insertion of malicious code into software products as a way of compromising the systems and networks of whoever uses those products. Here the vector would be code review itself: a contributor could submit a change that looks harmless to every human who reads it but compiles to a backdoor, and once merged into a widely used open-source project it would be inherited by everything built on top of that project. The researchers describe the vulnerability as “an immediate threat” that could lead to “supply-chain compromise across the industry.”
The paper suggests a number of protections to head off the problem, at several layers of the toolchain: compilers and interpreters should refuse, or at least warn about, source files that contain these invisible control characters, and editors, diff viewers and code-review tools should show them visibly instead of rendering the text as if they were not there. Cybersecurity reporter Brian Krebs has reported that, as a result of the paper, some organizations have already promised to issue patches related to Trojan Source. However, others are reportedly “dragging their feet.”
“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses,” the paper states. “As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses.”