
Detecting Malicious Unicode in Source Code and Pull Requests

Thanks to @maltfield for pointing this out.


Great, invisible characters that can do malicious stuff. That’s what a security computer needs. (sarcasm)

Thanks for the report! Good stuff.


To make future automated checks easier, just now removed all unicode from Whonix…

…except from binary files.

Used the following grep command (based on this answer) to grep all of Kicksecure and Whonix source code:

grep --exclude=changelog.upstream --exclude-dir=.git --binary-files=without-match --recursive --color='auto' -P -n '[^\x00-\x7F]'

  • --exclude=changelog.upstream

    • because this file is auto generated and its contents aren’t processed by compilers or script interpreters.
  • --exclude-dir=.git

    • once in the git history, it stays there and files in that folder shouldn’t be manually edited.
  • --binary-files=without-match

    • Otherwise matches binary files such as images, binary files in monero-gui, gpg keys. Full list: [1]

Useful to append to the grep command:

  • -l

    • to show file names only

Related:


[1]

packages/whonix/anon-ws-disable-stacked-tor/usr/share/anon-ws-disable-stacked-tor/control.authcookie
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-duck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-newspaper.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-archive.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-support.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-yacy.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-metager.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-doc.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-donate.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/whonix-logo-text.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-qwant.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-forum.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-ecosia.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-peekier.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-telegram.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-ipcheck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-contribute.png
packages/whonix/kloak/figures/train-normal_test-kloak.png
packages/whonix/kloak/figures/train-kloak_test-kloak.png
packages/whonix/kloak/figures/train-normal_test-normal.png
packages/whonix/kloak/figures/kloak.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A9A.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/62AF65BB.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA495.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA497.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A96.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/A04EE252.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_WordPress_Banner.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Banner_600x321.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Dark.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Light.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Portal.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Banners.ai
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/torbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/contribute.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/donate.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/mailinglist.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/important.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/nerolinux.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/readme.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/secbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonix.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/timesync.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/importantblog.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/featureblog.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/advancedsettings.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/chat.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/tbupdate.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonixlock.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/firewall.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/refresh.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion64.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/help.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/stop.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/prev.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/restart.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette2.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/back_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/tools.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/Exit.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/accept_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette1.png
packages/kicksecure/anon-connection-wizard/usr/share/anon-connection-wizard/advancedsettings.ico
packages/kicksecure/live-config-dist/usr/share/pixmaps/install-host.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/welcome.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/slide1.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/whonix-logo.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-success.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/restart-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/application-exit.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-warning.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/stop-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-log.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-wait.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-stopped.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-ok.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/advancedsettings.ico
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-error.png
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-ancestry
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-usage
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-mark-spent-outputs
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-export
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-import
packages/kicksecure/monero-gui/usr/bin/monero-wallet-gui
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-depth
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune
packages/kicksecure/monero-gui/usr/bin/monero-wallet-cli
packages/kicksecure/monero-gui/usr/bin/monerod
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-stats
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune-known-spent-data
packages/kicksecure/monero-gui/usr/bin/monero-gen-ssl-cert
packages/kicksecure/monero-gui/usr/bin/monero-wallet-rpc
packages/kicksecure/monero-gui/usr/bin/monero-gen-trusted-multisig
packages/kicksecure/monero-gui/usr/share/doc/monero-gui/monero-gui-wallet-guide.pdf
packages/kicksecure/monero-gui/usr/share/pixmaps/monero.png
packages/kicksecure/gpg-bash-lib/usr/share/gpg-bash-lib/misc/gpg-test-pub-key.d/pubring.gpg

Debian Bug report:


Debian lintian test unicode-trojan:
https://lintian.debian.org/tags/unicode-trojan



Bug report was rejected.

  • For simplification, all avoidable unicode has been removed from derivative-maker / Kicksecure / Whonix source code.
  • Before building Kicksecure / Whonix packages as well as before building Kicksecure / Non-Qubes-Whonix VM images, the source code of derivative-maker as well as the source code in its /packages sub folder is now scanned for unexpected unicode.

Implementation:

The above is not a full solution / workaround for:

  • or all the other projects on the internet - almost all - that would have to audit their existing source code for malicious unicode and prevent inclusion for future malicious unicode,
  • any of the other issues raised on https://trojansource.codes/ such as fixing compilers or text editors.

Alpinelinux:

NixOS:


Thank you. Outreach on this issue is certainly helpful.

Best to include the link to the original attack research:

Already mentioned in Michael Altfield’s article as a reference.

Patrick via Whonix Forum:

Didn’t try yet, interesting:


Gentoo:

https://bugs.gentoo.org/862372

Mint OS:


In an LKRG source code file, a comment includes a real name which contains this sign: ł
Non-malicious.
This triggers the dm-check-unicode check.
Therefore excluding the files where this happens from the check.
This is clearly a non-ideal solution, but fixing this is an issue for the whole Free and Open Source community. See also Detecting Malicious Unicode in Source Code and Pull Requests

--exclude=LICENSE
--exclude=lkrg-openrc.sh
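The grep command earlier in the thread flags every non-ASCII byte, which is why a contributor's name containing ł forces a whole-file exclusion. The scanner below is an added example (not Whonix, Kicksecure or dm-check-unicode code) that mirrors grep's --exclude, --exclude-dir and --binary-files=without-match behaviour but additionally classifies each non-ASCII character: Bidi overrides and zero-width characters of the kind described on trojansource.codes are reported as "dangerous", other format/control characters as "format", and ordinary letters such as ł as "letter". A tree containing only letters yields "warn" rather than "fail", so the LKRG comment could be reviewed once and tolerated without excluding the file from the Bidi check. The file names and contents in demo() are constructed for the example.

```python
"""Scan a source tree for non-ASCII characters and classify them.

Added example, not project code. Behaves like
  grep -P '[^\\x00-\\x7F]' --recursive --binary-files=without-match
with --exclude / --exclude-dir patterns, but classifies each hit so that
a benign letter in a comment is distinguishable from a Bidi override.
"""
import fnmatch
import os
import tempfile
import unicodedata

# Characters with no legitimate place in source code: Bidi embedding,
# override and isolate controls, zero-width/joiner characters and BOMs.
DANGEROUS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE LRO PDF RLE RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200b", "\u200c", "\u200d", "\u200e", "\u200f",   # ZWSP ZWNJ ZWJ LRM RLM
    "\u2060", "\ufeff",                                 # WJ, BOM
}


def classify(ch):
    """Return 'dangerous', 'format', 'letter' or 'other' for one non-ASCII char."""
    if ch in DANGEROUS:
        return "dangerous"
    cat = unicodedata.category(ch)
    if cat in ("Cf", "Cc", "Co", "Cn"):   # format, C1 control, private, unassigned
        return "format"
    if cat.startswith("L"):               # letters such as ł, ü, é
        return "letter"
    return "other"                        # punctuation, symbols, ...


def scan_text(text):
    """Return [(line_no, col, char, 'U+XXXX', class)] for every non-ASCII char."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                hits.append((line_no, col, ch, "U+%04X" % ord(ch), classify(ch)))
    return hits


def is_binary(data):
    """Crude binary test, similar to grep's heuristic: any NUL byte."""
    return b"\x00" in data


def scan_tree(root, exclude=(), exclude_dir=(".git",)):
    """Walk root like grep --recursive; return {relative_path: hits} for files with hits."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded directories in place so os.walk does not descend
        dirnames[:] = [d for d in dirnames
                       if not any(fnmatch.fnmatch(d, p) for p in exclude_dir)]
        for name in filenames:
            if any(fnmatch.fnmatch(name, p) for p in exclude):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_binary(data):
                continue
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue                  # undecodable: treat as binary
            hits = scan_text(text)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def verdict(results):
    """'fail' on any dangerous/format char, 'warn' on letters/other only, else 'ok'."""
    classes = {hit[4] for hits in results.values() for hit in hits}
    if "dangerous" in classes or "format" in classes:
        return "fail"
    return "warn" if classes else "ok"


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return (results, verdict)."""
    root = tempfile.mkdtemp(prefix="unicode-scan-")
    os.makedirs(os.path.join(root, ".git"))
    files = {                                     # constructed sample files
        os.path.join(".git", "blob"): "\u202e inside .git is skipped\n",
        "contributors.c": "/* Author: Michał (benign non-ASCII letter) */\n",
        "main.c": "int ok = 1; /* \u202e comment carrying a Bidi override */\n",
        "changelog.upstream": "\u00e9 excluded by file name\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n\x00\xc3\xa9")    # binary: NUL byte present
    results = scan_tree(root, exclude=("changelog.upstream",))
    return results, verdict(results)


if __name__ == "__main__":
    found, outcome = demo()
    for path, hits in sorted(found.items()):
        for line_no, col, ch, code, cls in hits:
            print("%s:%d:%d: %s %s" % (path, line_no, col, code, cls))
    print("verdict:", outcome)
```

In the demo the .git blob and the binary image are skipped, changelog.upstream is excluded by name, contributors.c is reported as a single "letter" hit and main.c as a "dangerous" hit, so the overall verdict is "fail". Run against a real checkout, a project would treat "fail" as a hard build stop and review "warn" files once, recording the accepted letters instead of excluding whole files.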