Detecting Malicious Unicode in Source Code and Pull Requests

nurmagoz · June 8, 2022, 11:09am

Thanks to @maltfield for pointing this.

Patrick · June 8, 2022, 2:05pm

Great, invisible characters that can do malicious stuff. That’s what security computer needs. (sarcasm)

Thanks for the report! Good stuff.

To make future automated checks easier, just now removed all unicode from Whonix…

…except from binary files.

Used the following grep command (based on this answer) to grep all of Kicksecure and Whonix source code:

grep --exclude=changelog.upstream --exclude-dir=.git --binary-files=without-match --recursive --color='auto' -P -n '[^\x00-\x7F]'

--exclude=changelog.upstream
- because this file is auto generated and its contents aren’t processed by compilers or script interpreters.
--exclude-dir=.git
- once in the git history, it stays there and files in that folder shouldn’t be manually edited.
--binary-files=without-match
- Otherwise matches binary files such as images, binary files in monero-gui, gpg keys. Full list: [1]

Useful to append go grep command:

-l
- to show file names only

packages/whonix/anon-ws-disable-stacked-tor/usr/share/anon-ws-disable-stacked-tor/control.authcookie
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-duck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-newspaper.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-archive.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-support.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-yacy.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-metager.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-doc.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-donate.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/whonix-logo-text.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-qwant.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-forum.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-ecosia.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-peekier.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-telegram.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-ipcheck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-contribute.png
packages/whonix/kloak/figures/train-normal_test-kloak.png
packages/whonix/kloak/figures/train-kloak_test-kloak.png
packages/whonix/kloak/figures/train-normal_test-normal.png
packages/whonix/kloak/figures/kloak.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A9A.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/62AF65BB.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA495.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA497.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A96.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/A04EE252.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_WordPress_Banner.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Banner_600x321.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Dark.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Light.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Portal.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Banners.ai
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/torbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/contribute.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/donate.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/mailinglist.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/important.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/nerolinux.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/readme.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/secbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonix.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/timesync.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/importantblog.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/featureblog.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/advancedsettings.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/chat.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/tbupdate.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonixlock.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/firewall.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/refresh.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion64.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/help.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/stop.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/prev.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/restart.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette2.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/back_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/tools.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/Exit.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/accept_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette1.png
packages/kicksecure/anon-connection-wizard/usr/share/anon-connection-wizard/advancedsettings.ico
packages/kicksecure/live-config-dist/usr/share/pixmaps/install-host.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/welcome.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/slide1.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/whonix-logo.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-success.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/restart-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/application-exit.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-warning.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/stop-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-log.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-wait.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-stopped.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-ok.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/advancedsettings.ico
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-error.png
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-ancestry
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-usage
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-mark-spent-outputs
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-export
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-import
packages/kicksecure/monero-gui/usr/bin/monero-wallet-gui
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-depth
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune
packages/kicksecure/monero-gui/usr/bin/monero-wallet-cli
packages/kicksecure/monero-gui/usr/bin/monerod
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-stats
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune-known-spent-data
packages/kicksecure/monero-gui/usr/bin/monero-gen-ssl-cert
packages/kicksecure/monero-gui/usr/bin/monero-wallet-rpc
packages/kicksecure/monero-gui/usr/bin/monero-gen-trusted-multisig
packages/kicksecure/monero-gui/usr/share/doc/monero-gui/monero-gui-wallet-guide.pdf
packages/kicksecure/monero-gui/usr/share/pixmaps/monero.png
packages/kicksecure/gpg-bash-lib/usr/share/gpg-bash-lib/misc/gpg-test-pub-key.d/pubring.gpg

Patrick · June 10, 2022, 11:41am

github.com/QubesOS/qubes-issues

audit and protect from Qubes source code for malicious unicode - CVE-2021-42574

opened 11:41AM - 10 Jun 22 UTC

adrelanos

T: enhancement P: major security C: infrastructure

Quote https://trojansource.codes/ > The trick is to use Unicode control chara…cters to reorder tokens in source code at the encoding level. > These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens. > Compilers and interpreters adhere to the logical ordering of source code, not the visual order. tasks: - [ ] **check if potential existing compromises:** scan all Qubes source code for existing unicode - [ ] **educate existing and future Qubes source code reviewers:** add a Qubes source code reviewer policy to a github repository or on the Qubes website which existing and future reviewers need to acknowledge that I understand the issue. More of a reminder, a conversation starter. - [ ] **remove as much unicode from Qubes source code as possible**: by reducing the amount of unicode in Qubes source code, audits for malicious unicode with automated tools gets simpler. If possible, if unicode is considered essential, instead of writing `®` when required it should be encoded as `®`. - [ ] **local check by reviewer:** document tools that Qubes source code reviewers could/should use to scan future contributions for malicious unicode - [ ] **remote cursory check:** add a github pull request hook that notifies when unicode is included in a pull request (This is just an additional, handy layer of protection. Since infrastructure should be distrusted this alone is not a full solution.) - [ ] **build scripts / CI scripts:** should check if there is unicode in any files except in opt-in expected files. If there is unexpected unicode, the build should error out. - [ ] **scan upstream projects source code**: check if these are compromised by malicious unicode - [ ] **notify upstream projects**: these might not be aware of this issue and already compromised by malicious unicode. references: * https://tech.michaelaltfield.net/2021/11/22/bidi-unicode-github-defense/ * https://forums.whonix.org/t/detecting-malicious-unicode-in-github-prs/13754 how to check example: ``` grep_args="--exclude=changelog.upstream --exclude-dir=.git --binary-files=without-match --recursive --color=auto -P -n" ``` ``` LC_ALL=C grep $grep_args '[^\x00-\x7F]' ``` ``` LC_ALL=C grep $grep_args "[^[:ascii:]]" ``` A few other tools might be desirable.

Patrick · June 28, 2022, 10:05pm

Debian Bug report:

invisible malicious unicode in source code - detection and prevention
was automatically mirrored to the debian-development mailing list: Bug#1014029: invisible malicious unicode in source code - detection and prevention

Patrick · June 29, 2022, 6:13am

Debian lintian test unicode-trojan:
https://lintian.debian.org/tags/unicode-trojan

Patrick · June 29, 2022, 6:24am

github.com

Kicksecure/helper-scripts/blob/master/usr/bin/grep-find-unicode-wrapper

#!/bin/bash

## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

grep_args="\
   --exclude=changelog.upstream \
   --exclude-dir=.git
   --binary-files=without-match \
   -l \
   -P \
   -n"

one=$(LC_ALL=C grep $grep_args '[^\x00-\x7F]' "$@")

two=$(LC_ALL=C grep $grep_args "[^[:ascii:]]" "$@")

## https://access.redhat.com/security/vulnerabilities/RHSB-2021-007
## https://lintian.debian.org/tags/unicode-trojan
three=$(LC_ALL=C grep $grep_args $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' "$@")

This file has been truncated. show original

Patrick · June 30, 2022, 3:36pm

Bug report was rejected.

Patrick · July 7, 2022, 8:43pm

Patrick · July 7, 2022, 8:45pm

For simplification, all avoidable unicode has been removed from derivative-maker / Kicksecure / Whonix source code.
Before building Kicksecure / Whonix packages as well as before building Kicksecure / Non-Qubes-Whonix VM images, the source code of derivative-maker as well as the source code in its /packages sub folder is now scanned for unexpected unicode.

Implementation:

Patrick · July 7, 2022, 8:49pm

Above is not a full solution / workaround for:

Qubes bug report: audit and protect from Qubes source code for malicious unicode - CVE-2021-42574

Debian bug report: invisible malicious unicode in source code - detection and prevention

or all the other projects on the internet - almost all - that would have to audit their existing source code for malicious unicode and prevent inclusion for future malicious unicode,
any of the other issues raised on https://trojansource.codes/ such as fixing compilers or text editors.

Patrick · July 19, 2022, 5:11pm

nurmagoz · July 25, 2022, 11:32pm

Alpinelinux:

NixOS:

github.com/NixOS/nixpkgs

Detecting Malicious Unicode in Source Code and Pull Requests

opened 11:32PM - 25 Jul 22 UTC

TNTBOMBOM

0.kind: bug 1.severity: security

Does NixOS scan their code/patches for this vulnerability? Details: https:…//web.archive.org/web/20220101033034/https://tech.michaelaltfield.net/2021/11/22/bidi-unicode-github-defense/ Implemented by e.g: - Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007 - Whonix anonymous os/Kicksecure: https://www.kicksecure.com/wiki/Unicode https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754 ThX!

Patrick · July 26, 2022, 1:43pm

Thank you. Outreach on this issue is certainly helpful.

Best to include the link to the original attack research:

nurmagoz · July 26, 2022, 4:26pm

already mentioned in michael altfield article as a reference.

Patrick via Whonix Forum:

Patrick · July 27, 2022, 11:46am

Didn’t try yet, interesting:

https://github.com/haveyoudebuggedit/trojansourcedetector

nurmagoz · July 30, 2022, 7:13pm

Gentoo:

https://bugs.gentoo.org/862372

Mint OS:

github.com/linuxmint/cinnamon

Detecting Malicious Unicode in Source Code and Pull Requests

opened 06:57PM - 30 Jul 22 UTC

TNTBOMBOM

I couldn't find any proper place to report this, feel free to shift it if this i…s not the right place. Quote [https://trojansource.codes/ Trojan Source: Invisible Vulnerabilities] > **Invisible Source Code Vulnerabilities** > > Some Vulnerabilities are Invisible > Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. > > These adversarial encodings produce no visual artifacts. > > **The trick** > > The trick is to use Unicode control characters to reorder tokens in source code at the encoding level. > These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens. > Compilers and interpreters adhere to the logical ordering of source code, not the visual order. > > **The attack** > > The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic. > ... > Adversaries can leverage this deception to commit vulnerabilities into code that will not be seen by human reviewers. This attack pattern is tracked as CVE-2021-42574. [CVE-2021-42574 at redhat](https://access.redhat.com/security/cve/cve-2021-42574) > **The supply chain** > > This attack is particularly powerful within the context of software supply chains. > If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability. > > **The technique** > > There are multiple techniques that can be used to exploit the visual reordering of source code tokens: > * Early Returns cause a function to short circuit by executing a return statement that visually appears to be within a comment. > * Commenting-Out causes a comment to visually appear as code, which in turn is not executed. > * Stretched Strings cause portions of string literals to visually appear as code, which has the same effect as commenting-out and causes string comparisons to fail. > > **The variant** > > A similar attack exists which uses homoglyphs, or characters that appear near identical. > > ... > > The above example defines two distinct functions with near indistinguishable visual differences highlighted for reference. > An attacker can define such homoglyph functions in an upstream package imported into the global namespace of the target, which they then call from the victim code. > This attack variant is tracked as CVE-2021-42694. > > **The defense** > > * Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters. > * Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals. > * Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings. > > **The paper** > > Complete details can be found in the related [https://trojansource.codes/trojan-source.pdf paper]. By authors Nicholas Boucher and Ross Anderson, 2021, [https://arxiv.org/abs/2111.00169 arXiv]. tasks: - [ ] **check if potential existing compromises:** scan all distribution source code for existing unicode - [ ] **educate existing and future distribution source code reviewers:** add a distribution source code reviewer policy to a github repository or on the distribution website which existing and future reviewers need to acknowledge that I understand the issue. More of a reminder, a conversation starter. - [ ] **remove as much unicode from distribution source code as possible**: by reducing the amount of unicode in distribution source code, audits for malicious unicode with automated tools gets simpler. If possible, if unicode is considered essential, instead of writing `®` when required it should be encoded as `®`. - [ ] **local check by reviewer:** document tools that distribution source code reviewers could/should use to scan future contributions for malicious unicode - [ ] **remote cursory check:** add a github pull request hook that notifies when unicode is included in a pull request (This is just an additional, handy layer of protection. Since infrastructure should be distrusted this alone is not a full solution.) - [ ] **build scripts / CI scripts:** should check if there is unicode in any files except in opt-in expected files. If there is unexpected unicode, the build should error out. - [ ] **scan upstream projects source code**: check if these are compromised by malicious unicode - [ ] **notify upstream projects**: these might not be aware of this issue and already compromised by malicious unicode. references: * https://tech.michaelaltfield.net/2021/11/22/bidi-unicode-github-defense/ * https://www.kicksecure.com/wiki/Unicode

Patrick · October 3, 2022, 12:10pm

In a LKRG source code file a comment includes a real name which contains this sign: ł
Non-malicious.
This triggers to dm-check-unicode check.
Therefore excluding the files where this happens from the check.
This is clearly a non-ideal solution but fixing this is an issue for whole Free and Open Source community. See also Detecting Malicious Unicode in Source Code and Pull Requests

--exclude=LICENSE
--exclude=lkrg-openrc.sh

Patrick · April 6, 2023, 6:07am

Could you review this please? @grass

grass · April 24, 2023, 3:44pm

First thing, I don’t know perl too much, but I can understand it. I tried to make grep print but it wasn’t working, so perl seems better for this, besides the fact that grep’s option -P stands for Perl, so we were already using it.

I used the tool to scan the files on GitHub - nickboucher/trojan-source: Trojan Source: Invisible Vulnerabilities, especially on the Bash dir. Github web interface does not show all of the unicode, you have to use a local editor or paste to a functional online viewer such as Bidi Viewer which is made by the same person.

Another point is the pattern:

SEARCH_PATTERN='[^[:ascii:]]|[\x{061C}\x{200E}\x{200F}\x{202A}\x{202B}\x{202C}\x{202D}\x{202E}\x{2066}\x{2067}\x{2068}\x{2069}]'

I don’t see the need for the second part of everything after the pipe |, because negating ascii characters will also contain the second part.

From this sample, using only [^[:ascii:]] detected all the problems. I did a diff also from the whole directory using the full pattern and only the non-ascii and it was the same.

One thing I don’t like is printing No spurious characters found because it gets in the way of the really important part, if there are spurious characters found. What do you think?

Patrick · April 25, 2023, 2:20pm

Yes.