Comment by rurban
4 days ago
They should also turn off the C11 Unicode identifier bugs with -fhardened, which enabled homoglyph attacks. There is no plan for C26 to fix this. No unicode identifiers without proper security measures.
What is the threat profile here? I don't understand how this would be exploited in the real world. Once you're linking to a library, there are so many ways for the library to exploit your main program (e.g. by running arbitrary code in constructors).
https://github.com/rurban/libu8ident
Search for homoglyph attacks and the unicode security guidelines for identifiers
OK that is pretty interesting. For the TL;DR crowd, the exploit was:
where the 'ǃ' is a Unicode homoglyph (U+1C3 "LATIN LETTER ALVEOLAR CLICK") which obviously completely changes the nature of the code.
I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!
2 replies →
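A defender-side lint for the problem discussed above, added here as an example (not code from the thread, from GCC or from libu8ident): it reports every non-ASCII code point that sits in code position in C source, skipping string literals and line comments, and names the ASCII character it resembles when the character is in a small lookalike table. The lookalike table and the sample input are constructed; the real reference list is Unicode's confusables.txt.

```python
import unicodedata

# Constructed lookalike table (tiny subset of Unicode's confusables.txt).
# U+01C3 is the character from the thread; the other two are assumed examples.
LOOKALIKES = {
    "\u01c3": "!",  # latin letter retroflex click, resembles '!'
    "\u037e": ";",  # greek question mark, resembles ';'
    "\u0430": "a",  # cyrillic small a, resembles latin 'a'
}

def _code_region(line):
    """Blank out "..."/'...' literals and // comments (block comments are
    not handled) so that only code positions are scanned."""
    out, quote, i = [], None, 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\":  # escaped char inside a literal: skip both
                out.append("  ")
                i += 2
                continue
            out.append(" ")
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
            out.append(" ")
        elif line.startswith("//", i):
            break  # rest of line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def scan_source(src):
    """Return (line, col, 'U+XXXX', note) per non-ASCII code point in code."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for col, ch in enumerate(_code_region(line), start=1):
            if ord(ch) < 0x80:
                continue
            name = unicodedata.name(ch, "<unnamed>")
            note = (f"{name}, resembles ASCII {LOOKALIKES[ch]!r}"
                    if ch in LOOKALIKES else f"{name}, non-ASCII in code")
            findings.append((lineno, col, f"U+{ord(ch):04X}", note))
    return findings

# Constructed sample: U+01C3 on line 3 makes the condition an assignment; line 4 is a string.
SAMPLE = ("int xǃ;\nint check(int x) {\n"
          "    if (xǃ= 0) return 1;\n"
          "    puts(\"ǃ inside a string literal is fine\");\n    return 0;\n}\n")
```

Running `scan_source(SAMPLE)` reports line 1 column 6 and line 3 column 10 as U+01C3 resembling `!`, while the same character inside the string literal on line 4 is not flagged.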