Coders alert: Rust, Java, and Python prone to new cyberthreats

If you’re working with the Rust programming language — or JavaScript, Java, Go, or Python — you might wish to look for inconsistencies between the code you’ve evaluated and the code you’ve output.

The Rust Security Response Working Group (WG) has identified a weird security vulnerability, CVE-2021-42574, and is recommending that developers upgrade to Rust 1.56.1.

Today, news of the unusual flaw was circulated via a mailing list. In a blog post, the Rust project also raised the issue of Unicode’s “bidirectional override.” However, it’s a flaw that affects all programmes written in popular languages that use Unicode, not just Rust.

According to security expert Ross Anderson, this flaw affects not only Rust but also other top languages such as Java, JavaScript, Python, C-based languages, and code written in other recent languages because it is Unicode.

To detect any potentially dangerous contributions by volunteers, many open-source projects, such as operating systems, rely on human evaluation of all new code. However, Cambridge University security experts claim to have figured out how to change the encoding of source code files so that human viewers and compilers see different reasoning.

“We’ve figured out how to manipulate source code files’ encoding such that human users and compilers see distinct reasoning.” One especially nefarious technique exploits Unicode directionality to display code as an anagram of its real logic.

The attack involves reordering source code characters in a way that affects the logic by using control characters encoded in comments and strings.

Unicode, the foundation for text and emoji, allows both left-to-right languages like English and right-to-left languages like Persian. This is accomplished by “bidirectional override,” an unseen feature known as a codepoint that allows left-to-right words to be embedded inside a right-to-left sentence and vice versa.

Rust isn’t a commonly used programming language, but it’s been adopted by Google, Facebook, Microsoft, Amazon Web Services (AWS), and others for systems (rather than application) programming because of its memory-related safety guarantees.

The Rust team examined its add-on software packages, termed “crates,” and discovered that five of them contain the impacted codepoints in their source code. It did not, however, uncover any harmful codepoints.