Security concerns: OGHAM SPACE MARK
prosfilaes at gmail.com
Tue Jul 21 05:45:40 CDT 2015
On Tue, Jul 21, 2015 at 2:14 AM Dreiheller, Albrecht <
albrecht.dreiheller at siemens.com> wrote:
> If the author really intends to deceive potential readers he will succeed.
Possibly. Code is hard. But the Ogham space is not a real threat; it's easy
to search for and obviously a deliberate attempt to confuse.
> Programming languages like JS should at least implement exclusion rules
> from the "Unicode Confusables Characters" list.
Have you looked at that list? 1 and l is one pair of confusables in that
list, and while that is an incredibly classic confusable pair, it's not one
that's implementable in a programming language. а and a is another pair;
but if you ban а, you've practically banned Cyrillic identifiers completely.
> Otherwise such programming languages ought to be black-listed.
Black-listed? By whom? If you wish to make sure a set of code you control
does not use non-ASCII characters, most source-control systems.will let you
altogether, that is also your freedom. But of all the attacks weighed
As note for confusable code, let me point out this code that someone tried
to illicitly push into the Linux CVS back in 2003:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
the all-ASCII trick being that current->uid is being set to zero, not
checked. It would be much easier to find any sort of Unicode trick then a
backdoor like that in a sufficiently large body of code.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unicode