On Ruby and ꝩduЯ, or
How Scary are Trojan Source Attacks

https://www.sw.it.aoyama.ac.jp/2023/pub/RubyꝩduЯ/

Ruby Kaigi 2023, Matsumoto City, Japan, May 12, 2023

Martin J. DÜRST (マーティンと呼んでください)

duerst@it.aoyama.ac.jp, Aoyama Gakuin University

© 2023 Martin J. Dürst, Aoyama Gakuin University

Overview

• Scare
• Explain
• Next Steps

Speaker Self-Intro

• From Switzerland, living and working in Japan
• Ruby Committer
• W3C Internationalization Interest Group Chair, IETF WG member,...
• Professor at Aoyama Gakuin University (青山学院大学)
• Teaching: Algorithms, Compilers, Math for CS students, Ruby on Rails, Functional Programming,..., in Japanese and English
• Various contributions to bidirectional solutions in HTML, CSS, and Unicode
• Research on display of bidirectional source code, in particular for HTML (2005, 2011)
• General research topics: Software Internationalization,
  World Wide Web Architecture, Programming Languagues (Ruby!)

Contributions to Ruby

Mainly in the following areas:

• Encoding conversion (String#encode, Ruby 1.9)
• Unicode normalization (String#unicode-normalize, Ruby 2.2)
• Non-ASCII case conversion (String#upcase,..., Ruby 2.4)
• Unicode version updates (Unicode 15.1.0 comming to Ruby in Fall 2023)

Troyan Source: Invisible Vulnerabilities

• Title: Trojan Source: Invisible Vulnerabilities
• Authors: Nicolas Boucher and Ross Anderson
• Prepublication: October 30, 2021 on Arxiv
• Revised: 8 Mar 2023
• To be presented at: 32nd USENIX Security Symposium, August 9–11, 2023, Anaheim, CA, USA

Who Wrote this Paper?

Nicholas Boucher, University of Cambridge

Ross Anderson: Well known security expert at University of Cambridge and University of Edinborgh

Author of Security Engineering, 1182 pages, 1.887kg

Troyan Source: Imagine you are ...

Unpredictible Programs: Example 1

white = 40
black = 45
whіtе = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Who wins?

Example 1

white = 40
black = 45
whіtе = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Please raise your hand:

✋White wins: Left handBlack wins: Right hand✋

Example 2

white = 40
black = 45
white​ = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Who wins?

Example 2

white = 40
black = 45
white​ = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Please raise your hand:

✋White wins: Left handBlack wins: Right hand✋

Example 3

50 => ‪white‬
40 => ‮‪black‬
score = ‮‪black‬ - ‪white‬
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Who wins?

Example 3

50 => ‪white‬
40 => ‮‪black‬
score = ‮‪black‬ - ‪white‬
if score>0 then puts 'white wins'
else            puts 'black wins'
end

Please raise your hand:

✋White wins: Left handBlack wins: Right hand✋

Example 4

　= 50
​  = 40
if ​-　> 0 then puts 'white wins'
else           puts 'black wins'
end

Please raise your hand:

✋White wins: Left handBlack wins: Right hand✋

My Guess of Your Guesses

The Real Results

Example 1: black wins
Example 2: black wins
Example 3: black wins
Example 4: black wins

(source)

Who Actually Won

Don't be disappointed: It's my fault that you guessed wrong.

Where is the Problem in Example 1?

white = 40
black = 45
whіtе = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

whіtе => wh\u0456t\u0435

Example 1: Details

whіtе = white + 6.5 # komi

whіtе => wh\u0456t\u0435

і: U+0456: Cyrillic Small Letter Byelorussian-Ukrainian I (Russian i: и)

е: U+0435: Cyrillic Small Letter IE

The 6.5 points gets assigned to the fake whіtе, so the real white looses

This is a homoglyph attack

Homoglyph Attacks

• Use identifiers that look the same but contain different characters
• Well known e.g. for internationalized domain names
• Old problem, e.g. paypal.com scare in 2005
• Lots of advice and data available:
  • Unicode Identifier and Pattern Syntax, UTS #31
  • Unicode Security Considerations, UTR #36
  • Unicode Security Mechanisms, UTS #39
  • Data about confusables (37 given for i, 19 for e)

What's Going On in Example 2

white = 40
black = 45
white<U+200B> = white + 6.5 # komi
score = white - black
if score>0 then puts 'white wins'
else            puts 'black wins'
end

U+200B: ZERO WIDTH SPACE

Ruby allows all non-ASCII spaces in identifiers!

Let's call this an invisible space attack

Invisible Space Attack

• Not well known
• Not widely possible
• Ruby is an exception
• We need to close this loophole

What's Going On in Example 4

<U+3000> = 50
<U+200B> = 40
if <U+200B> - <U+3000> > 0 then puts 'white wins'
else           puts 'black wins'
end

U+200B: ZERO WIDTH SPACE

U+3000: IDEOGRAPHIC SPACE (fullwidth space, 全角スペース)

Ruby allows variable/method names consisting only of spaces!

(not really an attack)

Example 3: Actual Code

50 => LREwhitePDF
40 => RLOLREblackPDF
score = RLOLREblackPDF - LREwhitePDF
if score > 0 then puts 'white wins'
else              puts 'black wins'

RLO, LRE, PDF: Unicode bidirectional (bidi) formatting characters

Allowed as part of variable names in Ruby!

Example 3: Core

score = RLOLREblackPDF - LREwhitePDF

is shown as

score = white - black

This is a bidirectional reordering attack

Example 3: Characters Involved

• RLO: 202E;RIGHT-TO-LEFT OVERRIDE
  In general: Forces everything to be displayed from right to left
  Here: Used to change token order
• LRE: U+202A: LEFT-TO-RIGHT EMBEDDING
  In general: Keeps things left-to-right where there's a choice
  Here: Protects from outside influence
• PDF: U+202C: POP DIRECTIONAL FORMATTING
  In general: end for LRE, RLO, and others
  Here: end for LRE; RLO ends at line end

What are RLO, LRE, PDF ?

• Bidirectional formatting characters
• Invisible, but can change order of characters on line
• Needed for special situations with bidirectional text
• Work inside a paragraph (including reflow)
• For programming languages, inside a line

Bidirectional Text

• Text can be displayed left-to-right (what we are all very much used to):
  • Most scripts (from Latin to Kanji,...)
  • Most numerals/digits (including real Arabic digits: ٠١٢٣٤٥٦٧٨٩)
• Text can be displayed right-to-left
  • Arabic, Hebrew,...
  • Text on the right side of Japanese cars
    E.g.: 社 会 式 株 送 本 松
• Appropriate display can be done mostly automatically using the Unicode Bidirectional Algorithm
• For more complicated text structures, additional control is needed
• Algorithm designed for general text (books, newspapers, reports)
• Algorithm not suited for source code

Bidi Formatting Characters

Example 3: The Whys

• Why RLO ?
  Reorders RLOLREblackPDF - LREwhitePDF
  to display as white - black
• Why LRE.....PDF ?
  Without it, we would get etihw - kcalb
• Why 40 => black and not black = 40 ?
  RLOLREblackPDF = 40 would display as
  40 = black, which does not look like Ruby

Bidi Reordering Attacks

• Identifier attacks
  
  • Maybe only in Ruby
  • Need to eliminate this
• Comment attack
  • Mainly for comments with closing delimiters (C, Rust,...)
• String attacks
  • Widely possible

Background: Vulnerabilities

• CVE-2021-42694 (homoglyphs)
• CVE-2021-42574 (Unicode Bidirectional Algorithm)
• Both vulnerabilities are disputed
• Vulnerabilites blame Unicode, but the underlying problem is the diversity of human writing culture

Who's Fault is it?

• Unicode?
• Language specifications?
• Language implementations?
• Editors / IDEs?
• Linters (e.g. Rubocop)?

Finger pointing doesn't solve any problems

The Baby and the Bathwater

Why not simply disallow non-ASCII characters in code?

• Useful for education
• Useful for bureaucratic jargon

Why Not to (Completely) Loose Your Sleep

(over Trojan source attacks, that is)

• Phishing scams are much easier than Troyan source attacks
• Homoglyph attacks are possible with ASCII, too
  (e.g. the randornhouse.com case)
• Many people don't look too closely anyway
  (hopefully not true for programmers)
• In Ruby, any method can be overwritten from anywhere in the code

Defense in Depth

• Language specification
• Language implementations
• Editors and IDEs
• Linters (rubocop,...)
• Healthy ecosystem

Editors: Current Status

• Sublime (Windows 11): No bidi, no ligating, bidi controls shown explicitly (e.g. <0x202c>)
• Visual Studio Code: U+020C for bidi controls, раураl for non-ASCII characters
• Emacs (Ubuntu): _ (underline) for bidi controls
• Emacs on Windows: Nothing special
• Vim (Ubuntu): <200C>
• Komodo Edit (Windows), Notepad++, Notepad2: LRI for second-generation bidi controls, nothing special for first-generation bidi controls

The Ideal Editor

• Understands programming language
  
  • Mostly there with syntax highlighting
  • Almost impossible for embedded code
    (e.g. bidi text in regexp in string eval in here document in ERB)
• Orders programming language tokens LTR→
• Insulates bidi controls in strings,...

Next Steps for Ruby

• Reduce set of characters allowed in identifiers:
  • Disallow spaces
  • Disallow bidirectional formatting characters
    (possibly except for requiring LRM at start/end of RTL script identifiers)
  • Disallow unassigned codepoints
• Disallow mixed script identifiers
• Follow Unicode guidelines
• Emit warning for unpaired bidi characters in strings/comments

Next Steps: Impementation

• Partial implementation done, but too many errors to push
• Only check non-ASCII, so compilation does not get slower
• Backwards compatibility may be affected for Trick programs
• Single-character checks easy to implement
  (we have all the Unicode character property data in the regexp engine)
• Mixed script checks difficult to implement
  (we have all the data, but in the wrong form (Bug #13241))

Recommendations (Summary)

• Defense in depth
• Ruby should do its share
  • Limit characters usable in identifiers
  • Limit character combinations usable in identifiers
  • Warn for unpaired bidi controls in strings and comments

Acknowledgments

• Nicholas Boucher and Ross Anderson for their research
• Everybody in the Ruby community for keeping Ruby a healthy ecosystem
• Matz (まつもと ゆきひろ) for Ruby, a programmer's best friend
• Amaya, Opera 12.17, and coderay for slide production and display

Q & A

Send questions and comments to Martin Dürst
(mailto:duerst@it.aoyama.ac.jp)
or open/contribute to a bug report or feature request

The latest version of this presentation is available at:

https://www.sw.it.aoyama.ac.jp/2023/pub/RubyꝩduЯ/