TROJAN SOURCE, your new fancy security hole for the day

Scary, but the first comment is relevant.

By Stephan Zielinski

There are times when you should just give up and quote the abstract directly.

Abstract—We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.

Note that this conveys critical information not found anywhere in the writeup—namely that the actual “vulnerability” requires gaining access to the source code of the product in question!

Never trust the compiler. ;)

Not the same, but semi-related, is the classic Reflections on Trusting Trust.

The Rust compiler has already been modified to detect this kind of attack.

I’m not sure this is an actual avenue of attack. It defeats visual inspection if and only if your code renderer follows the spec. Web browsers follow the spec, but how many code editors, some designed to run in terminal emulators, will?

Yeah, it’s not a super dangerous attack in practical terms, but it could theoretically cause problems to detect and correct in source code of already compromised libraries. This is not a vector, just an elaborate “obfuscation” technique like minifying payloads and such. But it can complicate things by making malicious code appear “ok” in some instances, and as such it’s worth knowing about it, and how to mitigate it.
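The mitigation the abstract's attack calls for, and that the last comment asks about, is simply to make the invisible visible: scan source for Unicode bidirectional control characters before review or build, and show the reviewer the logical order the compiler sees. The scanner below is an added example, not code from the paper, the post, or any compiler project; the `SAMPLE` input is a constructed C-like fragment, and the set of code points it flags is the standard Unicode list of explicit bidi embeddings, overrides, isolates and marks.

```python
import unicodedata

# Unicode bidirectional control characters that the Trojan Source technique
# relies on: explicit embeddings/overrides (U+202A..U+202E), isolates
# (U+2066..U+2069), and the implicit marks U+200E, U+200F and U+061C.
BIDI_CONTROLS = frozenset(
    [chr(cp) for cp in range(0x202A, 0x202F)]
    + [chr(cp) for cp in range(0x2066, 0x206A)]
    + ["\u200e", "\u200f", "\u061c"]
)


def find_bidi_controls(source: str):
    """Return (line_no, col_no, codepoint, name) for every bidi control in source.

    Lines and columns are 1-based; columns count code points, not bytes,
    so they match what an editor shows rather than byte offsets on disk.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col_no, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def reveal_controls(line: str) -> str:
    """Rewrite a line in its stored (logical) order with each bidi control
    replaced by a visible <U+XXXX> marker, so a reviewer sees what the compiler sees."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in line)


# Constructed sample (not from the paper or any real project): a comment
# carrying a RIGHT-TO-LEFT OVERRIDE, and a string literal carrying a
# LEFT-TO-RIGHT ISOLATE / POP DIRECTIONAL ISOLATE pair.
SAMPLE = (
    "int check(int level) {\n"
    "    /* \u202e } if (level > 0) { */\n"
    "    return level;\n"
    "}\n"
    'const char *banner = "user\u2066 (admin)\u2069";\n'
)


def report(source: str) -> list:
    """One human-readable finding per flagged control character,
    including the affected line rendered in logical order."""
    lines = source.splitlines()
    out = []
    for line_no, col_no, cp, name in find_bidi_controls(source):
        out.append(
            f"line {line_no} col {col_no}: {cp} {name} -> "
            f"{reveal_controls(lines[line_no - 1])}"
        )
    return out


if __name__ == "__main__":
    # Typical use: run over every source file in a tree and fail the build
    # (or block the merge) on any non-empty report.
    for finding in report(SAMPLE):
        print(finding)
```

Flagging every bidi control is deliberately blunt: legitimate right-to-left text in comments or localized string literals will trip it too, so in a real pipeline the check is usually applied to code and comments while allowing an explicit, reviewed exception list for genuine RTL content. The logical-order rendering is the part that matters for review, since it does not depend on whether the reviewer's editor follows the Unicode bidi algorithm.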