<div dir="ltr">Oh for sure there's all sorts of hilarity in C. Doubtless in erlang, too. But the existence of other attack vectors doesn't suggest that you should ignore a new one. <div><br></div><div>It'd probably be a good idea, if this were to be implemented, if there were some tooling or flags for the compiler to warn when unicode was used in a potentially dangerous setting, so that people taking pull requests on erlang code (or even just typing code wrong) could avoid some classes of possible exploits.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 3, 2016 at 8:47 AM, Fred Hebert <span dir="ltr"><<a href="mailto:mononcqc@ferd.ca" target="_blank">mononcqc@ferd.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 02/03, Felix Gallo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There's also an interesting security issue around Unicode source code.<br>
<br>
Take for example the recent hack of Cryptsy, which involved a guy taking<br>
what looked like an innocent and safe pull request to fix an issue in one<br>
part of his software, but through the magic of the preprocessor, turned out<br>
to do something else entirely:<br>
<br>
<a href="http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security" rel="noreferrer" target="_blank">http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security</a><br>
</blockquote>
<br></span>
My counter-argument to that is that you don't need any of that cool UTF stuff to do that.<br>
<br>
See:<br>
<br>
- <a href="http://www.underhanded-c.org/" rel="noreferrer" target="_blank">http://www.underhanded-c.org/</a> underhanded C contest is all about writing regular looking C code doing nasty stuff<br>
- <a href="http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/" rel="noreferrer" target="_blank">http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/</a> juniper code was broken by someone adding in a password check that looked like a log line<br>
- <a href="http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/" rel="noreferrer" target="_blank">http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/</a><br>
using a non-prime in crypto communication, possibly being a backdoor.<br>
<br>
</blockquote></div><br></div>