Date: Fri, 18 Jun 2021 13:52:43 -0400
Unless you do script analysis, which is hard, you allow homoglyph attacks.
This does prevent a class of malice where RTL modifiers are injected into
symbol names, though.
On Fri, Jun 18, 2021 at 1:38 PM Peter C++ via Liaison <
liaison_at_[hidden]> wrote:
> if one reviews with a decent IDE it will show which is which.
>
> Sent from Peter Sommerlad's iPad
> +41 79 432 23 32
>
> > On 18 Jun 2021, at 18:08, Uecker, Martin via Liaison <liaison_at_[hidden]> wrote:
> >
> >
> > Similar-looking symbols certainly make it much worse
> > where code from untrusted sources needs to be reviewed.
> >
> > On Friday, 18.06.2021, at 08:53 -0700, JF Bastien via Liaison wrote:
> >> No.
> >>
> >> If malicious source code through Unicode homoglyphs is a security
> >> issue, then you already have a security issue with trusting your
> >> developers. As underhanded C contests show, you don't need Unicode to
> >> hide malicious code.
> >>
> >>> On Fri, Jun 18, 2021 at 8:51 AM Robert Seacord via Liaison <
> >>> liaison_at_[hidden]> wrote:
> >>> Are there any security concerns if we don't make this change? (I
> >>> work in security, so people ask me questions like this when I ask
> >>> about working on a proposal.)
> >>>
> >>> rCs
> >>>
> >>> On Fri, Jun 4, 2021 at 3:06 PM Steve Downey via Liaison <
> >>> liaison_at_[hidden]> wrote:
> >>>> C++ Identifier Syntax using Unicode Standard Annex 31
> >>>> https://github.com/steve-downey/papers/blob/master/d1949.md
> >>>> Slides:
> >>>> https://github.com/steve-downey/papers/blob/master/UAX31-EWG-slides.org
> >>>>
> >>>> _______________________________________________
> >>>> Liaison mailing list
> >>>> Liaison_at_[hidden]
> >>>> Subscription:
> >>>> https://lists.isocpp.org/mailman/listinfo.cgi/liaison
> >>>> Link to this post:
> >>>> http://lists.isocpp.org/liaison/2021/06/0602.php
Received on 2021-06-18 12:53:10
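
The distinction drawn in the top message, as an added example that is not code from the thread or from the proposal: a review-time check showing that an XID_Start/XID_Continue identifier rule (the UAX #31 default syntax) rejects bidirectional control characters in a name but still accepts homoglyphs. Assumptions: Python's `str.isidentifier()` stands in for the proposal's rule, the script of a letter is approximated from the first word of its Unicode character name because `unicodedata` does not expose the Script property, and all sample identifiers are constructed.

```python
import unicodedata

# Bidirectional formatting controls: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def uax31_accepts(name: str) -> bool:
    """True if name matches XID_Start XID_Continue* (what isidentifier checks)."""
    return name.isidentifier()


def scripts(name: str) -> set:
    """Approximate set of scripts used by the letters of name.

    Assumption: the first word of the character name (LATIN, CYRILLIC,
    GREEK, ...) is used in place of the real Unicode Script property.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in name
        if ch.isalpha()
    }


def review(name: str) -> dict:
    """Report what a reviewer would want flagged for one identifier."""
    return {
        "bidi_controls": sorted(f"U+{ord(c):04X}" for c in set(name) & BIDI_CONTROLS),
        "uax31_accepts": uax31_accepts(name),
        "mixed_script": len(scripts(name)) > 1,
    }


# Constructed sample identifiers (not taken from any real code base).
SAMPLES = {
    "ascii": "is_admin",
    "rtl_override": "is_\u202enimda",        # RIGHT-TO-LEFT OVERRIDE inside the name
    "mixed_script": "is_\u0430dmin",         # CYRILLIC SMALL LETTER A among Latin letters
    "single_script": "\u0455\u0441\u043e\u0440\u0435",  # all Cyrillic, renders like "scope"
}

if __name__ == "__main__":
    for label, ident in SAMPLES.items():
        print(f"{label:14} {ident!a:40} {review(ident)}")
```

The last sample is accepted by the identifier rule and also passes the mixed-script heuristic, which is why the message calls script analysis hard: catching it requires confusable data such as that in UTS #39, not just a per-identifier script count.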