filmov
tv
[VDZ22] Trojan Source: Bad Characters Are Coming for Your Code by Nicholas Boucher
Показать описание
Your source code may be lying to you.
New research has uncovered a technique for creating vulnerabilities that are invisible to developers. By attacking the encoding of text in source code files, adversaries can craft code that shows different logic to compilers than human reviewers. This poisoned code, which persists through copy & paste from internet resources, raises a new risk for particularly insidious supply chain attacks.
Due the near-universal dependency on encoded text across all subfields of computer science, these evil encodings can also be used to attack a wide range of targets. Beyond source code, production systems implementing tasks such as toxic content identification and machine translation can be reduced to near-zero performance with these techniques.
Starting from a set of initial attacks against machine learning systems deployed by some of the world's largest tech companies, this talk will describe a new family of encoding-based attacks that build to the result that source code can no longer be trusted do what it says. The talk will include a series of practical defenses that can be used by all developers to mitigate their exposure to this threat vector.
New research has uncovered a technique for creating vulnerabilities that are invisible to developers. By attacking the encoding of text in source code files, adversaries can craft code that shows different logic to compilers than human reviewers. This poisoned code, which persists through copy & paste from internet resources, raises a new risk for particularly insidious supply chain attacks.
Due the near-universal dependency on encoded text across all subfields of computer science, these evil encodings can also be used to attack a wide range of targets. Beyond source code, production systems implementing tasks such as toxic content identification and machine translation can be reduced to near-zero performance with these techniques.
Starting from a set of initial attacks against machine learning systems deployed by some of the world's largest tech companies, this talk will describe a new family of encoding-based attacks that build to the result that source code can no longer be trusted do what it says. The talk will include a series of practical defenses that can be used by all developers to mitigate their exposure to this threat vector.
![[VDZ22] Trojan Source:](https://i.ytimg.com/vi/3Ql5hd999mc/hqdefault.jpg)
0:33:24
0:02:36
![[VDZ22] Building Distributed](https://i.ytimg.com/vi/nFkBX9Qq1TM/hqdefault.jpg)
0:20:28
![[VDZ22]Pains and gains](https://i.ytimg.com/vi/xoMchZNSz-g/hqdefault.jpg)
0:18:50
0:06:11
0:02:33
![[VDZ22] 9 Java](https://i.ytimg.com/vi/SN8hQ_7Hxlk/hqdefault.jpg)
0:19:27
![[VDT21] Keynote: Upside](https://i.ytimg.com/vi/ndOnh3mGZ7U/hqdefault.jpg)
0:42:23