Martin J. Dürst
  • @duerst

Martin is a Professor of Computer Science at Aoyama Gakuin University in Japan. He has been one of the main drivers of Internationalization (I18N) and the use of Unicode on the Web and the Internet. He published the first proposals for DNS I18N and NFC character normalization, and is the main author of the W3C Character Model and the IRI specification (RFC 3987). Since 2007, he and his students have contributed to the implementation of Ruby, mostly in the area of I18N.

On Ruby and ꝩduЯ, or How Scary are Trojan Source Attacks

A bit over a year ago, the Trojan Source attacks created quite a scare. This talk looks at what can and should be done for Ruby.

Ruby has embraced Unicode in the form of UTF-8 for source code so that identifiers as well as comments can use non-ASCII characters. This can be very convenient but also may be dangerous.

We will explain the dangers: Bidirectional attacks use special Unicode formatting characters to reorder how source text is displayed, so that it appears to do one thing while actually doing another. Homoglyph attacks use lookalike characters to confuse code reviewers. Invisible characters and special spaces can be even more difficult to detect.

Remedies include better Ruby parsing, new checks in editors, IDEs, and code management sites such as GitHub, and stronger linters such as RuboCop.
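As an added illustration of the linter-style checks mentioned above (this is example code, not the speaker's or RuboCop's), the following Ruby scan flags the three vectors the abstract describes: Bidi formatting controls, invisible characters and non-ASCII spaces, and identifiers that mix scripts. The character sets and the sample source are constructed here and are an illustrative subset, not a complete inventory.

```ruby
# Added example (not from the talk): a minimal linter-style scan for the three
# Trojan Source vectors the abstract names. Character sets are an illustrative
# subset chosen here, not a complete inventory.
BIDI_RE      = /[\u202A-\u202E\u2066-\u2069]/ # Bidi embeddings, overrides, isolates
INVISIBLE_RE = /[\u200B-\u200D\u2060\uFEFF]/  # zero-width and BOM-like format chars
ODD_SPACE_RE = /[\p{Zs}&&[^ ]]/               # any Unicode space except ASCII space
IDENT_RE     = /[\p{L}_][\p{L}\p{N}_]*/       # rough identifier shape
SCRIPTS      = { "Latin" => /\p{Latin}/, "Cyrillic" => /\p{Cyrillic}/,
                 "Greek" => /\p{Greek}/ }.freeze

def codepoint(ch)
  format("U+%04X", ch.ord)
end

# Scripts (from the small table above) that occur in one identifier.
def scripts_in(ident)
  SCRIPTS.select { |_, re| ident.match?(re) }.keys
end

# Returns one finding per suspicious character or identifier, with line number.
def scan_source(src)
  findings = []
  src.each_line.with_index(1) do |line, no|
    line.scan(BIDI_RE)      { |c| findings << { line: no, kind: :bidi_control, detail: codepoint(c) } }
    line.scan(INVISIBLE_RE) { |c| findings << { line: no, kind: :invisible,    detail: codepoint(c) } }
    line.scan(ODD_SPACE_RE) { |c| findings << { line: no, kind: :odd_space,    detail: codepoint(c) } }
    line.scan(IDENT_RE) do |id|
      used = scripts_in(id)
      next if used.size < 2                     # single-script identifiers are fine
      findings << { line: no, kind: :mixed_script, detail: "#{id} (#{used.join('+')})" }
    end
  end
  findings
end

# Constructed sample: plain Ruby with one instance of each problem injected.
SAMPLE = [
  "def check_access(user)",
  "  # constructed comment with a stray RLI control here:\u2067",
  "  return true if user.admin?",
  "  a\u0441cess = false  # second letter is Cyrillic es, U+0441",
  "  total\u200B = 1      # zero-width space after the identifier",
  "  x\u00A0= 2           # no-break space instead of ASCII space",
  "end"
].join("\n")

if $PROGRAM_NAME == __FILE__
  scan_source(SAMPLE).each { |f| puts "line #{f[:line]}: #{f[:kind]} #{f[:detail]}" }
end
```

A real linter would also normalize identifiers (NFC, as the speaker's own work proposed) and consult the full Unicode confusables data rather than this three-script table.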
