{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T02:09:57Z","timestamp":1773713397440,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,8]],"date-time":"2022-11-08T00:00:00Z","timestamp":1667865600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,11]]},"DOI":"10.1145\/3560835.3564555","type":"proceedings-article","created":{"date-parts":[[2022,11,9]],"date-time":"2022-11-09T02:38:26Z","timestamp":1667961506000},"page":"83-92","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Talking Trojan"],"prefix":"10.1145","author":[{"given":"Nicholas","family":"Boucher","sequence":"first","affiliation":[{"name":"University of Cambridge, Cambridge, United Kingdom"}]},{"given":"Ross","family":"Anderson","sequence":"additional","affiliation":[{"name":"Universities of Cambridge and Edinburgh, Cambridge, United Kingdom"}]}],"member":"320","published-online":{"date-parts":[[2022,11,8]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Trojan Source: Invisible Vulnerabilities. Preprint. https:\/\/arxiv.org\/abs\/2111.00169 arXiv: 2111.00169 [cs.CR].","author":"Boucher Nicholas","year":"2021","unstructured":"Nicholas Boucher and Ross Anderson. 2021. Trojan Source: Invisible Vulnerabilities. Preprint. https:\/\/arxiv.org\/abs\/2111.00169 arXiv: 2111.00169 [cs.CR]."},{"key":"e_1_3_2_1_2_1","volume-title":"The Apache Software Foundation, (Dec.","author":"Software Foundation The Apache","year":"2021","unstructured":"The Apache Software Foundation. 2021. Apache Log4j Security Vulnerabilities. The Apache Software Foundation, (Dec. 2021). https:\/\/logging.apache.org\/log4 j\/2.x\/security.html."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","unstructured":"S. Peisert et al. 2021. Perspectives on the solarwinds incident. IEEE Security & Privacy 19 02 (Mar. 2021) 7--13. doi: 10.1109\/MSEC.2021.3051235.","DOI":"10.1109\/MSEC.2021.3051235"},{"key":"e_1_3_2_1_4_1","volume-title":"Executive Order on Improving the Nation's Cybersecurity. en-US. Executive Order 14028. (May","author":"Biden Joseph","year":"2021","unstructured":"Joseph Biden. 2021. Executive Order on Improving the Nation's Cybersecurity. en-US. Executive Order 14028. (May 2021). Retrieved July 5, 2021 from https: \/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/exec utive-order-on-improving-the-nations-cybersecurity."},{"key":"e_1_3_2_1_5_1","volume-title":"Version 14.0. en","author":"The Unicode Consortium","year":"2021","unstructured":"The Unicode Consortium. 2021. The Unicode Standard, Version 14.0. en. The Unicode Consortium, (Sept. 2021). https:\/\/www.unicode.org\/versions\/Unicode 14.0.0."},{"key":"e_1_3_2_1_7_1","volume-title":"Bad Characters: Imperceptible NLP Attacks. In 43rd IEEE Symposium on Security and Privacy. IEEE. https:\/\/ieeexplore.ieee.org\/document\/9833641","author":"Boucher Nicholas","year":"2022","unstructured":"Nicholas Boucher, Ilia Shumailov, Ross Anderson, and Nicolas Papernot. 2022. Bad Characters: Imperceptible NLP Attacks. In 43rd IEEE Symposium on Security and Privacy. IEEE. https:\/\/ieeexplore.ieee.org\/document\/9833641."},{"key":"e_1_3_2_1_8_1","volume-title":"HackerOne","year":"2022","unstructured":"HackerOne. 2022. Bug Bounty Platform. HackerOne, (2022). https:\/\/www.hack erone.com\/product\/bug-bounty-platform."},{"key":"e_1_3_2_1_9_1","volume-title":"BugCrowd","year":"2022","unstructured":"BugCrowd. 2022. Managed Bug Bounty. BugCrowd, (2022). https:\/\/www.bugcr owd.com\/products\/bug-bounty."},{"key":"e_1_3_2_1_10_1","volume-title":"d.] CERT Coordination Center. (). Retrieved","author":"Carnegie Mellon University Software Engineering Institute. [n.","year":"2021","unstructured":"Carnegie Mellon University Software Engineering Institute. [n. d.] CERT Coordination Center. (). Retrieved Oct. 29, 2021 from https:\/\/www.kb.cert.org."},{"key":"e_1_3_2_1_11_1","volume-title":"Operating system distribution security contact lists. (Sept","author":"Project Openwall","year":"2021","unstructured":"Openwall Project. 2021. Operating system distribution security contact lists. (Sept. 2021). https:\/\/oss-security.openwall.org\/wiki\/mailing-lists\/distros."},{"key":"e_1_3_2_1_12_1","volume-title":"Retrieved","author":"MITRE.","year":"2021","unstructured":"MITRE. 2021. About the CVE Program. (Oct. 2021). Retrieved Oct. 29, 2021 from https:\/\/www.cve.org\/About\/Overview."},{"key":"e_1_3_2_1_13_1","volume-title":"Simple Analytics","author":"Analytics Simple","year":"2022","unstructured":"Simple Analytics. 2022. The privacy-first Google Analytics alternative. Simple Analytics, (2022). https:\/\/simpleanalytics.com."},{"key":"e_1_3_2_1_14_1","volume-title":"Krebs on Security, (Nov. 2021","author":"Krebs Brian","year":"2021","unstructured":"Brian Krebs. 2021. \"Trojan Source' Bug Threatens the Security of All Code. Krebs on Security, (Nov. 2021). https:\/\/krebsonsecurity.com\/2021\/11\/trojan-so urce-bug-threatens-the-security-of -all-code."},{"key":"e_1_3_2_1_15_1","volume-title":"Schneier on Security, (Nov. 2021","author":"Schneier Bruce","year":"2021","unstructured":"Bruce Schneier. 2021. Hiding Vulnerabilities in Source Code. Schneier on Security, (Nov. 2021). https:\/\/www.schneier.com\/blog\/archives\/2021\/11\/hiding -vulnerabilities-in-source-code.html."},{"key":"e_1_3_2_1_16_1","volume-title":"The Register, (Nov. 2021","author":"Corfield Gareth","year":"2021","unstructured":"Gareth Corfield. 2021. Trojan Source attack: Code that says one thing to humans tells your compiler something very different, warn academics. The Register, (Nov. 2021). https:\/\/www.theregister.com\/2021\/11\/01\/trojan_source_language _reversal_unicode."},{"key":"e_1_3_2_1_17_1","volume-title":"Gizmodo, (Nov. 2021","author":"Ropek Lucas","year":"2021","unstructured":"Lucas Ropek. 2021. Pretty Much All Computer Code Can Be Hijacked by Newly Discovered 'Trojan Source' Exploit. Gizmodo, (Nov. 2021). https:\/\/gizmodo.co m\/pretty-much-all-computer-code-can-be-hijacked-by-newly-1847974191."},{"key":"e_1_3_2_1_18_1","volume-title":"ZDNet, (Nov.","author":"Tung Liam","year":"2021","unstructured":"Liam Tung. 2021. Programming languages: This sneaky trick could allow attackers to hide 'invisible' vulnerabilities in code. ZDNet, (Nov. 2021). https:\/\/w ww.zdnet.com\/article\/this-sneaky-trick-could-allow-attackers-to-hide-invis ible-vulnerabilities-in-code."},{"key":"e_1_3_2_1_19_1","volume-title":"Computer Weekly, (Nov.","author":"Goodwin Bill","year":"2021","unstructured":"Bill Goodwin. 2021. Businesses and governments urged to take action over Trojan Source supply chain attacks. Computer Weekly, (Nov. 2021). https:\/\/w ww.computerweekly.com\/news\/252508879\/Businesses-and-governments-ur ged-to-take-action-over-Trojan-Source-supply-chain-attacks."},{"key":"e_1_3_2_1_20_1","volume-title":"Bleeping Computer, (Nov.","author":"Ilascu Ionut","year":"2021","unstructured":"Ionut Ilascu. 2021. 'Trojan Source' attack method can hide bugs into opensource code. Bleeping Computer, (Nov. 2021). https:\/\/www.bleepingcomputer .com\/news\/security\/trojan-source-attack-method-can-hide-bugs-into-opensource-code."},{"key":"e_1_3_2_1_21_1","volume-title":"LWN, (Nov.","author":"Edge Jake","year":"2021","unstructured":"Jake Edge. 2021. Trojan Source: tricks (no treats) with Unicode. LWN, (Nov. 2021). https:\/\/lwn.net\/Articles\/874951."},{"key":"e_1_3_2_1_22_1","volume-title":"Light Blue Touchpaper, (Nov. 2021","author":"Anderson Ross","year":"2021","unstructured":"Ross Anderson and Nicholas Boucher. 2021. Trojan Source: Invisible Vulnerabilities. Light Blue Touchpaper, (Nov. 2021). https:\/\/www.lightbluetouchpaper .org\/2021\/11\/01\/trojan-source-invisible-vulnerabilities."},{"key":"e_1_3_2_1_23_1","volume-title":"Trojan Source Attacks, Another Apple Settlement, & more on DevNews! DEV, (Nov.","author":"Yitbarek Saron","year":"2021","unstructured":"Saron Yitbarek and Josh Puetz. 2021. No More Contacting Employees Off Hours in Portugal, Trojan Source Attacks, Another Apple Settlement, & more on DevNews! DEV, (Nov. 2021). https:\/\/dev.to\/devteam\/no-more-contacting-e mployees-of f-hours-in-portugal-trojan-source-attacks-another-apple-settl ement-more-on-devnews-59i1."},{"key":"e_1_3_2_1_24_1","volume-title":"Cyberwire, (Nov.","author":"Bittner Dave","year":"2021","unstructured":"Dave Bittner. 2021. Trojan Source--a threat to the software supply chain. Ransomware goes to influence operations school. Triple extortion? Criminal target selection. Cyberwire, (Nov. 2021). https:\/\/thecyberwire.com\/podcasts\/daily-po dcast\/1451\/notes."},{"key":"e_1_3_2_1_25_1","volume-title":"GitHub, (Oct. 2021","year":"2021","unstructured":"GitHub. 2021. Warning about bidirectional unicode text. GitHub, (Oct. 2021). Retrieved Jan. 30, 2022 from https:\/\/github.blog\/changelog\/2021--10--31-warnin g-about-bidirectional-unicode-text."},{"key":"e_1_3_2_1_26_1","volume-title":"Atlassian, (Nov. 2021","year":"2021","unstructured":"Atlassian. 2021. Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021--42574. Atlassian, (Nov. 2021). Retrieved Jan. 31, 2022 from https:\/\/confluence.atlassian.com\/security\/multipl e-products-security-advisory-unrendered-unicode-bidirectional-override-c haracters-cve-2021--42574--1086419475.html."},{"key":"e_1_3_2_1_27_1","volume-title":"Retrieved","year":"2021","unstructured":"GitLab. 2021. GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6. (Oct. 2021). Retrieved Jan. 31, 2022 from https:\/\/about.gitlab.com\/releases\/2021\/10\/28\/secu rity-release-gitlab-14--4--1-released\/."},{"key":"e_1_3_2_1_28_1","volume-title":"Retrieved","year":"2021","unstructured":"Microsoft. 2021. Visual Studio Code: October 2021 (version 1.62). (Oct. 2021). Retrieved Jan. 31, 2022 from https:\/\/code.visualstudio.com\/updates\/v1_62."},{"key":"e_1_3_2_1_29_1","volume-title":"GNU, (Nov. 2021","author":"Zaretskii Eli","year":"2021","unstructured":"Eli Zaretskii. 2021. Better detection of potentially malicious bidi text. GNU, (Nov. 2021). Retrieved Jan. 31, 2022 from https:\/\/git.savannah.gnu.org\/cgit\/ema cs.git\/commit\/?id=b96855310efed13e0db1403759b686b9bc3e7490."},{"key":"e_1_3_2_1_30_1","volume-title":"Retrieved","author":"Security The Rust","year":"2021","unstructured":"The Rust Security Response WG. 2021. Security advisory for rustc (CVE-2021- 42574). (Nov. 2021). Retrieved Jan. 31, 2022 from https:\/\/blog.rust-lang.org\/202 1\/11\/01\/cve-2021--42574.html."},{"key":"e_1_3_2_1_31_1","volume-title":"Retrieved","author":"GNU.","year":"2022","unstructured":"GNU. 2022. GCC: Warning Options. (Jan. 2022). Retrieved Jan. 31, 2022 from https:\/\/gcc.gnu.org\/onlinedocs\/gcc\/Warning-Options.html."},{"key":"e_1_3_2_1_32_1","volume-title":"Julia v1.7 Release Notes. (Nov","author":"Project Contributors Julia Language","year":"2021","unstructured":"Julia Language Project Contributors. 2021. Julia v1.7 Release Notes. (Nov. 2021). https:\/\/docs.julialang.org\/en\/v1.7\/NEWS\/#Language-changes."},{"key":"e_1_3_2_1_33_1","volume-title":"Retrieved","author":"LLVM.","year":"2021","unstructured":"LLVM. 2021. New passes in clang-tidy to detect (some) Trojan Source. (Jan. 2021). Retrieved Jan. 31, 2022 from https:\/\/blog.llvm.org\/posts\/2022-01--12-troj an-source."},{"key":"e_1_3_2_1_34_1","volume-title":"Python Software Foundation, (Nov.","author":"Viktorin Petr","year":"2021","unstructured":"Petr Viktorin. 2021. PEP 672 -- Unicode-related Security Considerations for Python. Python Software Foundation, (Nov. 2021). https:\/\/www.python.org\/de v\/peps\/pep-0672."},{"key":"e_1_3_2_1_35_1","volume-title":"Call For Papers. 43rd IEEE Symposium on Security and Privacy, (2021","author":"IEEE.","year":"2021","unstructured":"IEEE. 2021. Call For Papers. 43rd IEEE Symposium on Security and Privacy, (2021). https:\/\/www.ieee-security.org\/TC\/SP2022\/cfpapers.html."},{"key":"e_1_3_2_1_36_1","volume-title":"Unicode, (Jan. 2022","author":"Davis Mark","year":"2022","unstructured":"Mark Davis, Robin Leroy, Peter Constable, and Markus Scherer. 2022. Avoiding Source Code Spoofing. Unicode, (Jan. 2022). https:\/\/www.unicode.org\/L2\/L202 2\/22007r2-avoiding-spoof.pdf."},{"key":"e_1_3_2_1_37_1","volume-title":"WEIS","author":"Camp L. Jean","year":"2002","unstructured":"L. Jean Camp. 2002. Marketplace incentives to prevent piracy: an incentive for security? WEIS, (2002)."},{"key":"e_1_3_2_1_38_1","volume-title":"WEIS","author":"Rescorla Eric","year":"2004","unstructured":"Eric Rescorla. 2004. Is finding security holes a good idea? WEIS, (2004). https: \/\/ieeexplore.ieee.org\/document\/1392694."},{"key":"e_1_3_2_1_39_1","volume-title":"WEIS, (2004","author":"Arora Ashish","year":"2004","unstructured":"Ashish Arora, Rahul Telang, and Hao Xu. 2004. Optimal policy for software vulnerability disclosure. WEIS, (2004). https:\/\/www.jstor.org\/stable\/20122417."},{"key":"e_1_3_2_1_40_1","volume-title":"WEIS","author":"Ozment Andy","year":"2005","unstructured":"Andy Ozment. 2005. The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. WEIS, (2005)."},{"key":"e_1_3_2_1_41_1","volume-title":"WEIS","author":"Arora Ashish","year":"2005","unstructured":"Ashish Arora, Ramayya Krishnan, Rahul Telang, and Yubao Yang. 2005. Ashish arora, ramayya krishnan, rahul telang, yubao yang. WEIS, (2005)."},{"key":"e_1_3_2_1_42_1","volume-title":"WEIS, (2006","author":"Sutton Michael","year":"2006","unstructured":"Michael Sutton and Frank Nagle. 2006. Emerging economic models for vulnerability research. WEIS, (2006). https:\/\/econinfosec.org\/archive\/weis2006\/docs \/17.pdf."},{"key":"e_1_3_2_1_43_1","volume-title":"Daily Mail","author":"Prigg Mark","year":"2015","unstructured":"Mark Prigg. 2015. Hackers reveal flaw in over 100 cars kept secret by volkswagen for two years: bug can be used to unlock everything from a kia to a lamborghini. Daily Mail, (2015)."},{"key":"e_1_3_2_1_44_1","volume-title":"This is How They Tell Me the World Ends","author":"Perlroth Nicole","unstructured":"Nicole Perlroth. 2020. This is How They Tell Me the World Ends. Bloomsbury Publishing, New York."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833581"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","unstructured":"C. Le Goues Y. Brun S. Apel E. Berger S. Khurshid and Y. Smaragdakis. 2018. Effectiveness of anonymization in double-blind review. Commun. ACM 61 6 (May 2018) 30--33. doi: 10.1145\/3208157.","DOI":"10.1145\/3208157"},{"key":"e_1_3_2_1_47_1","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199"}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564555","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3560835.3564555","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:09Z","timestamp":1750182549000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564555"}},"subtitle":["Analyzing an Industry-Wide Disclosure"],"short-title":[],"issued":{"date-parts":[[2022,11,8]]},"references-count":46,"alternative-id":["10.1145\/3560835.3564555","10.1145\/3560835"],"URL":"https:\/\/doi.org\/10.1145\/3560835.3564555","relation":{},"subject":[],"published":{"date-parts":[[2022,11,8]]},"assertion":[{"value":"2022-11-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}