供应链安全 on Answer

供应链安全 on Answer https://answer.freetools.me/tags/%E4%BE%9B%E5%BA%94%E9%93%BE%E5%AE%89%E5%85%A8/ Recent content in 供应链安全 on Answer Hugo -- 0.152.2 zh-cn Sun, 15 Mar 2026 07:27:56 +0800 当信任成为攻击武器：代码签名如何被系统性地武器化 https://answer.freetools.me/%E5%BD%93%E4%BF%A1%E4%BB%BB%E6%88%90%E4%B8%BA%E6%94%BB%E5%87%BB%E6%AD%A6%E5%99%A8%E4%BB%A3%E7%A0%81%E7%AD%BE%E5%90%8D%E5%A6%82%E4%BD%95%E8%A2%AB%E7%B3%BB%E7%BB%9F%E6%80%A7%E5%9C%B0%E6%AD%A6%E5%99%A8%E5%8C%96/ Sun, 15 Mar 2026 07:27:56 +0800 https://answer.freetools.me/%E5%BD%93%E4%BF%A1%E4%BB%BB%E6%88%90%E4%B8%BA%E6%94%BB%E5%87%BB%E6%AD%A6%E5%99%A8%E4%BB%A3%E7%A0%81%E7%AD%BE%E5%90%8D%E5%A6%82%E4%BD%95%E8%A2%AB%E7%B3%BB%E7%BB%9F%E6%80%A7%E5%9C%B0%E6%AD%A6%E5%99%A8%E5%8C%96/ 当信任成为攻击武器：代码签名如何被系统性地武器化一行看不见的字符如何让编译器背叛你：从Unicode双向文本到Trojan Source的供应链暗战 https://answer.freetools.me/%E4%B8%80%E8%A1%8C%E7%9C%8B%E4%B8%8D%E8%A7%81%E7%9A%84%E5%AD%97%E7%AC%A6%E5%A6%82%E4%BD%95%E8%AE%A9%E7%BC%96%E8%AF%91%E5%99%A8%E8%83%8C%E5%8F%9B%E4%BD%A0%E4%BB%8Eunicode%E5%8F%8C%E5%90%91%E6%96%87%E6%9C%AC%E5%88%B0trojan-source%E7%9A%84%E4%BE%9B%E5%BA%94%E9%93%BE%E6%9A%97%E6%88%98/ Sat, 07 Mar 2026 20:40:59 +0800 https://answer.freetools.me/%E4%B8%80%E8%A1%8C%E7%9C%8B%E4%B8%8D%E8%A7%81%E7%9A%84%E5%AD%97%E7%AC%A6%E5%A6%82%E4%BD%95%E8%AE%A9%E7%BC%96%E8%AF%91%E5%99%A8%E8%83%8C%E5%8F%9B%E4%BD%A0%E4%BB%8Eunicode%E5%8F%8C%E5%90%91%E6%96%87%E6%9C%AC%E5%88%B0trojan-source%E7%9A%84%E4%BE%9B%E5%BA%94%E9%93%BE%E6%9A%97%E6%88%98/ 深入解析Unicode双向文本(Bidi)算法如何被滥用于Trojan Source攻击，通过Bidi控制字符让源代码在人类视觉和编译器解析之间产生致命分歧。文章涵盖Bidi算法的技术原理、隔离混洗攻击、三种主要利用技术（早期返回、注释隐藏、字符串拉伸）、同形字攻击变体，以及GCC、Clang、GitHub等工具的防御方案。锁文件的两难困境：为何确定性构建的守护者成了攻击者的捷径 https://answer.freetools.me/%E9%94%81%E6%96%87%E4%BB%B6%E7%9A%84%E4%B8%A4%E9%9A%BE%E5%9B%B0%E5%A2%83%E4%B8%BA%E4%BD%95%E7%A1%AE%E5%AE%9A%E6%80%A7%E6%9E%84%E5%BB%BA%E7%9A%84%E5%AE%88%E6%8A%A4%E8%80%85%E6%88%90%E4%BA%86%E6%94%BB%E5%87%BB%E8%80%85%E7%9A%84%E6%8D%B7%E5%BE%84/ Sat, 07 Mar 2026 11:32:20 +0800 https://answer.freetools.me/%E9%94%81%E6%96%87%E4%BB%B6%E7%9A%84%E4%B8%A4%E9%9A%BE%E5%9B%B0%E5%A2%83%E4%B8%BA%E4%BD%95%E7%A1%AE%E5%AE%9A%E6%80%A7%E6%9E%84%E5%BB%BA%E7%9A%84%E5%AE%88%E6%8A%A4%E8%80%85%E6%88%90%E4%BA%86%E6%94%BB%E5%87%BB%E8%80%85%E7%9A%84%E6%8D%B7%E5%BE%84/ 锁文件是确定性构建的基石，但也是供应链攻击的隐形后门。本文深入分析锁文件的设计权衡、安全陷阱和不同包管理器的实现差异，揭示确定性构建背后的复杂性博弈。