What is Algorithme bidirectionnel?

Algorithme déterminant l'ordre d'affichage des caractères dans un texte à direction mixte (par ex. anglais + arabe), en utilisant les catégories bidi des caractères et les substitutions directionnelles explicites.

What is RTL (Right-to-Left)?

Directionnalité du texte dans laquelle les caractères s'écoulent de droite à gauche. Utilisée par l'arabe, l'hébreu, le thaana et d'autres écritures ; nécessite l'algorithme bidirectionnel pour un affichage correct.

Sécurité

Attaque par substitution bidirectionnelle

Utilisation de caractères de substitution bidirectionnelle Unicode (U+202A–U+202E, U+2066–U+2069) pour déguiser des noms de fichiers ou du code malveillant. 'readme‮fdp.exe' s'affiche comme 'readmeexe.pdf'.

2024-11-04 · Updated 2025-07-03

What is a Bidi Override?

A bidi override is a Unicode text manipulation technique that uses bidirectional (bidi) control characters to reverse or scramble the display order of characters on screen, making text appear different from what it actually contains. Because many writing systems — Arabic, Hebrew, Persian, Urdu, and others — are written right-to-left (RTL), Unicode includes a bidirectional algorithm (Unicode Standard Annex #9) and a set of invisible control characters to control text direction. Attackers exploit these characters to disguise the true content of filenames, URLs, source code, and messages.

The Bidirectional Algorithm

Unicode's Bidirectional Algorithm (UBA) determines the display order of characters in mixed-direction text. It works automatically for most text — Arabic runs right-to-left, Latin runs left-to-right, and they are visually arranged correctly. The bidi control characters allow authors to override or modify this automatic behavior.

The most dangerous characters for security purposes are:

Character	Code Point	Name	Effect
RLO	U+202E	RIGHT-TO-LEFT OVERRIDE	Forces all following characters to display RTL
LRO	U+202D	LEFT-TO-RIGHT OVERRIDE	Forces all following characters to display LTR
RLE	U+202B	RIGHT-TO-LEFT EMBEDDING	Creates RTL embedding level
LRE	U+202A	LEFT-TO-RIGHT EMBEDDING	Creates LTR embedding level
PDF	U+202C	POP DIRECTIONAL FORMATTING	Ends the most recent override or embedding
RLI	U+2067	RIGHT-TO-LEFT ISOLATE	Isolates RTL section
LRI	U+2066	LEFT-TO-RIGHT ISOLATE	Isolates LTR section

Attack Scenarios

Filename spoofing (the classic attack) A malicious executable can be named to appear as a harmless document. For example, the actual filename might be stored as:

evil[RLO]fdp.exe

When rendered, the RLO character causes everything after it to display right-to-left. The screen shows: evil.pdf — the .exe extension is hidden and the fdp becomes pdf in the reversed display. Users believe they are opening a PDF file.

This attack was actively used in malware distribution, particularly in USB-spread worms and email attachments, and was exploited in targeted attacks against energy companies and government systems around 2011–2012.

Source code backdoors (CVE-2021-42574, "Trojan Source") Described by researchers Nicholas Boucher and Ross Anderson at Cambridge in 2021, the Trojan Source attack embeds bidi override characters inside code comments or string literals. The source code renders differently in a text editor (which respects bidi) than it is actually interpreted by the compiler (which ignores bidi control characters in code). An attacker can make a security check appear to be inside an if block when it is actually outside, or hide an entire malicious code path inside what appears to be a comment.

URL obfuscation Bidi overrides in URLs displayed in browser status bars or email clients can make a malicious domain appear to be a legitimate one.

Mitigations

Compilers and interpreters: After CVE-2021-42574, GCC, Clang, Rust, Go, Python, and others added warnings or errors for bidi override characters in source code
Code editors: VS Code, Vim, and others added visual indicators for bidi control characters
File managers: Modern operating systems show warnings for filenames containing bidi overrides
Email clients: Display raw filenames or strip bidi characters from attachment names

Quick Facts

Property	Value
Primary control character	U+202E RIGHT-TO-LEFT OVERRIDE (RLO)
Governing algorithm	Unicode Standard Annex #9 (UAX#9)
Notable CVE	CVE-2021-42574 (Trojan Source)
Trojan Source researchers	Boucher & Anderson, Cambridge, 2021
Affected surfaces	Filenames, source code, URLs, messages
Compiler responses	GCC, Clang, Rust, Go, Python all patched in 2021
Legitimate use	Displaying Arabic/Hebrew mixed with Latin text

Termes associés

Algorithme bidirectionnel RTL (Right-to-Left)

Plus dans Sécurité

Attaque par homographes IDN

Utilisation de caractères Unicode visuellement similaires dans les noms de domaine pour …

Bidi Text Attack

Exploiting Unicode bidirectional control characters to disguise malicious code or filenames. The …

Caractère confusable

Le terme officiel d'Unicode pour les paires de caractères pouvant être confondues …

Détection de scripts mixtes

Identification d'un texte mélangeant des caractères de différentes écritures (p. ex., latin …

Homoglyphe

Caractères de différentes écritures qui se ressemblent de façon identique ou très …

Normalization Attack

Exploiting Unicode normalization to bypass security filters. Input validated before normalization may …

Usurpation d'identité Unicode

Utilisation des fonctionnalités Unicode pour tromper les utilisateurs : homoglyphes pour de …

Zero Width Joiner (ZWJ)

U+200D. Demande la jonction des caractères adjacents. Essentiel pour les séquences d'emoji …

Zero Width Non-Joiner (ZWNJ)

U+200C. Empêche la jonction des caractères adjacents. Essentiel en persan/arabe pour les …

← Retour au glossaire