I recently set up my Ada environment's GNAT compiler to warn me if UTF-8 characters (> ASCII-7) were being compiled, because even trusted developers might use A.I. that could manipulate their code without them noticing or knowing about it. Is anything like this possible for Flutter/dependencies?
In the early 80’s we had issues with diacritics (which even English uses, for instance, in résumé and naïve). 'Member using c, backspace and , to get Portuguese ç (exactly the same as German ß).
So glad we’re in the 21st century and no longer have these issues.
I don’t think you have realised the issue. I can isolate the need for UTF-8, or UTF-16 for that matter, in Ada to certain trusted files or implemented as ASCII. This means I can avoid source code attacks even if the file and Ada language server operate in UTF-8 mode. I am asking if these attacks can be avoided in Flutter? I wouldn’t be surprised if they cannot today, and A.I. makes the risk/attack vector much, much higher/worse.
Perhaps I need to explain. The Anthropic attack, coupled with the knowledge that jailbreaking LLMs is trivial to achieve and difficult to prevent, means that a remote attacker could make a trusted vendor's code do something differently to how it reads, and the dependency vendor we trust wouldn’t even know unless they have tests or tooling to catch it. A simple way to combat this is to only allow ASCII-7 characters as human-readable code, even if said code can create multibyte characters or ASCII-8. A Cyrillic a looks exactly like a, so even close inspection can’t identify that visually.
There’s no such thing as “ASCII-8”. Are you referring to one of the ISO-8859-[number] codes?
Feels rather naive to think that just by blocking specific characters, you are safe from AI-generated code. Yes, it might detect some AI-generated code, but if you can’t trust your developers, how can you then trust them not to just ensure there are no invalid characters?
You don’t make it clear what kind of usage you want to restrict to pure ASCII. E.g. do you also want to restrict string constants? Because I would think that would restrict your development a lot, since there are a lot of reasons to use UTF-8 characters in applications. E.g. localization but also emoji-based icons.
Do you mean class/variable/method names? Well, they are already not allowed to be non-ASCII in Dart.
So, are we just talking about code comments? If so, then limiting those to only ASCII is also going to be painful, since there can be a lot of useful UTF-8 characters for making e.g. figures in comments. And you also don’t want your developers to stop writing comments to decrease the risk of being detected by your simple “AI detector”.
Yes, sorry, I just made up the term to cover the various 8-bit ISO systems.
I specifically said that the developers are trusted but they don’t know that the AI is compromising them. Like the Bidi control characters, the concern is the AI is instructed (remotely) to help you by making code look like it does one thing but actually does another. So a shadow variable here looks like the same variable that was previously used but it has a different a and so is always False, and obviously many variations of the idea.
Perhaps that avoids the issue (for people who actually read and understand the code at least). I shall have to test that out. I’m surprised if, as you say, UTF-8 characters aren’t allowed in actual variable names. I believe they’re allowed by default in Ada with Alire these days.
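Added example, not part of any post in this thread: a Python pre-commit or CI check that applies the ASCII-only policy discussed above to Dart source, naming each non-ASCII code point and flagging Bidi control characters in every file. The `lib/l10n/*.dart` allowlist and the sample text are assumptions made for illustration.

```python
import sys
import unicodedata
from fnmatch import fnmatch

# Bidi embeddings/overrides (U+202A-202E) and isolates (U+2066-2069).
# These are flagged in every file, allowlisted or not.
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))

# Hypothetical allowlist: files expected to hold non-ASCII text.
TRUSTED_GLOBS = ["lib/l10n/*.dart"]


def scan_source(path, text, trusted_globs=TRUSTED_GLOBS):
    """Return findings as (line, column, 'U+XXXX', unicode_name, kind)."""
    trusted = any(fnmatch(path, g) for g in trusted_globs)
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                kind = "bidi-control"
            elif cp > 0x7F and not trusted:
                kind = "non-ascii"
            else:
                continue
            # The code point name exposes look-alikes a reviewer cannot see.
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((line_no, col, f"U+{cp:04X}", name, kind))
    return findings


# Constructed sample: a Cyrillic "a" in a comment and a bidi override in a string.
SAMPLE = (
    "bool isAdmin = false;\n"
    "// check \u0430dmin flag\n"
    "var msg = 'ok\u202e';\n"
)

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for f in scan_source(path, fh.read()):
                failed = True
                print(f"{path}:{f[0]}:{f[1]}: {f[4]} {f[2]} {f[3]}")
    sys.exit(1 if failed else 0)
```

Run against the files in a change set, the script exits non-zero when anything is found, so it can gate a commit or a dependency update.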
It was considered for a period of time but was then finally rejected exactly for the security vulnerabilities you are trying to prevent: