Domain: xcott.com
Stories and comments across the archive that link to xcott.com.
Comments · 64
-
Underhanded C contest
You, my friend, should take part in the "Underhanded C" contest.
-
Re:Put your tinfoil hat on
You deserve mod points if I had them because you touch on an important issue that just doesn't seem to be discussed publicly. Is the scrutiny of open source submissions good enough? How are sources gauged for trustworthiness? It's always bothered me how much security is assumed in the million eyes principle.
Sure, Android is open source, but Google's default applications are closed source. In fact, developers of aftermarket mods have gotten into trouble for including apps such as Google Maps, Gtalk etc. http://mobile.slashdot.org/story/09/09/29/1510232/Android-Modder-Tries-To-Outmaneuver-Google?from=rss Even if the OSS portion of the OS is clean, who knows what these collect and send back to Google?
Tighten your tinfoil hats or even consider another layer of foil. You can indeed have perfectly innocent-looking code that even does what it appears to be coded for, but can indeed do something malicious. http://underhanded.xcott.com/ (I think they should award extra points for getting your code approved for the iPhone/iPad App store and an instant first place win for getting your code into an open project)
I have to wonder if this technique has been used to get a back door into an OSS application at any point. We wouldn't necessarily know about it. When found, often the code could appear to be just a mistake or common vulnerability, having perhaps been made to look that way, and someone will fix it there and then. It's not implausible that vulnerabilities have been intentionally injected into open projects.
-
Underhanded C contest
Since Apple has an apparently arduous approval process for their app store, I'm assuming that they guarantee everything against this sort of foolishness.
And I sense that we've discovered next year's Underhanded C Contest theme.
"Design a piece of code that looks like a genuine mobile funny game, but in fact turns the smartphone into a zombie node of a powerful and evil bot-net..."
"Bonus point if your game actually passes Apple's App Store certifications".
I can really see it coming :-D
-
Trade Secrets
I can see it already, the financial institutions will all cry "but these magical formulas are what makes us money and if we make them available our competitors will be able to use them too"! And of course they would also scramble to hire some of the winners of the Underhanded C Contest: http://underhanded.xcott.com/
-
Re:Tell me how many.
So you're telling me whitelisting is going to give fewer false positives than current AV? That software updates will always be whitelisted before any user has a chance to download them?
The current crop of whitelisting software is nowhere near that good, and I doubt we will get there anytime soon. The whitelisted software is more trustworthy, but there are a huge number of packages that are missed. In a corporation you can set them to ask permission from your IT staff, who might be able to evaluate the software, but real-time updates for whitelisted AV for any sizable fraction of software out there is still a pipe dream at the moment. The only way for this to work is for software vendors to submit their programs to the whitelisters and wait until verification before releasing, creating a vetting model much like Apple's app store. Unfortunately, without that, whitelisting won't work for the home user, so there's no benefit for them to use it. And if there's not a critical mass of users, there's no advantage for the software producers to deal with that gatekeeper either.
As Windows Vista showed, popups have to be really infrequent to be of any use. Once you ask the average user something more than 10 times or so, they've stopped considering the real threat at that point, and just say yes to anything.
Also, we have the problem that evaluating software for whitelisting is really hard and complicated. Hiding malicious code for VMs, time limiting bugs, and other nasty tricks can be used to get around it. For good examples of how hard a problem this is, see the underhanded C contest: http://underhanded.xcott.com/
-
Re:He's just bitching
You know, your post just made me realize that Microsoft has made a good entry for perhaps next year's Underhanded C Contest: write some innocent-looking code that is supposed to randomize a selection, but fails to do so fairly and favors certain selections over others.
-
Or Underhanded C contest?
http://underhanded.xcott.com/ doesn't mention anything about last year's winners, and the contest ended almost 5 months ago. The one time I bother sending a submission to these kinds of contests, the contest appears to die :(
-
Re:Don't bother
Ever heard of the Underhanded C contest?
-
How reliable is their random number generator?
I see that one of the chips in question is for a random number generator. Despite providing documentation/specs on how this chip runs, to make it possible to write free drivers, it's not the same as having the actual source code for the chip. With any other type of chip this would be well and good, but with random number generators, you can't really test them, and will need to rely on examination of the source code to prove that it works. Even then, it would not be that easy -- see the Underhanded C Contest of 2007, in which people write encryption programs, and they work, and the source is open to inspection -- and they STILL provide a back door to allow the encryption to be broken. (Man, that Underhanded C Contest is pretty scary.)
I hope the kernel developers and other programmers give us a choice whether to use random numbers from the Padlock chip or from some other source. Me, I'll just plug my blinded webcam into my USB port and multiply it into any random stream for good measure.
-
Kind of makes the underhanded code contest
hit closer to home, perhaps? A quick glance at some of those code snippets and they can be easily missed. Now place them in large applications with thousands upon thousands of lines of code and who knows how long it'll take to find them.
-
Doesn't have to be black
I think the most important thing is that, according to the FAQ, it doesn't have to be black, although I'm pretty sure someone will get bonus points for figuring out a way to hide something in a black overlaid rectangle.
-
Re:Where are past year's results?
-
Re:Hmm...
Now we can speculate what the author's intentions behind the contest are.
I think their FAQ addresses most points pretty well:
http://underhanded.xcott.com/?page_id=7
I hope it sensitizes open source programmers to take great care with people's submissions to their projects. Only good can come from that.
-
If we each think someone else checked the source?
Why only closed source applications? I don't think most people read the entire sources of open source applications that they use.
Not everyone has to, just one person.
> When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code
Good point, but it's not as simple as you seem to think. For large and far-reaching projects like Linux (the kernel) or Samba, yes, there are many hobbyists who have looked over the code. Not so for small projects, little novelty programs or handy-to-use utilities; there, any hobbyists would probably not go over the code with a fine-toothed comb, and just read over the gist of the code more to understand it than to make sure it's not doing something nasty. You'd be relying on the developers, but if they had malicious intent, it's not like they're going to announce that their open source program has a trojan embedded.
You know what I would do, if I wanted to do something nasty? Suppose for a moment I was strongly motivated to exploit other people's computers using open-source software -- say I was paid to bring a DDOS attack against some arbitrary website as part of a protection racket, or something. I'd write an open-source program; given enough time and motivation, I might even fork off some useful but immature OSS program. I'd embed some nasty stuff in there, and add features to make lots of people want it. (Example: I take the on-screen clock in KDE (or GNOME) and make it announce the time out loud -- kinda "cool" but doesn't take that much development effort.) I would upload it to some reputable site, like SourceForge. I might even fabricate a "development team", complete with different email addresses for various team members.
Do you really think other people are going to read over my source code? Only those people who are interested in extending and contributing to my sources would do so. That would take at least a few months, and before that, I'd probably have recruited a sizeable botnet.
Even if someone did look over the source code, the malicious part of it might not be that easy to spot. Check out the Underhanded C contest, where people write innocent-looking programs that do subtle but nasty things. I remember the inaugural contest, which was to make a simple, straightforward vote-counting program that would give George Bush more votes, but ONLY on November second, and not on any other date. I thought, "How could someone possibly sneak something underhanded in there, and not have the malicious code stick out like a sore thumb? Haven't people heard of syntax highlighting?" And then, lo and behold, there were programs that did exactly as requested, looking for all the world like an innocent program, with no obvious funny-looking code on syntax highlighting, and counted the votes correctly on November first and third, but on November second, suddenly George Bush got more votes! The winning program used a pointer overflow and took advantage of the fact that the word "second" (as in "November second") had one more letter than "first" or "third", creating a buffer overflow only when the date string was too long. Since then, there have been three more contests.
That brings me to my somewhat off-topic point: I wish we could have some mechanism for peer review, a corps of OSS programmers (probably volunteers) who would go over code and sign it as reviewed. For example, someone might say, "I've reviewed the GUI portion of GNOME Evolution, and didn't see anything malicious." He would GPG-sign the source code, and we the community could evaluate this based on how well-known the programmer is -- Bruce Perens might have more credibility than Ann Onymous Coward, for example. We might establish a database of reviewed pieces of code. And someone spotting some funny behaviour might put in a request to revi