Slashdot Mirror

← Back to Stories (view on slashdot.org)

The First Annual Underhanded C Contest

Posted by CowboyNeal on from the delightfully-malicious dept.

Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."

9 of 341 comments (clear)

  1. Re:What are the legal ramifications of this? by anthony_dipierro · · Score: 4, Insightful

    The authorities start a contest such as this, an unsuspecting programmer submits a malicious program, and he or she is arrested and charged with a variety of computer crimes.

    What computer crimes would be broken?

    Frankly, I won't participate in this contest considering the current legal state of America.

    No, you won't participate because of yor current state of paranoia over the legal state of America.

  2. Story is just plain bad by typical · · Score: 3, Insightful

    Everyone knows that it is possible to write malicious code in C. That's just because C gives you the near utmost control over your system, and does not discrminiate based on human emotions like "good", "bad", and "malicious". Perhaps a better idea would have been to try to write malicious code in a language such as Java, which tries to prevent a programmer from writing such code. That would be a real challenge.

    Yeah, I just flip the "+good +bad -malicious" flags on javac when I want to trust code. Come on, that's ridiculous.

    This is not a hard task, but it's kind of stupid, on the order of "who can break into the most computers today" (I dunno, who can run nmap the longest?)

    There are so many *interesting* things that could be done as a programming contest, and the submitter chose something that's a pain in the ass for other people, doesn't really challenge the brain ("shortest version of X"), and can't be used for much other than bogus arguments that "C is dangerous" or the obvious card, "Open Source is insecure" (you can look at the much larger sample set of SourceForge and the lack of Trojans implanted and later discovered).

    The number of *interesting* security stories that could have challenged people and been useful is legion. "Can we have a system that is unbreakable and does X", (followed by the inevitable followup posts where people punch holes in the design) or other things. You could have asked "How can OSS projects avoid allowing malicious code being sumitted?", which would have started an interesting set of threads from people who work on proof-carrying code, would have taught readers something, and maybe provided improved security for the world at large. Instead, we're going to see a handful of bad, obfuscated C, and a bunch of halfassed arguments against C and OSS, neither of which has much connection with reality. There will be some language arguments, where someone says "we should use [LANGUAGE_WITH_BOUNDSCHECKING]", some security guy that will point out that this doesn't begin to avoid stopping malicious code, someone will make some stupid arguments about how their favorite OS is more secure than anyone else's, we'll get some rehash of NX features that have been done time and time again on Slashdot...seriously, goddammit. The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day is the day I jump ship.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
  3. Why? by simulacrum25 · · Score: 4, Insightful

    Hacking was never about malicious behaviour, it was about learning and understanding. Granted, much of what one learned could be applied in malicious ways, but that wasn't the goal. Coding contests whether they be geared towards obfuscation or speed are still learning endeavors.

    Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.

    1. Re:Why? by Nf1nk · · Score: 5, Insightful

      To find subtley malicous code in an open source project, we first must know what it looks like. Having contests like these creates a sample base of dangerous code and clever tricks to read and learn from.
      It is sort of like the computer version of a bomb squad.

      --
      I used to have a cool sig, back when I cared
  4. Re:It's a bad idea by Catamaran · · Score: 4, Insightful
    C gives you just enough rope to hang yourself.

    Java gives you a polished floor on which you can slip and break your neck.

    C++ gives you a thermo-nuclear device.

    --
    Test 1 2 3 4
  5. Re:in other words... by grammar+fascist · · Score: 3, Insightful

    On a more serious note - they should rethink their prize. Not everyone drinks beer, and there are plenty of talented programmers who avoid it completely. In fact, the ones who do probably have more working brain cells to throw at the problem.

    Yes, I know that must come as a shock, and most people here probably won't believe me...yet it's true.

    (And just to head off the inevitable nutcase looking for a Score:5, Funny: no, replacing the prize with free pr0n isn't going to cut it. :p)

    --
    I got my Linux laptop at System76.
  6. You're just not used to it. by Tyler+Durden · · Score: 4, Insightful
    Problems: difficult to compile

    A picky compiler is a blessing, not a curse. It's much easier to identify and fix compile errors than run-time errors.

    difficult to convert to better languages (thank you preprocessor)

    Meaningless troll.

    encourages obfuscation

    Unless the compiler is literally holding a gun to your head, this is meaningless. In C you have nearly limitless control to write your code the way you feel is clearest. If it came out obfuscated then you have nobody to blame but yourself.

    some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings.

    Tacked on? If you don't like the way constructs are set up then fine, that's your opinion. But if you read The C Programming Language you can tell that every single construct was scrutinized over for the proper balance of efficiency (why it makes sense to pass array parameters as pointers and structs as copies) and consistency (why data types are declared the way they are. Declaration and use of data is made to match.) Do you honestly believe the creators/first users of C, some of the greatest programmers who ever lived, really said, "Ahhh, fuck it. Let's just throw something together," when designing their own programming tools?

    Most people who don't like C are really just saying they don't like low-level programming because that's what it was designed for, and that's what it's perfect for. Too many newbie programmers get used to some modern, flash-in-the-pan, all-things-to-all-people languages and when they are faced with the challenges of low-level languages rashly conclude that it's the language's fault they're having problems.

    C is the perfect language for the job it was designed for. The same cannot be said for most more modern languages.

    --
    Happy people make bad consumers.
    1. Re:You're just not used to it. by csirac · · Score: 3, Insightful

      I think it is very odd you can't believe we're still using C in operating systems. What the other language are we going to use for this task?

      Are you really going to want to wait 100s of milliseconds for a garbage collector to run at arbitrary intervals in your carefully word aligned DMA transaction code that needs to run within a matter of microseconds? And how exactly is Python, LISP, or any other interpreted/dynamic runtime compiled language going to be used to write a task scheduler or memory managment system worthy of being used in an OS kernel or embedded MCUs with barely 16KiB RAM?

      I think you're quite bitter about having to use C for writing applications, which I can perfectly understand. As for what C is actually MEANT for, it does the job quite well. And yes, the preprocessor issues suck, and it would be nice to have Pascal strings, but there really is no alternative to C that I have seen for low-level programming. It makes computer science purists who think everyone should program in Haskell or LISP feel dirty, but it does the job very well. It sure beats writing directly in ASM.

  7. Re:C is an awful language by jejones · · Score: 3, Insightful

    Well...

    C is good for what it was first used for: writing Unix. At least initially, it was mimimalistic; orthogonality took a back seat to ease of implementation. (See Gabriel's classic essay for details.)

    (It's certainly not flawless. Any language that needs a utility like cdecl to make declarations understandable has problems, and there should've been a Boolean type from the beginning. It would be nice if char (which should be whatever represents a glyph on the target system) weren't conflated with short short int. Basically, if C were in your back yard, it would be declared an "attractive nuisance.")

    I think the authors of The Art of Unix Programming wisely recognize that C, like any other tool, should be used only where appropriate. (Sorry if that's tautological, but I can't think of a better way to put it.)