Slashdot Mirror


The First Annual Underhanded C Contest

Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."

9 of 341 comments

  1. It's a bad idea by Anonymous Coward · · Score: 3, Interesting

    Count on the likes of Sun, Microsoft, and anyone else selling a non-C language to pounce on this as a marketing opportunity.

    C is a superb language. Why besmirch its reputation with a contest to make it seem as untrustworthy as possible?

  2. Attack the Compiler by LionKimbro · · Score: 4, Interesting

    Why attack the source code when you can instead attack the compiler?

    You need only attack the compiler, or the linker, or the interpreter.

  3. An example from years ago by exp(pi*sqrt(163)) · · Score: 4, Interesting

    There was a bug in the Watcom compiler for DOS many years ago. As a bug report I sent them a piece of code something like:

    char *s = "Fortune coookie";
    int *p = (int *)s;
    int i;
    for (i = 0; i < 4; ++i) {
        /* p is cast back to char *, so i should be scaled by sizeof(char) */
        putchar(((char *)p)[i]);
    }

    Looks innocent enough. But it actually printed an obscenity. There was a bug in the pointer addition code generated by the compiler so that even though (char *)p was a pointer to type char, it still used sizeof(int) to index into the array, and so it printed every 4th character. (And that explains why I used three o's.)
    --
    Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists?
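
Added example, not part of the original comment or the Watcom bug report: a C model of the index scaling described in comment 3, plus a sanity check a build can run to confirm that `((char *)p)[i]` is scaled by `sizeof(char)`. The 4-byte stride, the function names and the union buffer are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: the string from the comment, held in a union so that
   the int * cast below is correctly aligned. */
static union { int align; char text[16]; } buf = { .text = "Fortune coookie" };

/* Model of array indexing: element i is read at byte offset i * stride.
   stride 1 is correct for char; stride 4 models the miscompile described
   in the comment (assumption: 4-byte int). Returns the characters copied. */
size_t index_with_stride(const char *base, size_t len, size_t stride,
                         size_t count, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < count && i * stride < len; ++i)
        out[n++] = base[i * stride];
    out[n] = '\0';
    return n;
}

/* Build-time sanity check: 1 if ((char *)p)[i] is scaled by sizeof(char),
   0 if the generated code uses any other stride. */
int cast_index_scales_by_char(void)
{
    int *p = (int *)buf.text;
    for (size_t i = 0; i < 4; ++i) {
        volatile size_t k = i;          /* force a runtime index */
        if (((char *)p)[k] != buf.text[k])
            return 0;
    }
    return 1;
}

int main(void)
{
    char good[8], bad[8];
    index_with_stride(buf.text, strlen(buf.text), 1, 4, good);
    index_with_stride(buf.text, strlen(buf.text), 4, 4, bad);
    printf("stride 1 reads: %s\n", good);
    printf("stride 4 reads something else: %d\n", strcmp(good, bad) != 0);
    printf("compiler check: %s\n",
           cast_index_scales_by_char() ? "ok" : "MISCOMPILED");
    return 0;
}
```
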

  4. When will we see this pop up in the real world? by creative_Righter · · Score: 2, Interesting

    Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

    Oh dear, now we're rewarding people for writing actual malicious code that is designed to pass visual inspection from other programmers.

    When will these sorts of tricks eventually show up in actual voting machines or the gigantic corpus of financial code that's been hacked together?

    Or when will we start to find the underhanded tricks in things we use?

  5. easy by RailGunner · · Score: 2, Interesting

    The Windows Auto Blue screen... (yes, even XP still blows up on this):

    #include <stdio.h>

    int main(void) {
        for (int i = 0; i < 100000; i++)
            printf("\t\t\b\b\b\b\b");
        return 0;
    }

  6. Re:Here you go by Anonymous Coward · · Score: 1, Interesting

    I'll see your compile-time error and raise you a runtime error:

    template<class A, class B> inline bool operator != (A & left, B & right) { return left == right; }

    As an added bonus, most (all?) debuggers won't let you step into inlined code, making it even harder to detect.

  7. Re:Beer by spauldo · · Score: 2, Interesting

    They used to use the back section of planes to make ice cream (the cold and vibration from the propeller planes was perfect for it). It was air force tradition for quite some time.

    It really just depends on what kind of plane you're talking about. I'm sure there are areas on even modern large-body jets where there's an uninsulated section large enough for a keg.

    --
    Those who can't do, teach. Those who can't teach either, do tech support.

  8. Re:What are the legal ramifications of this? by Genrou · · Score: 2, Interesting

    Not the same paranoia as the previous post, but paranoia anyway. But the first thing that I thought was something like: "oh, so, this contest will show that malicious code can be inserted in open source and it will be very difficult to spot?" -- there is at least one software company that will like to point to it. Then again, I might actually be paranoid.

  9. Volunteer to help out! by real+gumby · · Score: 2, Interesting

    Clearly most of us should be submitting innocuous code to help camouflage the actual malign entries. That will make it harder for the judges to find badness. If you know that all the entries have some badness, then you'll look really hard. If you don't know which ones do, your checking gets worse.

    This would make the test more like the real world too.