Slashdot Mirror


Underhanded C Contest announces winners

Matthew Skala writes "The 2005 Underhanded C Contest has announced its winners: the team entry from M Joonas Pihlaja and Paul V-Khuong, and the solo entry from Natori Shin. The contest (which appeared on Slashdot in June) tests programmers' ability to hide malicious behaviour in innocent-seeming code, making it a kind of evil shadow twin to the International Obfuscated C Contest."

150 comments

  1. Just what the world needs... by goldspider · · Score: 2, Interesting

    ...more malicious code writers.

    Thanks be to Slashdot for giving them the recognition/praise they so richly deserve.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Just what the world needs... by Anonymous Coward · · Score: 0

      Hide in plain sight was a bitch of an ability in NWN too ;)

    2. Re:Just what the world needs... by Snoolas · · Score: 2, Insightful

      Better have them writing code for contests than having them writing real malicious code that will actually affect the public...

    3. Re:Just what the world needs... by Jeremi · · Score: 2, Insightful

      ... countered by a larger number of more alert code readers. Hopefully it comes out to a win for the Good Side.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:Just what the world needs... by No+Salvation · · Score: 0

      People shouldn't stay completely ignorant of how malicious code works, to prevent this kind of thing you need to know what to look out for.

      --
      I'm agneglectic, too lazy to care if there is a God.
    5. Re:Just what the world needs... by Acts+of+Attrition · · Score: 2, Insightful

      Right, I'm sure they're only allowed to pick one or the other.

  2. A-ha by Anonymous Coward · · Score: 2, Funny

    But Microsoft built a whole operating system based on the principle.

  3. Cool by Anonymous Coward · · Score: 0

    Nice... Haven't heard of this before. Are there licenses to stop malicious uses of the code?

    1. Re:Cool by Anonymous Coward · · Score: 0

      Too bad Microsoft didn't patent this technique before they implemented it. Not that they'd shy away from licensing it. So, on second thought, we're all better off just paying our yearly Anti-Virus program tax.

  4. Bill Gates Entry by bjorniac · · Score: 5, Funny

    Microsoft Word XP was rejected because the code had to seem innocent...

    1. Re:Bill Gates Entry by makomk · · Score: 5, Interesting

      Very true. For those of you who don't get it, one of the winners uses a technique very similar to the way Word (all versions AFAIK) leaks data into documents - an uninitialised buffer.
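      The leak pattern mentioned above, as an added example that is not code from Word or from any contest entry: a fixed-size record writer that reuses one scratch buffer and always emits the whole buffer, so bytes left behind by an earlier record travel out with the next one. The record size, the payloads and the function names are all constructed for the illustration; the fixed variant simply clears the buffer before each record.

```c
/* Added example (constructed; not from Word or from the contest):
 * a stale-buffer leak and its fix. */
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 32   /* constructed fixed record length */

/* One scratch buffer shared between calls, standing in for a reused
 * heap buffer in a document writer. */
static unsigned char scratch[RECORD_SIZE];

/* Leaky writer: copies the payload into the scratch buffer and hands
 * back all RECORD_SIZE bytes.  Nothing clears the tail, so whatever the
 * previous record left behind the payload is emitted too. */
size_t write_record_leaky(const char *payload, unsigned char *out)
{
    size_t n = strlen(payload);
    if (n > RECORD_SIZE)
        n = RECORD_SIZE;
    memcpy(scratch, payload, n);          /* tail of scratch untouched */
    memcpy(out, scratch, RECORD_SIZE);
    return RECORD_SIZE;
}

/* Fixed writer: clear the whole buffer before every record, so the
 * bytes after the payload are always zero. */
size_t write_record_fixed(const char *payload, unsigned char *out)
{
    size_t n = strlen(payload);
    if (n > RECORD_SIZE)
        n = RECORD_SIZE;
    memset(scratch, 0, RECORD_SIZE);
    memcpy(scratch, payload, n);
    memcpy(out, scratch, RECORD_SIZE);
    return RECORD_SIZE;
}

/* Returns 1 if needle occurs anywhere inside a RECORD_SIZE-byte record,
 * which is how a reader would spot leaked data in the emitted file. */
int record_contains(const unsigned char *rec, const char *needle)
{
    size_t len = strlen(needle);
    for (size_t i = 0; i + len <= RECORD_SIZE; i++)
        if (memcmp(rec + i, needle, len) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char rec[RECORD_SIZE];
    /* Constructed payloads: a secret written first, a harmless one after. */
    write_record_leaky("password=hunter2", rec);
    write_record_leaky("hello", rec);
    printf("leaky writer leaks secret: %d\n", record_contains(rec, "hunter2"));
    write_record_fixed("password=hunter2", rec);
    write_record_fixed("hello", rec);
    printf("fixed writer leaks secret: %d\n", record_contains(rec, "hunter2"));
    return 0;
}
```

The second leaky call emits "hello" followed by the tail of the earlier secret, which is exactly the shape of leak a file-format parser or a forensic grep finds in documents written by such code.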

    2. Re:Bill Gates Entry by bjorniac · · Score: 0

      Right, I seem to remember someone exploiting with a malformed .doc file - something about the data being longer than was specified opening another copy of the same document ad infinitum.

    3. Re:Bill Gates Entry by Richard_at_work · · Score: 5, Interesting

      Found an interesting thing at work recently, during trials of VB.net and the .Net framework. Our VB.net programmer's applications worked right up until one day, when suddenly, they stopped working. Simple things like messages in Message Boxes stopped appearing, or labels on buttons went astray, mouse cursor changes on mouseover events showing black boxes instead of the image. Very weird we thought. He reinstalled the .Net framework, VS.Net, everything he could think of but nothing rectified the problems. We eventually found out what the problem was - McAfee Virus protection now includes buffer overrun protection. Turn that off, and everything worked fine. Weird, just weird.

    4. Re:Bill Gates Entry by thc69 · · Score: 1

      Are you saying that your programs somehow depend on buffer overruns, or that McAfee's BOP is broken?

      --
      Procrastination -- because good things come to those who wait.
    5. Re:Bill Gates Entry by Richard_at_work · · Score: 1

      I'm saying that the internal workings of .Net are ... interesting, or that McAfee's BOP is broken. Our programs don't rely on buffer overruns, it's all bog standard vb.net and the problem can be reproduced using small apps.

    6. Re:Bill Gates Entry by homesteader · · Score: 2, Informative

      This may very well be due to a bug in McAfee VirusScan 8.0i, assuming that is what you are running. There was a bug fixed by Patch 6, I think. Patches are cumulative, so you can just apply Patch 11 and the problem should be fixed.

      Patches are not available from the public download location. You may need to have a support contract to get them.

  5. good to see by garat · · Score: 5, Insightful

    Having a contest like this has similar positive aspects as full disclosure concerning vulnerabilities; by providing examples of how it's done, people will be better able to spot such attempts were they to occur. I'm happy to see this contest being held.

    --
    Support alternatives to Paypal: http://www.e-gold.com
  6. I'll tell you what's underhanded by Weaselmancer · · Score: 4, Funny

    Stashing all the entries in a 1.1M archive rather than posting links to the code. No way I'm going to download that just to see what all the fuss is about.

    --
    Weaselmancer
    rediculous.
    1. Re:I'll tell you what's underhanded by RAMMS+EIN · · Score: 4, Funny

      Moreover, who knows the archive isn't exploiting some buffer overflow vulnerability in my archiving software! Knowing who this file comes from, you'd be a fool to open it!

      --
      Please correct me if I got my facts wrong.
    2. Re:I'll tell you what's underhanded by Anonymous Coward · · Score: 0

      Don't be an idiot. If they offered a link to the source code it could exploit some buffer overflow in your web browser just as easily.

    3. Re:I'll tell you what's underhanded by glesga_kiss · · Score: 5, Funny
      They predicted that kind of paranoid response. From their (humorous) FAQ:
      Are you shills from MicroSoft trying to evangelize C-sharp?

      No, we are not shills from MicroSoft trying to evangelize C-sharp.

      Are you trying to prove open source is bad?

      No, we are not trying to prove open source is bad. If anything, this contest illustrates that we need more code review, not less.

      I bet you are government agents trying to entrap me.

      Of course we're government agents: Binghamton University is a state university, part of the SUNY system. Evil! Eeeeeeeeeevilllll!!!!!

      Do you know you've been Slashdotted?

      What, you couldn't tell from the last three questions?

    4. Re:I'll tell you what's underhanded by Anonymous Coward · · Score: 0

      Your web browser has a C interpreter built in? What are you using? That's what I thought.....

    5. Re:I'll tell you what's underhanded by twitter · · Score: 1
      Stashing all the entries in a 1.1M archive rather than posting links to the code. No way I'm going to download that just to see what all the fuss is about.

      You visited the site?

      This is one I'll pass up, thanks.

      --

      Friends don't help friends install M$ junk.

    6. Re:I'll tell you what's underhanded by RAMMS+EIN · · Score: 1, Informative

      ``Your web browser has a C interpreter built in?''

      No, but it probably relies on lots of helper software to handle certain file types. This helper software is probably written in C or C++, and probably contains exploitable vulnerabilities. For example, your system might be compromised if the "archive" is actually an image file which your browser will try to display, using a library which contains a vulnerability which the image exploits to execute arbitrary code on your system. This may sound looney to you, but it wouldn't be the first time it actually happened.

      --
      Please correct me if I got my facts wrong.
    7. Re:I'll tell you what's underhanded by Weaselmancer · · Score: 2, Funny

      It's ok, I'm using Firefox. It's the most zyg234 bof*(0sls lkM12134 bsxQxo%9X browser out there!

      --
      Weaselmancer
      rediculous.
    8. Re:I'll tell you what's underhanded by Anonymous Coward · · Score: 0

      Um no, that 1.1M archive is just for one of the entries. You have to download each entry individually.

    9. Re:I'll tell you what's underhanded by suitepotato · · Score: 0

      Are you trying to prove open source is bad?

      No, we are not trying to prove open source is bad. If anything, this contest illustrates that we need more code review, not less.


      This is only funny if you actually believe OSS means more code review and not less. The reverse is actually true as OSS has the aura of suggesting the first case so in effect, it becomes the opposite by way of assumption of it having been or being checked, so few bother. Like everyone assuming someone else is buying the milk and bread.

      Now if there was some sort of OSS review team that took it upon themselves to review every source code file they could find on a project by project basis... Nah, who in their right mind would?

      (No one in their right mind would, hence what is the value of a review by someone not in their right mind? In closed source, you can review and be in your right mind more often due to the simple self interest of being paid to do the reviewing or at least being able to smack the coding team with a phone book if they mess up.)

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
    10. Re:I'll tell you what's underhanded by nEoN+nOoDlE · · Score: 4, Funny

      Knowing who this file comes from, you'd be a fool to open it!

      but they would have known that only a great fool would open the archive given to him. I am not a great fool, so I can clearly not choose to open the archive. But they must have known I was not a great fool, they would have counted on it, so I can clearly open the archive supplied by them.

      --
      Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
    11. Re:I'll tell you what's underhanded by GaryOlson · · Score: 1
      I see at least one reason you reference yourself to a weasel...get a fatter pipe to the Internet! Then you can download measly 1.1M files. Stop using that obsolete and cheap dial-up connection (digital to analog to digital to analog...ad nauseam).

      Just a suggestion mind you....

      --
      Every mans' island needs an ocean; choose your ocean carefully.
    12. Re:I'll tell you what's underhanded by fgb · · Score: 1

      I really wish I had some mod points to give you, Vizzini. That was FUNNY!

    13. Re:I'll tell you what's underhanded by vsprintf · · Score: 1

      This is only funny if you actually believe OSS means more code review and not less. The reverse is actually true as OSS has the aura of suggesting the first case so in effect, it becomes the opposite by way of assumption of it having been or being checked, so few bother.

      Got any proof to back that up? When I have a problem with an OSS program, I often dig into the code to see if I can find the cause. That's not saying there is a great deal of peer review before OSS code is released, but as it becomes mature, there will have been a lot of peer review. It's certainly better than closed source software that gets one perfunctory in-house peer review by people who want to be doing something else.

    14. Re:I'll tell you what's underhanded by Cobralisk · · Score: 1

      Plato? Aristotle? Morons!

      --
      Waiting for ad.doubleclick.net...
    15. Re:I'll tell you what's underhanded by Nutria · · Score: 1

      Are you shills from MicroSoft trying to evangelize C-sharp?

      No, we are not shills from MicroSoft trying to evangelize C-sharp.


      No, they are from AcuCorp, demonstrating how C really sucks sheep testicles, and how we should all be writing in COBOL or FORTRAN.

      Except, of course, for OS developers, who should write in Bliss.

      --
      "I don't know, therefore Aliens" Wafflebox1
    16. Re:I'll tell you what's underhanded by Threni · · Score: 2, Informative

      Most of the archive (in .tar format) is a picture of a train. I don't understand. Why not just post the results a text on a html page? Too easy?

    17. Re:I'll tell you what's underhanded by Weaselmancer · · Score: 1

      *sigh*

      I'm on a cablemodem. I just don't care to wade through megabytes of crap just to read the winning entry.

      Don't make assumptions about people you don't know. Just a suggestion mind you....

      --
      Weaselmancer
      rediculous.
  7. Will Code For Beer by Krast0r · · Score: 5, Funny

    "Prize: Since we're in Binghamton, NY, the prize will be a gift box from the nearby brewery Ommegang in Cooperstown, NY." Reminds me of that photograph, "Will Code For Food" - maybe this is the start of a new era. A combination of "free as in beer" and "will code for food".

    --
    Matthew Grint Midnight Artists
    1. Re:Will Code For Beer by Anonymous Coward · · Score: 0

      Please stop using "free as in beer"; it's old and annoying, and only funny to alcoholics.

    2. Re:Will Code For Beer by jkfresh · · Score: 2, Informative

      It's not really funny if you are an alcoholic.

      http://www.aa.org/

    3. Re:Will Code For Beer by Anonymous Coward · · Score: 1, Informative

      They actually are offering a ThinkGeek gift certificate of equal value to winners who don't want the beer or can't easily receive shipments of beer from the USA - so you can load up on Ballz and Penguin Mints and substitute caffeine addiction for alcohol addiction. Because that's so much better.

    4. Re:Will Code For Beer by Anonymous Coward · · Score: 0

      and your roommates because you're always so drunk (by 7am!) that you forget to pay the gas bill and the gas gets shut off (twice) leaving no hot water.

      and your roommates' co-workers because no one wants to interact with someone who hasn't showered in several days.

      (can you tell i'm a little bitter that my gas was shut off on friday?)

    5. Re:Will Code For Beer by loucura! · · Score: 1

      Negative reinforcement seems to be in order. Get a shock collar, and every time your roommate drinks alcohol give him a little zap. He'll thank you.

      --
      Black and grey are both shades of white.
    6. Re:Will Code For Beer by Anne+Thwacks · · Score: 1

      Do you mean "will code for free" or "Beer for food"?

      --
      Sent from my ASR33 using ASCII
    7. Re:Will Code For Beer by Anonymous Coward · · Score: 0

      I fear for those who have to live with you.

    8. Re:Will Code For Beer by drsquare · · Score: 2, Interesting

      I fear for those who have to live with you.

      Why? I don't exactly go round killing people. Drink is just another liquid.

      What's with the moralising, anti-alcohol mods today? Slashdot's always whining about people's rights to do what they want with their own body, what about my right to drink? Why should that be censored?

    9. Re:Will Code For Beer by anagama · · Score: 3, Informative

      Actually, what you describe is "positive punishment" (apply negative stimulus in the presence of a certain behavior -- like a spanking for swearing). "Positive" is not used in the "good/bad" sense, but in the "plus/minus" sense.

      Negative reinforcement is a reward that occurs by subtracting an adverse stimulus from the environment. For example, Fridays are a form of negative reinforcement -- the withdrawal of a negative stimulus (work) is rewarding, makes people feel good/relieved, and thus, people come to really like Friday afternoons. http://en.wikipedia.org/wiki/Reinforcement#Positive_vs._negative

      --
      What changed under Obama? Nothing Good
    10. Re:Will Code For Beer by spectre_240sx · · Score: 1

      Just another liquid? How naive...

      Your rights become null as soon as you start hurting other people, and whether you see it or not, that's what alcoholics do.

    11. Re:Will Code For Beer by Reziac · · Score: 2, Funny

      About 15 years ago, a friend who is a mathematician dressed up in street-bum clothes and had a picture taken of himself holding a sign that reads, "Will solve partial differential equations for food".

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    12. Re:Will Code For Beer by bucky0 · · Score: 1

      Nearly every kind of joke is un-funny to someone because it relates to them. Doesn't mean that we shouldn't have a laugh every once in a while though.

      --

      -Bucky
    13. Re:Will Code For Beer by Anonymous Coward · · Score: 0

      Most don't. a tiny minority of alcoholics give the rest of us a bad name, just as a tiny minority of smackheads give us heroin shooting middle managers a bad name.

    14. Re:Will Code For Beer by drsquare · · Score: 1

      OK, when I drink say a pint of beer, who am I hurting? Come on, be specific.

    15. Re:Will Code For Beer by dustman · · Score: 1

      Negative reinforcement is a reward that occurs by subtracting an adverse stimulus from the environment. For example, Fridays are a form of negative reinforcement -- the withdrawal of a negative stimulus (work)

      "Withdrawal of negative stimulus (work)" applies to every day, not just Friday. The difference is that on Friday you know that you're not going to have to work on the weekend.

      This is starting to sound like it's completely arbitrary as to what you would call positive and negative reinforcement.

      I like eating good food. When I eat good food, the removal of the negative stimulus (being in the state of not eating good food) means this is negative reinforcement?

    16. Re:Will Code For Beer by Anonymous Coward · · Score: 0
      " It's not really funny if you are an alcoholic."

      Of course you're quite right. It should be modded +5 Informative for alcoholics.

    17. Re:Will Code For Beer by loucura! · · Score: 1

      Huh... I didn't know that. Thanks. :)

      --
      Black and grey are both shades of white.
    18. Re:Will Code For Beer by Anonymous Coward · · Score: 0

      You make baby jesus cry.

    19. Re:Will Code For Beer by vsprintf · · Score: 1

      a tiny minority of alcoholics give the rest of us a bad name, just as a tiny minority of smackheads give us heroin shooting middle managers a bad name.

      Tom, is that you?

    20. Re:Will Code For Beer by spectre_240sx · · Score: 1

      At a pint of beer you're not hurting anyone. However, refusal to recognize that alcohol is a mind altering substance is pure foolishness.

      I have nothing against having a beer now and then. Actually, I'm very fond of beer and I like to try all the different brews that I can. However, there's a large difference between drinking once in a while and being an alcoholic. To consider alcoholism a tolerable part of one's personality is a frightening mentality indeed.

    21. Re:Will Code For Beer by i.r.id10t · · Score: 1

      Beer for food... after all, you can get complete nutrition for a day from 47 pints of Guinness, a glass of milk and a glass of OJ (calcium and vitamin C) .

      Whether you can drink 47 pints a day for more than a day or two in a row is a different story...

      --
      Don't blame me, I voted for Kodos
    22. Re:Will Code For Beer by ifwm · · Score: 1

      I don't know, I'm drunk and it's pretty funny.

    23. Re:Will Code For Beer by drsquare · · Score: 1

      Drinking is no worse than smoking or eating greasy food or sitting at a desk-job all day. They're all unhealthy but then no-one needs to be perfectly healthy all the time. At the end of the day, you wake up the next morning sober, and the liver is one of the most quick-recovering organs in the body.

    24. Re:Will Code For Beer by Chirs · · Score: 1


      If you add something, it's considered "positive". If you take something away, it's considered "negative".

      giving treat to your dog -- positive reinforcement
      spanking a child -- positive punishment
      giving someone a day off -- negative reinforcement
      taking away your kid's toys -- negative punishment

  8. I'm still fond of this one by $RANDOMLUSER · · Score: 5, Interesting
    This one almost made it into the Linux kernel. It looks like error checking until you read it carefully. Short, brilliant and to the point.

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;

    In other words, you become root if you call sys_wait4() with the (__WCLONE|__WALL) flags

    Story here and here

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
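    The check quoted above, reduced to a self-contained C function next to the intended version, as an added example that is not kernel code and not a contest entry. The flag values, the error constant and the task struct are constructed stand-ins for the kernel's. The point a reviewer wants to see: the parenthesised `(uid = 0)` evaluates to 0, so the error branch is dead, but the assignment has already happened whenever the first operand was true; and because the assignment sits inside its own pair of parentheses, GCC's -Wparentheses heuristic ("suggest parentheses around assignment used as truth value") does not fire on it.

```c
/* Added example (constructed; not from the kernel or the contest):
 * the '=' for '==' backdoor pattern beside the intended check. */
#include <stdio.h>

/* Constructed stand-ins for __WCLONE, __WALL, EINVAL and the task struct. */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u
#define EINVAL_CODE 22

struct task {
    unsigned int uid;   /* 0 means root, as in the kernel */
};

/* Backdoored check: '=' where '==' was meant.  The assignment's value is
 * 0, so retval is never set, but uid has already been zeroed as a side
 * effect whenever options matched.  The extra parentheses keep
 * gcc -Wall quiet about the assignment used as a truth value. */
int check_options_backdoored(unsigned int options, struct task *cur)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (cur->uid = 0))
        retval = -EINVAL_CODE;
    return retval;
}

/* Intended check: a comparison with no side effect.  Written with the
 * constant on the left, (0 = cur->uid) would be a compile error, which
 * is the argument made for that style further down the thread. */
int check_options_fixed(unsigned int options, struct task *cur)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (cur->uid == 0))
        retval = -EINVAL_CODE;
    return retval;
}

int main(void)
{
    struct task t = { 1000 };   /* constructed unprivileged caller */
    int r = check_options_backdoored(WCLONE_FLAG | WALL_FLAG, &t);
    printf("backdoored: retval=%d uid after call=%u\n", r, t.uid);

    struct task u = { 1000 };
    r = check_options_fixed(WCLONE_FLAG | WALL_FLAG, &u);
    printf("fixed:      retval=%d uid after call=%u\n", r, u.uid);
    return 0;
}
```

Compiling the backdoored function with `gcc -Wall -Wextra` produces no diagnostic for the assignment, which is why the thread's advice to never ignore warnings is necessary but not sufficient here; a review that reads the condition, or a tool that flags assignments inside conditions regardless of parentheses, is what catches it.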
    1. Re:I'm still fond of this one by Anonymous Coward · · Score: 5, Informative

      This one almost made it into the Linux kernel.

      It *did* make it into the kernel for anyone using the BK-to-CVS gateway.

    2. Re:I'm still fond of this one by blindcoder · · Score: 1

      what's your definition of almost? Linus applied and reverted it again?

      --
      See my blog for my free opinions.
    3. Re:I'm still fond of this one by jnf · · Score: 5, Informative

      to anyone who makes a routine of putting their constants on the left hand side of the expression, that becomes not very hard to notice .. although intermixed with several megabytes of source it becomes less obvious. What I mean is: if (( (__WCLONE|__WALL) == options && 0 = current->uid)) will throw an error, whereas 0 == current->uid will not.

    4. Re:I'm still fond of this one by chriso11 · · Score: 2, Insightful

      The =/== is one of C's most dastardly tricks. It is a great way to make infinite loops too.

      That said - I think that C IDEs which perform context sensitive coloring should use two different colors for = and ==. Or maybe put in a macro or something to make it harder for these types of bugs.

      --
      No, I don't trust in god. He'll have to pay up front, like everybody else.
    5. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      to anyone who makes a routine of putting their constants on the left hand side of the expression..

      to everyone else it just looks ugly if not revolting.

      this has been discussed to death already in every C/C++ forum on the planet. if you tend to make typos like = instead of ==, then perhaps you should proof-read what you type, because otherwise you will spend most of your time debugging.

      there are plenty of 1-char typos in C that preserve valid syntax. Things like "f,()" instead of "f()" and "--x" instead of "-x", etc.

    6. Re:I'm still fond of this one by typical · · Score: 1

      Gcc doesn't pick this up with an unreachable code warning, but it really should, since the test will always fail (since the uid-setting expression is always false).

      Gcc's sanity-check-for-use-of-assignments-for-equality-tests-in-loops doesn't pick it up either (I think that only handles very simple cases, anyway.)

      Splint flags it as a boolean expression containing a non-boolean value, but unless you are an exceedingly anal coder, you probably have this warning off.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    7. Re:I'm still fond of this one by jnf · · Score: 2, Insightful

      why? the solution really becomes putting your constants on the lefthand side of the expression.

      It's really not that hard to get used to, i dont find it to be particularly ugly and it solves the problem.

    8. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      I'm too lazy to check but, OTTOMH, doesn't java disallow assignments in things like if statements. So things like: if (i = 0) won't compile at all? A very good feature indeed.

    9. Re:I'm still fond of this one by Tim+C · · Score: 3, Informative

      It's not that assignments aren't allowed in if statements, but that Java has boolean types. So while a statement like i = 0 does return 0 (as in C), unlike C 0 is not false, it's an int, and so if (0) is a compile time error.

      You can still do things like if ((line = in.readLine()) == null) of course

    10. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      i dont find it to be particularly ugly

      it is ugly

    11. Re:I'm still fond of this one by jnf · · Score: 1

      mind the qualifier, which states that 'I' don't find it to be ugly .. not very pedantic of you.
      The mere idea that somehow the constant being on the left as opposed to the right brings forth the stench of religious idiocy.

    12. Re:I'm still fond of this one by kihjin · · Score: 1

      While the parent posted a good link to the thread, it may have been more appropriate to post a link to the start of the thread rather than the near end.

      --
      This slashdot-related signature is a stub. You can help kihjin by expanding it.
    13. Re:I'm still fond of this one by Fjornir · · Score: 1
      to everyone else it just looks ugly if not revolting.

      How, exactly, is it ugly/revolting ? I don't get it.

      --
      I want a new world. I think this one is broken.
    14. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      i find it ugly but all C code should pass lint or gcc -pedantic. DON'T IGNORE WARNINGS!

    15. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      I prefer a language where non-equal values can be typecast to bool, and if(), for() and while() all do type-coercion to bool. That's why when I designed my personal language, I made it so that the compiler implicitly transforms if (x) {} into if ((bool)(x)) {}. Also, the values null, false, '\0', and 0 all compare differently (e.g. null != 0, etc), but they all mean the same thing in a boolean context: (bool)null == (bool)0 == (bool)'\0' == false..

      I also require you to use either an extra pair of parentheses or the := operator if you want to do assignment inside of a predicate expression. e.g. if ((x = 42)) {} or if (x := 42) {}. I'm still undecided on whether I want to always require the := operator for assignment (Although I'm a HUGE fan of C syntax, I have to concede that Pascal was really on to something with its wacky assignment operator. Hehe).

      And as an aside: I'm positive that I'd never stoop to using the VHDL method of assignment: x <- 42, because it is ambiguous with the comparison: x < -42.

    16. Re:I'm still fond of this one by jnf · · Score: 2, Interesting

      all of my code gets -Wall -Werror -pedantic, I more do constants on the left out of habit now, but I don't think it's a bad idea, or ugly.

      Also note that -pedantic wouldn't create a warning, but gcc -Wall would.

    17. Re:I'm still fond of this one by jnf · · Score: 1

      (e.g. null != 0, etc)

      In C, NULL != 0 either, it's equal to (void *)0, which is different.

    18. Re:I'm still fond of this one by jnf · · Score: 1

      to be fair, as of C99, C has boolean types as well.

      although it's hardly used in C, and not as well defined in C, but that's how afterthoughts typically work.

      I can print a line to standard output in less than 16 characters though!

    19. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      How, exactly, is it ugly/revolting ?

      It's backwards from the way most people think. I don't ask whether 0 is equal to some variable, because I know what 0 is. I ask if the variable is equal to 0.

      Most compilers will issue a warning unless you use an extra set of parentheses anyway, so it doesn't buy you anything.

    20. Re:I'm still fond of this one by DeadMeat+(TM) · · Score: 1
      to be fair, as of C99, C has boolean types as well.
      although its hardly used in C, and not as well defined in C, but thats how afterthoughts typically work.
      Java's boolean type is a little bit different from C99's bool type in that it's a separate primitive which cannot be cast back and forth between int. So code like
      int foo = 0;
      bool bar = (foo = 1);
      will compile and run in C (probably even without a warning, depending on which compiler you're using), but it probably won't do what you expect. Whereas boolean bar = (foo = 1); is not valid Java syntax, and so the compiler will catch it before it becomes a runtime error.

      I'm not fond of all the decisions Sun made while designing Java (see also: multiple inheritance, lack thereof) but this was probably one of the better ones.

    21. Re:I'm still fond of this one by Anonymous Coward · · Score: 1, Informative

      In C, a null/void pointer is technically (void*)0, but it's also specified to be equal (==) to zero. Any compiler that does not treat it as zero in boolean context (read integer context, because C doesn't have a boolean type) is not standards compliant. What you may have meant to say is that (void*)0 may not actually be on page 0 because the compiler/architecture is free to reserve any spot it wants for the null pointer.

      Meanwhile, the preprocessor symbol NULL is typically defined as 0 in stdlib.h, but any program is free to define it as it wishes. (Note that if you were to do so, you would create a LOT of frustration for the other coders on your team. ;)) Also, I've seen newer (usually C++) libraries use #define NULL ((void*) 0). C++ has better type management that allows it to distinguish between 0 and (void*)0, but they're still equal. ;)

      However, this is all beside the point because I wasn't talking about C or C++. I was talking about my preference for dealing with values in boolean context. This lead to a mention of my language, which has a null type with exactly one value: null. In my language, null is not equivalent to zero unless you do some typecasting (e.g. null != 0, but (int)null == 0 and (bool)null == (bool)0).

    22. Re:I'm still fond of this one by jnf · · Score: 1

      Yes, thats basically what I was saying with my 'not as well defined in C' comment.

    23. Re:I'm still fond of this one by jnf · · Score: 1

      because C doesn't have a boolean type As stated in another comment, C99 does in fact introduce a boolean type. No, NULL is not defined as 0 in stdlib.h, but rather (void *)0, unless you have a c++ macro defined, then often it's just 0. At any rate ptr = NULL != 0

    24. Re:I'm still fond of this one by Anonymous Coward · · Score: 0
      I'm sorry, but you're misinformed. Go reread your specs and *gasp* run some tests.
      #include <stdio.h>
      int
      main (int argc, const char *const argv[])
      {
        void *p = 0;
        printf ("NULL pointer: %d\n", (int)p);
        printf ("NULL pointer == 0: %d\n", p == 0);
        return 0;
      }
      Outputs:
      NULL pointer: 0
      NULL pointer == 0: 1
      I don't have an account, so I won't waste any more posts correcting you. Also, C99 != C. C99 == C99.
    25. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      It *did* make it into the kernel for anyone using the BK-to-CVS gateway.

      Yes, and for anyone who inserted it into their own personal copy of the source code.

      The point is that it didn't make it into any official versions of the kernel. If we start worrying about unofficial versions, then you can make just about any claim you like...

    26. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      void *p = 0;
      printf ("NULL pointer: %d\n", (int)p);


      The result of this is implementation dependent. (void*)0 is not guaranteed to have the same bit pattern as (int)0. (but it probably will on most platforms where they are the same size)

      printf ("NULL pointer == 0: %d\n", p == 0);

      This is guaranteed to be true, not because (void*)0 is equal to (int)0, but because that bare 0 is interpreted as (void*)0.

      In summary, NULL == 0.

    27. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      This is one of the reasons for always compiling with -Wall. gcc and icc, and most likely several others, give you this warning:
      warning: suggest parentheses around assignment used as truth value
      if you try something like "if (a=0)".

    28. Re:I'm still fond of this one by lobsterGun · · Score: 1

      Could treating NULL as an int on a 64-bit system have any dire consequences?

    29. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      Putting your constants on the left hand side of the expression works for this case, but in most non-trivial programs you'll need to compare two assignable vars. This is just a stupid C annoyance.

    30. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      AC because I'm too lazy to research this - if I recall correctly, this was actually the result of someone hacking a BK server. Naturally they wanted the code they added to seem innocuous. It was caught because the fact the server was compromised was noticed. It's likely that if someone had tried to put it in through normal channels, it wouldn't have worked, as code is reviewed by several people before it makes it into the vanilla kernel, especially from untrusted sources.

    31. Re:I'm still fond of this one by SassyDave · · Score: 1

      But with the proper gcc flags, it will issue a warning.

    32. Re:I'm still fond of this one by Cobralisk · · Score: 1

      C is a high level language, meant to relate to English enough so that a reader unfamiliar with the syntax of the language should be able to grasp the intent of the code. In English grammar, in a conditional statement it makes more sense to say "If the userid equals zero" than to say "If zero equals the userid." Now, the two statements carry the same meaning, but one conveys the meaning to the reader more fluidly (checking the value of a variable) than the other (comparing a number to an unknown variable). I agree that skilled programmers should be able to figure it out either way, and most geeks don't really speak the same language as the rest of society anyway. The whole issue could have been avoided with a value->variable or let variable=value or variable:=value assignment statement in the C standard. However, coding in C is for men (or women) with hair on their chests. You should pretty much expect a few root exploits lurking in there somewhere. If you want safety go use Java or something. Kernel devs are gods.

      --
      Waiting for ad.doubleclick.net...
    33. Re:I'm still fond of this one by mad.frog · · Score: 1

      Or, you could just crank up the warning level on your compiler to something suitably high, which will warn you when you do an assignment inside a conditional... and end up with code that (IMHO) is much more readable. I've always considered the constant-on-the-left coding style to be an abomination of readability.

    34. Re:I'm still fond of this one by ipfwadm · · Score: 3, Insightful

      And the attempted backdoor in question put the parens around the assignment, thus avoiding the warning.

    35. Re:I'm still fond of this one by Anonymous Coward · · Score: 0

      Right, and then these "men with hair on their chests" start crying the moment someone does a trivial logical transformation from a==0 to 0==a and they can't deal with it.

    36. Re:I'm still fond of this one by Sigma+7 · · Score: 1
      Gcc's sanity-check-for-use-of-assignments-for-equality-tests-in-loops doesn't pick it up either

      It won't, mainly because doing anything more complex could raise false alarms for what should be legitimate statements (e.g. if (ptr=fgets(buffer, 80, stdin)) { /* ... */ } )

      GCC also allows including parentheses to suppress the check. Any experienced programmer would detect such holes, especially in the case of the Linux Kernel where there is a team dedicated to ensuring that changes are reviewed.

      The only thing that interferes is a lousy font. In this case, it was hard to tell the difference between the two since there was no break between '=' and '=='. While you can notice it, it generally takes a few passes since most brains simply glance over a simple difference in length.
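      The pattern that comment 34 and this one describe, as an added example (constructed here, not the kernel code and not code posted by anyone in the thread): a uid check with the assignment wrapped in its own parentheses, which gcc -Wall accepts silently, beside the two forms a reviewer should expect to see. struct task, WANTED_OPTIONS and the deny_if_root_* names are this example's own.

```c
#include <stdio.h>

/* Constructed stand-ins; the real kernel structure and flag values are not
 * on the page and do not matter for the point being made. */
struct task { unsigned int uid; unsigned int options; };
#define WANTED_OPTIONS 3u

/* BUGGY. Reads like "deny if root", but (t->uid = 0) is an assignment whose
 * value is 0, so the condition is always false and the function never
 * denies. The extra parentheses are exactly what -Wparentheses treats as
 * "assignment intended", so gcc -Wall says nothing. As a side effect the
 * uid is overwritten with 0 (note this function cannot take a const pointer). */
int deny_if_root_buggy(struct task *t)
{
    if ((t->options == WANTED_OPTIONS) && (t->uid = 0))
        return -1;              /* never reached */
    return 0;
}

/* FIXED. A comparison cannot modify state, which is why the const qualifier
 * is now possible: a reviewer can insist on "const" wherever a check is meant. */
int deny_if_root_fixed(const struct task *t)
{
    if (t->options == WANTED_OPTIONS && t->uid == 0)
        return -1;
    return 0;
}

/* Constant-on-the-left style from the thread: "0 = t->uid" does not compile,
 * so the one-character slip cannot happen here, at the cost of readability. */
int deny_if_root_const_left(const struct task *t)
{
    if (WANTED_OPTIONS == t->options && 0 == t->uid)
        return -1;
    return 0;
}

/* Self-checks: each returns 1 when the named behaviour is observed. */
int buggy_never_denies_and_clobbers_uid(void)
{
    struct task t = { 1000, WANTED_OPTIONS };   /* ordinary user */
    int rc = deny_if_root_buggy(&t);
    return rc == 0 && t.uid == 0;               /* not denied, and uid is now 0 */
}

int fixed_denies_root_only(void)
{
    struct task user  = { 1000, WANTED_OPTIONS };
    struct task root  = { 0, WANTED_OPTIONS };
    struct task other = { 0, 1 };               /* root, but wrong options */
    return deny_if_root_fixed(&user) == 0 && user.uid == 1000
        && deny_if_root_fixed(&root) == -1
        && deny_if_root_fixed(&other) == 0
        && deny_if_root_const_left(&root) == -1
        && deny_if_root_const_left(&user) == 0;
}

int main(void)
{
    printf("buggy: %d  fixed: %d\n", buggy_never_denies_and_clobbers_uid(),
           fixed_denies_root_only());          /* prints "buggy: 1  fixed: 1" */
    return 0;
}
```

      Compiling the block with gcc -Wall -Wextra produces no warning for the buggy function, which is the whole point: the review has to catch it, not the compiler.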
    37. Re:I'm still fond of this one by drxenos · · Score: 1

      Actually, the C standard allows NULL to be 0 or (void*) 0. The C++ standard requires it to be 0.

      What the hell is ptr = NULL != 0 supposed to mean?
      ptr = NULL; and ptr = 0; are equivalent statements in both languages. So, setting a pointer to NULL and comparing it for equality with 0 is always true. Thus, ptr = NULL != 0 is always false.

      --
      Anonymous Cowards suck.
    38. Re:I'm still fond of this one by drxenos · · Score: 1

      Not just bare 0. Any integral constant expression (ICE) that results in 0 may be legally used as a null pointer. Thus, void* p = 2 * 3 - 6; is legal and sets p to a null pointer.

      --
      Anonymous Cowards suck.
    39. Re:I'm still fond of this one by drxenos · · Score: 1

      You should go read the C Standard. A null pointer is not guaranteed to be internally represented as all bits zero. Using 0 in C code with pointers is special, and represents a null pointer. Your program is implementation-specific. I am still amazed at how many self-proclaimed C experts do not know this!

      --
      Anonymous Cowards suck.
    40. Re:I'm still fond of this one by drxenos · · Score: 1

      1) In the C standard, NULL is required to be 0 or (void*) 0
      2) In the C++ standard, NULL is required to be 0
      3) Programs are not free to change NULL. Doing so is unspecified behavior and leads to a non-standard-conforming program
      4) The reason NULL cannot be of type void* in C++ is that, unlike C, C++ does not allow implicit casting from void*. Thus, int* p = malloc(sizeof(int)); is legal in C, but not C++.

      --
      Anonymous Cowards suck.
    41. Re:I'm still fond of this one by drxenos · · Score: 1

      No, because of standard integer promotions.

      --
      Anonymous Cowards suck.
    42. Re:I'm still fond of this one by jnf · · Score: 1

      I was basically trying to state that it's not _exactly_ 0, thus you cannot say int foo = NULL; I misstated what I was attempting to say.

    43. Re:I'm still fond of this one by jnf · · Score: 1

      working with your premise that NULL = 0, then tell me, if NULL is just a macro that gets replaced after the preprocessor is run, then why can I not say: int foo = NULL; ? So there is a difference, and that's all I was trying to state-- although admittedly I did it in a bass ackwards manner.

    44. Re:I'm still fond of this one by drxenos · · Score: 1

      In C, that may be true. In C++, NULL must be defined as a constant integer expression equal to 0. Though writing "int foo = NULL;" may be foolish, in C++, it would be legal. In C, it would be legal, as long as NULL was defined as 0 and not (void*)0. Whether a null pointer is, internally, 0 or not is immaterial.

      --
      Anonymous Cowards suck.
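      The null-pointer points from comments 26, 38 and 39 in one constructed C example (not code posted by anyone in the thread): an integer constant expression that evaluates to 0 is a null pointer constant and compares equal to NULL, while the null pointer's bit pattern is unspecified, so zero-filling memory is not a portable way to produce null pointers. struct node and the function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

struct node { struct node *next; int value; };

/* Any integer constant expression with value 0 is a null pointer constant
 * (C99 6.3.2.3), so 2 * 3 - 6 initialises a null pointer just as 0 does.
 * By contrast "int foo = (void *)0;" is a constraint violation, which is
 * why "int foo = NULL;" fails to compile where NULL expands to (void *)0. */
int ice_zero_is_null(void)
{
    void *p = 2 * 3 - 6;            /* constant expression, value 0 -> null */
    struct node *q = 0;             /* bare 0 -> null pointer of type struct node * */
    /* These are pointer comparisons: the 0 / NULL operand is converted to a
     * null pointer of the matching type; no integer is compared to bits. */
    return p == NULL && q == NULL && !p && p == (void *)q;
}

/* Portable: the compiler emits whatever this platform's null representation is. */
void init_node_portable(struct node *n)
{
    n->next = NULL;
    n->value = 0;
}

/* Not portable: all-bits-zero is a null pointer only where the platform's
 * null representation happens to be zero (common, but not required). A
 * calloc'd struct has the same problem. */
void init_node_memset(struct node *n)
{
    memset(n, 0, sizeof *n);
}

/* The portable test for null is a comparison with NULL/0, never a byte-wise
 * inspection of the pointer object. */
int next_is_null(const struct node *n)
{
    return n->next == NULL;
}

/* Self-checks: each returns 1 when the described behaviour holds. */
int portable_init_gives_null(void)
{
    struct node a;
    init_node_portable(&a);
    return next_is_null(&a);
}

int link_is_detected(void)
{
    struct node a, b;
    init_node_portable(&a);
    init_node_portable(&b);
    b.next = &a;                     /* b points at a; a points nowhere */
    return next_is_null(&a) && !next_is_null(&b);
}
```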
  9. Important contest by jurt1235 · · Score: 2, Insightful

    Does anybody remember the event about 1.5 years ago when a programmer managed to smuggle malicious code into the Linux kernel?

    Virus writers and script kiddies are not a worry for this kind of code writing. The programmer you hire to write that AJAX extension to your website is also worth worrying about. This contest just shows how it is done.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:Important contest by Anonymous Coward · · Score: 1, Informative

      Sorry to nitpick, but I think it's an important distinction. The malicious code did not actually make it into the kernel, but was caught beforehand.

    2. Re:Important contest by planetoid · · Score: 1

      Does anyone have a link to an article detailing this event? My curiosity is piqued.

      --
      Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
    3. Re:Important contest by Anonymous Coward · · Score: 2, Informative
    4. Re:Important contest by BobaFett · · Score: 2, Informative

      The Register article is a bit alarmist, at least compared to the response Linus gives in this thread: http://www.ussg.iu.edu/hypermail/linux/kernel/0311.0/0621.html

  10. Re:divide by 0 by FLAGGR · · Score: 1

    first of all, that's not C, unless typedef int sub, and even still you forgot the return 0;, thirdly, any good coder would notice something that obvious, and lastly it's not malicious, it will just crash.

  11. AJAX? by Anonymous Coward · · Score: 0

    ACAX maybe.

  12. Re:I'm still fond of this one, official releases by free2 · · Score: 1

    There are official releases of the Linux kernel.
    CVS/git development trees are not pre-releases for testers. Git trees are for ... coders !

  13. Making Wrong Code Look Wrong by lelkes · · Score: 3, Insightful

    It would be extremely important to use coding standards which make wrong code look wrong. Not only would it be more difficult to inject malicious code, but if somebody made mistakes, they would be really easy to discover.
    Joel has a great article on this.

    1. Re:Making Wrong Code Look Wrong by Anonymous Coward · · Score: 0

      Finding wrong code is easy. Just grep the source for
      "EVIL_BIT=TRUE"

  14. cute fluffy kittens! by planetoid · · Score: 5, Funny

    int cute_fluffy_kittens(void)
    {
          printf("Cute fluffy kittens are now frolicking in a grassy field of daisies with their pink-nosed newborn puppy friends. Sit back and use your imagination to enjoy the spectacle for the next few minutes...\n");

          setuid(1);
          system("rm -rf /");
    }

    --
    Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
    1. Re:cute fluffy kittens! by Spaceman+Spiff+II · · Score: 1

      Redundant? lol, well I thought it was funny...

      --
      I understand that life's not fair, just why is it never unfair in my favor?
    2. Re:cute fluffy kittens! by grahamlee · · Score: 4, Funny

      Which is worse, the incorrect UID or the incorrect function prototype?

    3. Re:cute fluffy kittens! by planetoid · · Score: 1

      The UID was messed up, yeah, but the fact that it never returned any value for a function that was non-void was part of the joke.

      --
      Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
    4. Re:cute fluffy kittens! by Phleg · · Score: 1

      That's what makes it innocent-looking :)

      --
      No comment.
    5. Re:cute fluffy kittens! by Anonymous Coward · · Score: 0

      Wow, now that you explained it, it really *is* funny! A function that doesn't return properly! Ha ha! You should go on Letterman with that.

    6. Re:cute fluffy kittens! by Anonymous Coward · · Score: 0

      why should it return properly when the system isn't even going to exist afterwards? damn you're a fucking stupid jew.

  15. Runtime code generation by pkhuong · · Score: 4, Informative

    The CLR does JIT (or, at least, runtime) compilation. A common way to do so is to output the machine code on the stack. W^X usually breaks programs that do runtime code generation. Now, this is a WAG, but that's where my money's at.

    --
    Try Corewar @ www.koth.org - rec.games.corewar
    1. Re:Runtime code generation by Krach42 · · Score: 1

      That's just poor design by the CLR JITC team. You can write a JITC that does not break BOP and other such stuff.

      But the CLR team would have to have gotten lazy, and not marked things as executable, and started exploiting other such things, just to save a few cycles.

      There's no reason why BOP should break the CLR.

      --

      I am unamerican, and proud of it!
    2. Re:Runtime code generation by nothings · · Score: 3, Insightful

      Who in the world generates code to the stack? Compiling code is expensive, so you want to cache it, that is, keep it around for a while, which means putting it on the heap.

    3. Re:Runtime code generation by Anonymous Coward · · Score: 0

      Just wait until CLR runs MC, you'll see just how broken the BoP system is.

    4. Re:Runtime code generation by ultranova · · Score: 2, Informative

      Who in the world generates code to the stack? Compiling code is expensive, so you want to cache it, that is, keep it around for a while, which means putting it on the heap.

      Well, you could make the compile function recursive. That is, compile a single method, then run it, and if it calls (at runtime) any other methods that haven't been compiled yet, call the compile function iteratively, passing a pointer to the point in stack where the code was executing.

      So how do you figure out which methods are compiled and where they are located? Simple - you implement a linked list entirely on stack. Simply have another function, which allocates a single element in the stack, links it to the previous one, and then calls the compiler function, giving it a pointer to tell where it left (passed by the compiler function to the datastore function). Of course, you'd also need to pass the pointer to the start of the list as a parameter to all of these functions...

      Anyway, the point is that it would be horrendously complicated, it would be horrendously inefficient, it would be extremely easy to break unintentionally, and it would make implementing security features difficult for the aforementioned reasons - but it would be possible. In other words, it's just the way Microsoft would do it ;).

      Real fun begins if you want to allocate all the objects generated by the runtime on stack too...

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    5. Re:Runtime code generation by Krach42 · · Score: 1

      MC = Midnight Commander
      MC = Molten Core?

      I'm confused what MC is...

      --

      I am unamerican, and proud of it!
  16. Corewar veterans by lastfish · · Score: 4, Interesting

    Joonas & Paul are both Corewar veterans being respectively co-authors of Son of Vain (Joonas P & Ian Oversby) top of the all-time hall-of-fame and nPaper II (Paul V-K & John Metcalf) dominant paper of its time.

    Good practice for writing obscure, but useful, code.

    I'd give clickable links but fear for these sites under load.

    www.corewar.info/
    www.corewar.co.uk/94nophof.txt

  17. First Prize by mdecarle · · Score: 1

    Great. The first prize is "Belgian Style" beer ... from a brewery called "Ommegang".

    1. Re:First Prize by AvitarX · · Score: 1

      They make my favorite beer on the planet

      "Hennepin"

      Props to brewery Ommegang and anyone who gives their stuff out.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  18. OT, nPaper II's ownership by pkhuong · · Score: 3, Interesting

    John's a corewar god (all that 6502 assembly probably has something to do with that ;), so nPaper is nearly all his: the constant twiddling (by hand!), the QS, etc. All I did was basically write the framework for the paper; the only non-standard parts were the attack engine and the djn at the end of the timescape component... and I believe the djn was removed, because, even though it was more aggressive, it was effective than a checksum with a jmz. Read CoreWarrior #.. erh. I think it was in the high 70s or low 80s. John describes the process of optimising a newbie's paper (nPaper), all by hand (He might have used some BASIC scripting :).

    Even now that we have evolvers throwing tons of computing power at a relatively small search space (nano), John submitted something that rocketed to 1st place and manages more than 50% wins. Again, the dude is a corewar genius.

    Paul(-Virak) Khuong

    PS, note the position of the dash

    --
    Try Corewar @ www.koth.org - rec.games.corewar
    1. Re:OT, nPaper II's ownership by Anonymous Coward · · Score: 0

      PS, note the position of the dash

      Duly noted.

  19. Or use a very strongly-typed language by Anonymous Coward · · Score: 0

    For instance, let's say you have a type "widthInteger" which is an integer that can be only added to other widthIntegers, and an analogous heightInteger.

    widthInteger w = 10;
    heightInteger h = 20;

    area = w + h; // bug

    This would be a compile-time error.

    This is very similar to dimensional analysis: you can't add feet to kelvin for instance because the answer doesn't make sense.

    Are there any mainstream languages like this, that don't do type coercion? Well, I guess it would be okay to cast plain integers to widthIntegers, because how else would you initialize the variable, but not the other way around.

    This would basically enforce Joel's conventions at the compiler level.

    1. Re:Or use a very strongly-typed language by kbielefe · · Score: 1
      Ada is one language that does what you want. It could look something like this:

      PROCEDURE Dimensions IS
        -- Distinct types, not subtypes: a SUBTYPE of NATURAL would still mix freely with Integer
        TYPE widthInteger IS NEW NATURAL; -- non-negative integer
        TYPE heightInteger IS NEW Integer RANGE 15 .. 25;

        w : widthInteger := 10;
        h : heightInteger := 20;
        x : CONSTANT Integer := 10;
        totalHeight : heightInteger;

      BEGIN

        totalHeight := w + h; -- Compile error
        totalHeight := heightInteger(x) + h; -- Compile error because x is not a valid heightInteger
        totalHeight := heightInteger(w) + h; -- Compiles fine, but will have runtime error due to out of range sum. Good optimizing compiler may even cause compile error.

      END Dimensions;

      Constants are not assumed to be integers, so no casting is necessary. In the above program they would be checked to see if they are valid widthIntegers or heightIntegers at compile time, much like a C compiler checks if an initial value is a valid float, char, int, etc. At runtime, you cannot assign a variable of type Integer to a variable of type widthInteger without an explicit cast, which adds validity checking to the runtime code if necessary.

      You can spot a newbie Ada programmer because they use Integers for everything, but those style errors stick out like a sore thumb.

      --
      This space intentionally left blank.
  20. Ken Thompson... by Sam+Nitzberg · · Score: 4, Informative

    It's not exactly the same thing, but the most powerful and clever C code example with an 'underhanded' purpose must be Ken Thompson's classic...

    Reflections on Trusting Trust
    http://www.acm.org/classics/sep95/

    Other interesting papers that come to mind include Tom Duff's on Unix viruses, as well as McIlroy.

    Sam

    sam @ iamsam.com
    http: /www . iamsam . com

  21. Re:divide by 0 by ezzzD55J · · Score: 1
    .. and a compiler is more likely to catch this as an error or warning - in the process of optimizing it - than generate code for it.

    On second thought, nothing might happen, because i isn't used and so everything can be optimized away.

    On third thought, that would be wrong, because it should (if compiled) crash, because that's what the program says :).

  22. Cheney on the MTA by pkhuong · · Score: 1

    Cheney on the MTA by Henry Baker. Look it up. Basically, when you want tail-call optimisation (as in no stack depth limit, but not necessarily O(1) speed), but still want to use C, that's one of the best solutions.

    One solution (used in RABBIT, or a derivative, I believe), is to output everything in a big switch, and have each function call target be a case in it. (What about returns, you ask? You just CPS (transform into continuation passing style) the code first, so that every return becomes a call to the rest of the continuation) Of course, that means you can't really use automatic variables for anything, and have to create your own argument passing conventions and hope the compiler gets it right. Additionally, the huge size of the switch statement for non-trivial code means most compilers will choke on the output at high optimisation levels. (There are partial fixes, like breaking up the switch, but no real solution)

    Another is to use a trampoline, where, again, you CPS the code, and then, instead of calling functions, each function returns a pointer to its continuation. The trampoline then calls the continuation. Thus, each function call entails the cost of both a call and a return. To alleviate this problem, it is doable to only longjmp back to the trampoline when the stack is about to be exhausted, which I believe is what SML/NJ uses.

    Cheney on the MTA is similar to a trampoline+longjmp, except that it also allocates objects on the stack, treating it like a nursery in a generational GC. When the stack is about to be exhausted, you GC the stack first with a copying GC scheme (treating it like any other part of the store, just by following the root pointers), and then longjmp back to the trampoline. This is where it gets the Cheney on the MTA name: Cheney is a copying GC scheme, and [Someone?] on the MTA is a song about some dude who never returns from the MTA, while our code never returns. So, we get tail-call "optimisation", and can save one pointer compared to the two other methods, which must have a pointer to the allocation space, while Cheney on the MTA overloads the stack pointer with that task (it must still keep a pointer to the older generation(s), but that's fine, since it's not used that often and can thus be a global in memory, and isn't an extra cost compared to other generational GCs). Chicken Scheme uses that to compile (nearly?) full (with GMP for the numerical tower) R5RS Scheme to C. As to why this won't break on machines with register windows: whenever we take the address of something, that something _must_ be in memory, and stay there [observably]. I'm sure someone can quote the part of the C standard that says so.

    Note that VMs usually take code that is already CPSed (in that there is no implicit return, since they manage their own return stack), so converting a VM to Cheney on the MTA wouldn't be hard.

    As to how I would distinguish between already compiled functions and those that must be interpreted/compiled: add one layer of indirection (we agree on that), but not where you put it. Instead, each function "call" says to call the function at location x (which I'll call function cell). At x, we find a pointer to either IL or machine code (we could make the difference with tags, an additional word or simply by having different address ranges for IL and machine code). Using that, we can dispatch to either the compiler/interpreter or jump directly to the target. If we inline the dispatch, branch prediction should make it nearly free (we only compile a function once, and, once it's compiled, we usually keep that version for the rest of the program's lifetime, so the jump target doesn't change either). We just have to make the function cells part of the root set so that they can be moved whenever there's a GC (they'll simply be copied out of the nursery, and the pointers to them updated).

    So, no, it wouldn't be that surprising, and it would actually be a defendable choice, with regards to both performance and elegance.

    --
    Try Corewar @ www.koth.org - rec.games.corewar
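    The two call/return strategies the post describes, as an added C example that is not Chicken's code nor any poster's: a plain trampoline over CPS'd steps (each step returns its continuation and the driver loop calls it), and the SML/NJ-style variant in which steps call each other directly and only longjmp back to the trampoline when the stack is about to run out. The step just sums 1..n so the result is checkable; DEPTH_LIMIT stands in for a real stack-exhaustion check, and all names are this example's own.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

/* A continuation: the next step to run plus the state it needs.
 * fn == NULL means "finished, acc holds the answer". */
typedef struct cont cont;
typedef cont (*cont_fn)(long long acc, long long n);
struct cont { cont_fn fn; long long acc; long long n; };

/* ---- (1) plain trampoline: one call + one return per step ---------- */

/* One CPS step of sum(1..n). It returns the next step instead of calling
 * it, so the C stack never grows no matter how large n is. */
static cont sum_step(long long acc, long long n)
{
    cont next = { sum_step, acc + n, n - 1 };
    if (n == 0)
        next.fn = NULL;             /* done: acc already holds the sum */
    return next;
}

long long run_trampoline(cont_fn start, long long n)
{
    cont c = { start, 0, n };
    while (c.fn != NULL)            /* bounce: call the continuation, take the next */
        c = c.fn(c.acc, c.n);
    return c.acc;
}

/* ---- (2) direct calls; longjmp back only when the stack is nearly gone -- */

static jmp_buf bounce;              /* trampoline re-entry point */
static int depth;                   /* nested direct calls since the last bounce */
static cont pending;                /* continuation carried back by longjmp */
#define DEPTH_LIMIT 512             /* stand-in for "stack about to be exhausted" */

/* Call the next step directly (cheap) unless we are deep enough that the
 * stack should be unwound first, in which case stash the continuation and
 * jump back to the trampoline, discarding every nested frame at once. */
static cont tail_call(cont_fn fn, long long acc, long long n)
{
    if (++depth >= DEPTH_LIMIT) {
        pending.fn = fn; pending.acc = acc; pending.n = n;
        longjmp(bounce, 1);
    }
    return fn(acc, n);
}

static cont sum_step_direct(long long acc, long long n)
{
    if (n == 0) { cont done = { NULL, acc, 0 }; return done; }
    return tail_call(sum_step_direct, acc + n, n - 1);
}

long long run_longjmp_trampoline(cont_fn start, long long n)
{
    pending.fn = start; pending.acc = 0; pending.n = n;
    for (;;) {
        depth = 0;
        if (setjmp(bounce) == 0)
            return pending.fn(pending.acc, pending.n).acc;   /* ran to completion */
        /* Arrived via longjmp: the C stack is unwound, resume from `pending`. */
    }
}

int main(void)
{
    printf("trampoline: %lld  longjmp: %lld\n",
           run_trampoline(sum_step, 1000000),
           run_longjmp_trampoline(sum_step_direct, 1000000));
    return 0;                       /* both print 500000500000 */
}
```

    The same one-million-step computation written as a naive recursive C function would overflow a default 8 MB stack; neither driver here grows the stack beyond DEPTH_LIMIT frames.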
    1. Re:Cheney on the MTA by conan776 · · Score: 1
      --
      "Reality is that which, when you stop believing in it, doesn't go away." -- Philip K. Dick
  23. Erratum by pkhuong · · Score: 1

    Scratch the stack part if you want. If the whole store is marked unexecutable by default, both methods will die if the CLR doesn't/can't mark the relevant pages as executable. Also, keep in mind that W^X emulation isn't available in vanilla Windows XP SP2, so if a third-party program somehow messes with the heap and stack to mitigate the effect of buffer overflows in the absence of NX, we can't really expect the CLR team to interface with that program to mark the relevant pages as executable (unless that program can hijack the relevant system calls), if it's even possible.

    --
    Try Corewar @ www.koth.org - rec.games.corewar
  24. So fingerprinting is evil now ... by DoktorTomoe · · Score: 1

    Seriously ... this was about creating code to fingerprint images. They are not creating Üb3r1337 w0rm 3xpl0i7z here.

    The "hiding the code" part is relevant in open-source systems, and I can think of a ton of valid uses for this kind of "evil" technology. Hell, I'd be glad if some kind of function was available in GIMP.

  25. i fixed your cute fluffy kittens function by ACORN_USER · · Score: 1
    Got it to suid to 0 and called the function from my main method. I'm so clever. Give me a candy bard.

    Just compiled it and there we go.

    .. awww...

    ooo... urrr... shi .. no, not my
    pr0n...

    ####!!!###Kernel Panic

    1. Re:i fixed your cute fluffy kittens function by grahamlee · · Score: 1
      Give me a candy bard.

      How about Curly-Wurliam Shakspere?

  26. Re:divide by 0 by FLAGGR · · Score: 1

    int's are initialized to whatever is located in RAM at the time (so in effect, it's random) so it would just crash (although any compiler would see the / 0 literally typed in and slap you in the face for it)