Slashdot Mirror


Underhanded C Contest announces winners

Matthew Skala writes "The 2005 Underhanded C Contest has announced its winners: the team entry from M Joonas Pihlaja and Paul V-Khuong, and the solo entry from Natori Shin. The contest (which appeared on Slashdot in June) tests programmers' ability to hide malicious behaviour in innocent-seeming code, making it a kind of evil shadow twin to the International Obfuscated C Contest."

10 of 150 comments

  1. good to see by garat · · Score: 5, Insightful

    Having a contest like this has similar positive aspects as full disclosure concerning vulnerabilities; by providing examples of how it's done, people will be better able to spot such attempts were they to occur. I'm happy to see this contest being held.

    --
    Support alternatives to Paypal: http://www.e-gold.com
  2. Re:Just what the world needs... by Snoolas · · Score: 2, Insightful

    Better have them writing code for contests than having them writing real malicious code that will actually affect the public...

  3. Re:Just what the world needs... by Jeremi · · Score: 2, Insightful

    ... countered by a larger number of more alert code readers. Hopefully it comes out to a win for the Good Side.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.
  4. Important contest by jurt1235 · · Score: 2, Insightful

    Does anybody remember the event about 1.5 years ago when a programmer managed to smuggle malicious code into the Linux kernel?

    Virus writers and script kiddies are not a worry for this kind of code writing. The programmer you hire to write that AJAX extension to your website is also worth worrying about. This contest just shows how it is done.

    --
    My wife's sketchblog Blob[p]: Gastrono-me
  5. Making Wrong Code Look Wrong by lelkes · · Score: 3, Insightful

    It would be extremely important to use coding standards which make wrong code look wrong. Not only would it be more difficult to inject malicious code, but if somebody made mistakes, it would be really easy to discover them.
    Joel has a great article on this.

  6. Re:Just what the world needs... by Acts+of+Attrition · · Score: 2, Insightful

    Right, I'm sure they're only allowed to pick one or the other.

  7. Re:I'm still fond of this one by chriso11 · · Score: 2, Insightful

    The =/== is one of C's most dastardly tricks. It is a great way to make infinite loops too.

    That said - I think that C IDEs which perform context sensitive coloring should use two different colors for = and ==. Or maybe put in a macro or something to make it harder for these types of bugs.

    --
    No, I don't trust in god. He'll have to pay up front, like everybody else.
  8. Re:I'm still fond of this one by jnf · · Score: 2, Insightful

    Why? The solution really becomes putting your constants on the left-hand side of the expression.

    It's really not that hard to get used to, I don't find it to be particularly ugly and it solves the problem.

  9. Re:Runtime code generation by nothings · · Score: 3, Insightful

    Who in the world generates code to the stack? Compiling code is expensive, so you want to cache it, that is, keep it around for a while, which means putting it on the heap.

  10. Re:I'm still fond of this one by ipfwadm · · Score: 3, Insightful

    And the attempted backdoor in question put the parens around the assignment, thus avoiding the warning.
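
For readers of this thread, an added illustration (not part of any comment above, and not the code of the kernel incident or of any contest entry) of the =/== pattern discussed in comments 7, 8 and 10, written from a code reviewer's side: a parenthesised assignment inside a condition next to the constant-on-the-left form. The struct, flag values and function names are hypothetical.

```c
#include <stdio.h>

#define FLAG_A 0x1              /* hypothetical option bits */
#define FLAG_B 0x2

struct cred { int uid; };       /* hypothetical stand-in for a credential */

/* Reads like an argument sanity check. The second operand is an assignment:
 * it stores 0 in uid and evaluates to 0, so the error branch is never taken
 * and the only effect is the write. The parentheses around the assignment
 * are what keep the compiler's "assignment used as truth value" warning quiet. */
int check_options_flawed(struct cred *c, int options)
{
    int retval = 0;
    if ((options == (FLAG_A | FLAG_B)) && (c->uid = 0))
        retval = -1;
    return retval;
}

/* The same check as a reviewer would want it: a real comparison with the
 * constant on the left. Dropping one '=' gives "0 = c->uid", which does not
 * compile, and the const pointer turns any write through c into an error. */
int check_options_reviewed(const struct cred *c, int options)
{
    int retval = 0;
    if ((options == (FLAG_A | FLAG_B)) && (0 == c->uid))
        retval = -1;
    return retval;
}

int main(void)
{
    struct cred a = { 1000 }, b = { 1000 };   /* constructed sample values */

    check_options_flawed(&a, FLAG_A | FLAG_B);
    check_options_reviewed(&b, FLAG_A | FLAG_B);
    printf("flawed:   uid is now %d\n", a.uid);
    printf("reviewed: uid is now %d\n", b.uid);
    return 0;
}
```

In review, any `=` inside a condition whose left side is security-relevant state deserves a second look even when the build is warning-free.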