Slashdot Mirror

← Back to Stories (view on slashdot.org)

The 2006 Underhanded C Contest Begins

Posted by ryuzaki0 on from the segmentation-fault-core-dumped dept.

Xcott Craver writes "The second annual Underhanded C Code Contest is live as of April 4th, and runs until July 4th. The object is to write malicious C code that looks perfectly readable and innocent under informal inspection of the source."

6 of 232 comments (clear)

  1. Re:Can someone explain this to me? by chrismcdirty · · Score: 5, Insightful

    1. It teaches you not to take all code at face value, and actually read into it.
    2. It's fun.

    --
    It's like sex, except I'm having it!
  2. Re:Can someone explain this to me? by Xcott+Craver · · Score: 5, Insightful
    Well, ask yourself how the Obfuscated C Code contest "helps the community." To some extent, it's just a contest, and not meant to bring about world peace.

    On the other hand, I think it does teach us a thing or two about what to look for when reviewing code. I know I've learned a lot about sneaky coding practices since it started. I learned C in the 1980s and thought I was pretty knowledgeable by now, but I actually didn't know about ASCII trigraphs until last year. X

  3. Re:Can someone explain this to me? by tmjr3353 · · Score: 5, Insightful

    I understand about making source code available helps in a secure system, but what if that code has evil code...made to look innocent upon inspection....written into it?

    I think you've highlighted the point right there. By getting the community to find ways to write code of this fashion, you're simultaneously getting them to learn to read code better (or at least that would be my hope). If I know how to write code in a fashion that looks innocent but brings with it not-so-innocent consequences, then hopefully I know how to tell when someone else is doing the same thing.

  4. Re:Can someone explain this to me? by l2718 · · Score: 5, Insightful

    This problem arises whenever you need to use software for an application that must be secure. One famous case of tampering was by the CIA; control software for a Soviet oil pipeline purchased in the West was modified to fail upon a remote command causing a massive explosion.

    One hypothetical scenario: Diebold decide to act on their CEO's promise to deliver the election to the Republican party by making a small modification to their voting machines. If they can use the techniques this contest is looking for they would write the code so that it would escape even scrutiny by an outside agency (say, the government).

    In general, the idea of the contest is to showcase ways of breaking security and therefore perhaps ways to overcome them.

  5. Dangerous and suspicious looking by whitenaga · · Score: 4, Insightful

    Your code is dangerous, but it has to be exploited by a knowledgable user. I think what they're looking for in the Underhanded C Contest is code that exploits itself. But for the purpose of being pendantic, i'll bite... =)

    • You're using gets(), which is notorious for buffer overrun problems.
    • You mix fputs() and printf(), right next to each other. And you use printf() just like fputs(), and that looks suspicious.
    • printf(stuf); is practically asking for exploitation. If stuf contained the proper combination of "(filler) %junk %junk %n", printf()'s return address would be overwritten.
    --
    Lindsey
    @>-->-----
  6. Re:My entry -- the world's last C bug by joe_bruin · · Score: 4, Insightful

    so if(status = 1) in his code is always true. In your code, not neccesarily. Hence, his is a bug. And funny.

    Look again. This time, look for any extra semi-colons that shouldn't be there. The responder's joke was an improvement on the original, and would not have been flagged by an optional compiler warning (at least in the case of gcc).

    if(status == 1);