Slashdot Mirror


The 2006 Underhanded C Contest Begins

Xcott Craver writes "The second annual Underhanded C Code Contest is live as of April 4th, and runs until July 4th. The object is to write malicious C code that looks perfectly readable and innocent under informal inspection of the source."

14 of 232 comments

  1. I Win by ExE122 · · Score: 5, Funny

    In this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    system("c:\\Program Files\\Internet Explorer\\iexplore.exe");

    Where's my prize?

    --
    "Man Bites Dog
    Then Bites Self"
    --
    Capitalism: When it uses the carrot, it's called democracy. When it uses the stick, it's called fascism.
  2. Re:Can someone explain this to me? by chrismcdirty · · Score: 5, Insightful

    1. It teaches you not to take all code at face value, and actually read into it.
    2. It's fun.

    --
    It's like sex, except I'm having it!
  3. Re:Can someone explain this to me? by Xcott Craver · · Score: 5, Insightful
    Well, ask yourself how the Obfuscated C Code contest "helps the community." To some extent, it's just a contest, and not meant to bring about world peace.

    On the other hand, I think it does teach us a thing or two about what to look for when reviewing code. I know I've learned a lot about sneaky coding practices since it started. I learned C in the 1980s and thought I was pretty knowledgeable by now, but I actually didn't know about ASCII trigraphs until last year. X

  4. I know... by scolby · · Score: 5, Funny

    ...I'll design a media player that appears to be playing a CD when it's actually installing a root kit that creates an easy way back door for malware.

    And then I'll get sued by Sony for copyright infringement.

  5. Re:Can someone explain this to me? by tmjr3353 · · Score: 5, Insightful

    I understand that making source code available helps in a secure system, but what if that code has evil code...made to look innocent upon inspection....written into it?

    I think you've highlighted the point right there. By getting the community to find ways to write code of this fashion, you're simultaneously getting them to learn to read code better (or at least that would be my hope). If I know how to write code in a fashion that looks innocent but brings with it not-so-innocent consequences, then hopefully I know how to tell when someone else is doing the same thing.

  6. Re:Can someone explain this to me? by l2718 · · Score: 5, Insightful

    This problem arises whenever you need to use software for an application that must be secure. One famous case of tampering was by the CIA; control software for a Soviet oil pipeline purchased in the West was modified to fail upon a remote command causing a massive explosion.

    One hypothetical scenario: Diebold decide to act on their CEO's promise to deliver the election to the Republican party by making a small modification to their voting machines. If they can use the techniques this contest is looking for they would write the code so that it would escape even scrutiny by an outside agency (say, the government).

    In general, the idea of the contest is to showcase ways of breaking security and therefore perhaps ways to overcome them.

  7. Re:Can someone explain this to me? by adyus · · Score: 5, Funny

    Um, I think your signature should be number three:
    1. It teaches you not to take all code at face value, and actually read into it.
    2. It's fun.
    3. It's like sex, except I'm having it!

    :)
  8. Re:Can someone explain this to me? by Guignol · · Score: 5, Funny

    Yes, for instance we could say it is malicious if it wouldn't halt

  9. My entry! by radiumhahn · · Score: 4, Funny
    #include <stdio.h>

    int main(void)
    {
        /* Rob a bank! */
        /* Steal Stuff! */
        printf("hello, world\n");
        /* Use Drugs! */
        /* Kill, Kill, Kill! */
        return 0;
    }

  10. My entry -- the world's last C bug by PeeAitchPee · · Score: 4, Funny

    An oldie but goodie . . .

    while (1)
    {
        status = GetRadarInfo();
        if (status = 1)
            LaunchMissiles();
    }
    1. Re:My entry -- the world's last C bug by joe_bruin · · Score: 4, Insightful

      so if(status = 1) in his code is always true. In your code, not necessarily. Hence, his is a bug. And funny.

      Look again. This time, look for any extra semi-colons that shouldn't be there. The responder's joke was an improvement on the original, and would not have been flagged by an optional compiler warning (at least in the case of gcc).

      if(status == 1);

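The two "last C bug" variants above, side by side with the corrected loop, as an added example that is not part of any comment in this thread. The radar feed, GetRadarInfo() and LaunchMissiles() are constructed stand-ins so the three loops can be run offline and their launch counts compared:

```c
#include <stddef.h>

/* Constructed radar feed for offline testing: 1 means "contact", 0 means
   clear. Only two of the six readings should ever trigger a launch. */
static const int RADAR_FEED[] = { 0, 0, 1, 0, 1, 0 };
#define RADAR_TICKS (sizeof RADAR_FEED / sizeof RADAR_FEED[0])

static size_t feed_pos;   /* next reading to hand out */
static int launches;      /* how many times LaunchMissiles() ran */

static int GetRadarInfo(void) { return RADAR_FEED[feed_pos++]; }
static void LaunchMissiles(void) { launches++; }

/* The original post: '=' stores 1 into status, so the test is always true.
   gcc -Wall (-Wparentheses) warns "suggest parentheses around assignment". */
int run_assignment_bug(void)
{
    int status;
    feed_pos = 0; launches = 0;
    for (size_t i = 0; i < RADAR_TICKS; i++) {
        status = GetRadarInfo();
        if (status = 1)
            LaunchMissiles();
    }
    return launches;
}

/* The reply's variant: '==' is right, but the stray ';' is the whole body
   of the if, so the call on the next line runs unconditionally. Current
   gcc -Wextra (-Wempty-body) warns about this one. */
int run_empty_body_bug(void)
{
    int status;
    feed_pos = 0; launches = 0;
    for (size_t i = 0; i < RADAR_TICKS; i++) {
        status = GetRadarInfo();
        if (status == 1);
            LaunchMissiles();
    }
    return launches;
}

/* Corrected loop: launches only on a real contact. */
int run_fixed(void)
{
    int status;
    feed_pos = 0; launches = 0;
    for (size_t i = 0; i < RADAR_TICKS; i++) {
        status = GetRadarInfo();
        if (status == 1)
            LaunchMissiles();
    }
    return launches;
}
```

Both buggy loops fire on all six readings; the fixed loop fires on the two contacts only.
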
  11. Re:I love this by Fizzl · · Score: 4, Interesting

    Heh, I've been ranting for years how I love C and C++ and how Java and pretty much all other higher level languages suck. I think they are meant just for crybabies who can't handle pointers and get confused while tying their shoelaces.
    I actually just thought that I'll whip something up for the contest. You know, first I'll just make the basic program and try to figure out how to sneak something in. It took me 10 minutes to realize that I have no fucking clue what I'm doing.

    "How do I read from stdin?"
    "How do I allocate without too much overhead for it?"
    "Wait, I really shouldn't be doing this in the main function. Perhaps I'll make a separate function. Now, hmm.. How do I define a function which takes a reference to an array of char pointers, and what else do I need to know to reallocate the array"
    "Oh right. It also needs to be separated by spaces too, not just newlines"
    "I wish there was a nice library function 'char *readfile(stream)' in ANSI C"
    "Shit. Real programming is hard!"

    I hereby turn in my coding gloves, and don the pink fluffy Java gloves I have actually worn for some time against my will.

  12. Re:Can someone explain this to me? by kimvette · · Score: 4, Funny

    Perhaps this "contest" is sponsored behind the scenes by Sony, in their search for more stealth rootkit implementation methodologies in their next Anti-Fair-Use software release. They're counting on some smartass or two submitting really clever malicious code, I just know they are!

    This has been the crackpot conspiracy theory of the day.

    (Why yes, I'm bored! Why do you ask?)

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  13. Dangerous and suspicious looking by whitenaga · · Score: 4, Insightful

    Your code is dangerous, but it has to be exploited by a knowledgeable user. I think what they're looking for in the Underhanded C Contest is code that exploits itself. But for the purpose of being pedantic, I'll bite... =)

    • You're using gets(), which is notorious for buffer overrun problems.
    • You mix fputs() and printf(), right next to each other. And you use printf() just like fputs(), and that looks suspicious.
    • printf(stuf); is practically asking for exploitation. If stuf contained the proper combination of "(filler) %junk %junk %n", printf()'s return address would be overwritten.
    --
    Lindsey
    @>-->-----
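
The two review findings above (unbounded gets() and user data passed as the printf() format), each beside its hardened form, as an added example that is not whitenaga's code or anyone else's in this thread. read_line(), render_unsafe(), render_safe() and stream_from() are names chosen here; the input strings are constructed for offline testing:

```c
#include <stdio.h>
#include <string.h>

/* Bounded stand-in for gets(): reads at most size-1 bytes, drops the
   newline and tells the caller when the line was cut off. Returns 0 at EOF. */
int read_line(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (!fgets(buf, (int)size, in))
        return 0;
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else {
        /* No newline: the line was longer than the buffer (or EOF without
           newline). Discard the remainder so the next read starts fresh. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return 1;
}

/* The pattern whitenaga flags: user data is the format string. Even a
   harmless "%%" in the input changes the output, and conversion
   directives in the input are undefined behaviour. gcc -Wformat-security
   warns on this call. */
int render_unsafe(const char *user, char *out, size_t n)
{
    return snprintf(out, n, user);
}

/* Hardened form: the format is a literal; user data is only an argument. */
int render_safe(const char *user, char *out, size_t n)
{
    return snprintf(out, n, "%s", user);
}

/* Helper for offline testing: wrap a constructed string in a FILE*. */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f) { fputs(text, f); rewind(f); }
    return f;
}
```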