2008 Underhanded C Contest Officially Open

← Back to Stories (view on slashdot.org)

2008 Underhanded C Contest Officially Open

Posted by Soulskill on Friday June 13, 2008 @09:20PM from the sneaky-sneaky dept.

Xcott Craver writes "The 2008 Underhanded C Contest has just opened. Every year, contestants are asked to write a simple, innocent, readable C program that appears to perform an innocent task — but implements some non-obvious evil behavior. This year's challenge: redact blocks from an image, but do it so that the excised pixels can somehow be retrieved. We also have listed the winners of last year's contest, which was to write a simple encryption utility that mysteriously and undetectably fails between 1 percent and 0.1 percent of the time. The winning entry is truly impressive." We discussed the first of these contests in 2005.

10 of 160 comments (clear)

Min score:

Reason:

Sort:

Hide the evil code? by Dwedit · 2008-06-13 21:44 · Score: 4, Interesting

I'm sure it would be nearly impossible to hide the evil code here, because anything that isn't a simple assignment loop is suspicious.
Maybe stick in stuff in the image loader, image temporary copy code, and keep the blackener to the obvious implementation, then stick stuff in the saver.

I thought some crazy stuff involving function pointers as the function to call to return a black pixel might be promising. Maybe use some out of bounds array math to change one function pointer to point to some other code.
1. Re:Hide the evil code? by apathy+maybe · 2008-06-13 22:04 · Score: 5, Interesting
  
  Have a look at some of the previous contests. The original contest (2004 voting contest) has people exploiting stacks and various other sorts of nastiness.
  
  In 2006, http://www.brainhz.com/underhanded/results2006.html you get people exploiting the fact that 64 bit and 32 bit OS are different, or that some OSes are big endian and some little, and so on. There are all sorts of nasty tricks that are possible.
  
  One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like), there isn't much space, but you could recover some information from the original. And a one bit difference in black isn't easy to spot...
  
  Of course, I can't code C, so I don't know what I'm talking about.
  
  --
  I wank in the shower.
2. Re:Hide the evil code? by Ifni · 2008-06-14 05:42 · Score: 4, Interesting
  
  Actually, this one is likely simple (haven't read the detailed requirements, so I may be off base), but instead of redacting with a solid black block, redact with a "random" pattern, perhaps using MD5 to generate the pattern from the original. MD5 is reversible (though maybe not for all values), though the computing requirements to do so might be a little more than the project demands. In that case, some other innocent looking but slightly flawed algorithm to obfuscate the image portion (I think someone mentioned the Photoshop Swirl filter) could be used. A casual observer would look at the code and go "oh, what a neat effect, and it is indeed unreadable", without investigating the reversibility of the process.
  
  --
  Oh, was that my outside voice?
Compression would be nice by 32771 · 2008-06-13 21:57 · Score: 5, Interesting

Wouldn't it be nice if the original under the blacked out area could be compressed and then put somewhere else in the image.

It would be much easier if one could just use an algorithm which just displaces the pixels and then forget to randomize the displacement. This could look much more innocent than the above.

That black area has so little expected channel capacity that hiding anything in it is kinda difficult.

Unfortunately the code for the blacking out can be made so small that it is tough to hide anything in it, unless ppm offers some ways to add complexity in some innocent way.

I wonder what means of deciphering the hidden area are allowed, i.e. can I write another program to get the kitty face information back?

That is a really cute picture. I wonder what it is thinking.

--
Je me souviens.
1. Re:Compression would be nice by irc.goatse.cx+troll · 2008-06-14 06:11 · Score: 4, Interesting
  
  Seems like you dont even have to go that far, all you have to do is compress the image to jpeg first keeping/embedding a JFIF thumbnail (leave this as uncommented black magic, preferably outsourced to another lib), then do all your work to the actual image without updating the thumbnail.
  
  Photoshop used to do this under certain conditions, like when Cat Schwartz from TechTV took topless pictures of herself and cropped them to just extreme closeups of her eyes for her blog, only to have someone save it and see the (uncropped) thumbnails.
  
  They made her do a story on it shortly thereafter. Cruel.
  
  --
  Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
Last years winner really deserves some praise by imsabbel · 2008-06-13 22:03 · Score: 4, Interesting

because the way it dumpes the key into the output is hidden in such a underhanded, innocent way...

--
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Even better by Moraelin · 2008-06-13 22:04 · Score: 5, Interesting

Reminds me of a "compression program" back in the early 90's. Seemed to compress better than Zip or RAR and was pretty fast too. You could also test it by compressing and uncompressing a few files, and you got your original back.

Turns out it just copied the contents to a temporary file and "uncompressing" got them back from there, while the "archive" was just random junk. Better yet, the temporary file was just a circular buffer, so when it filled, old data got discarded.

--
A polar bear is a cartesian bear after a coordinate transform.
Re:Hmm... by 32771 · 2008-06-13 22:14 · Score: 5, Interesting

Now we can speculate what the authors intentions behind the contest are.

I think their FAQ addresses most points pretty well:

http://underhanded.xcott.com/?page_id=7

I hope sensitizes open source programmers programmers to take great care with peoples submissions to their projects. Only good can come from that.

--
Je me souviens.
Re:invisible ink by jamesh · 2008-06-13 23:01 · Score: 4, Interesting

I recently investigated a problem in MS Outlook where an option was set to never show the body of the email when viewing the email, it could only be viewed when forwarding. There were actually a bunch of tick box options to enable and disable this behavior. Reminds me of the Far Side comic with a passenger in an airplane reaching down to adjust his seat and accidentally about to toggle the 'wings stay on / wings fall off' switch.
Bug? by Anders · 2008-06-14 02:22 · Score: 4, Interesting

There seems to be an error in the supplied ppm.c library file:
p.rgb[i] = z.pixel[y][(x+i)*3*z.bpp];
This only ever gets the R component, as all offsets are multiples of 3. I think the right code is:
p.rgb[i] = z.pixel[y][(x*3+i)*z.bpp];
Maybe this is part of the assignment :-).