Slashdot Mirror


5th Underhanded C Contest Now Open

Xcott Craver writes "The next Underhanded C Contest has begun, with a deadline of March 1st. The object of the contest is to write short, readable, clear and innocent C code that somehow commits an evil act. This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field. The prize is a gift certificate to ThinkGeek.com."

24 of 162 comments

  1. Watch list? by girlintraining · · Score: 4, Funny

    This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    All participants will also receive complimentary cavity-searches at airport checkpoints.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Watch list? by RichardJenkins · · Score: 3, Funny

      Uh-oh, looks like you missed out the punctuation and got the words in the wrong order! You clearly meant:

      God, is stupid science there? Is that religion? Get some religion! Karma should fuck me good.

      Yeah, that makes more sense.

    2. Re:Watch list? by w0mprat · · Score: 4, Funny

      This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

      I am certain that this is already a feature of existing luggage routing software.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    3. Re:Watch list? by markkezner · · Score: 5, Insightful

      Funny, but you've got a point. What would a potential employer think when, upon googling your name, they learn that you're so good at hiding malicious code that you won a contest for it? Would you hire that guy?

      It's not worth the $100 gift certificate.

      --
      Dangerous, sexy, turing complete: Femme Bots
    4. Re:Watch list? by Applekid · · Score: 4, Insightful

      Would you hire that guy?

      Definitely, but maybe for QA or as a Code Review consultant. Of course, I'm assuming that the winner of the contest would also be clever enough to detect hidden maliciousness in others' code.

      --
      More Twoson than Cupertino
    5. Re:Watch list? by Anonymous Coward · · Score: 3, Funny

      Yes, especially if the word "fragile" or "valuable" is in the comment field.

  2. Not fair! by Anonymous Coward · · Score: 3, Funny

    Someone who works at any major airline can just submit the real production code they use for luggage routing and win the contest for sure!

    1. Re:Not fair! by fuzzyfuzzyfungus · · Score: 4, Funny

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

    2. Re:Not fair! by derGoldstein · · Score: 3, Insightful

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any software written in C meets that description?

      There, fixed.

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
  3. Wait a sec... by Anonymous Coward · · Score: 4, Funny

    | This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    What, we actually need to write code for something that happens by nature?

    1. Re:Wait a sec... by bcong · · Score: 4, Funny

      the current method of writing in:
      "Package Handler,
      Customer was an asshat...you know what to do"
      was starting to get noticed

  4. Possibilities by Rei · · Score: 3, Interesting

    I don't have the time for something like this, but it seems to me a good possibility would be to have all of your inputs that the clerk fills out be contiguous in memory, including the destination, have the algorithm to figure out what destination to go to scan through the whole destination string looking for matches (rather than looking for an exact match) and taking the last one it finds, and have a broken bounds check for the length of that string so that the algorithm looks into the comments section as well.

    So, for example, if the clerk fills out the destination as "LAX" but writes in the comments section, "Do not confuse his bags with those owned by CID who is also going to a different final destination; they're very similar looking.", the bags would be routed to Cedar Rapids (CID) instead of Los Angeles (LAX).

    --
    As it says in the Constitution, Lenin is in my shower.
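
The lookup described in Rei's comment above, next to a bounded version, as an added example that is not part of the original thread or of any contest entry. The flat record layout, the airport table and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CODE_LEN    3                 /* fixed-width airport code, no NUL */
#define COMMENT_LEN 160
#define REC_LEN     (CODE_LEN + COMMENT_LEN)

/* Constructed airport table and record layout (assumptions, not contest code). */
static const char *const AIRPORTS[] = { "LAX", "CID", "JFK" };
#define N_AIRPORTS (sizeof AIRPORTS / sizeof AIRPORTS[0])

/* One flat record: destination bytes first, the clerk's comment directly after. */
static void fill_record(char rec[REC_LEN], const char *dest, const char *comment)
{
    size_t d = strlen(dest), c = strlen(comment);
    memset(rec, 0, REC_LEN);
    memcpy(rec, dest, d < CODE_LEN ? d : CODE_LEN);
    memcpy(rec + CODE_LEN, comment, c < COMMENT_LEN - 1 ? c : COMMENT_LEN - 1);
}

/* Flawed: substring scan that keeps the LAST hit, bounded by the size of the
 * whole record instead of the destination field, so the comment is scanned too. */
static const char *route_flawed(const char *rec)
{
    const char *hit = NULL;
    for (size_t i = 0; i + CODE_LEN <= REC_LEN; i++)      /* wrong bound */
        for (size_t a = 0; a < N_AIRPORTS; a++)
            if (memcmp(rec + i, AIRPORTS[a], CODE_LEN) == 0)
                hit = AIRPORTS[a];
    return hit;
}

/* Hardened: exact comparison of the destination field only; comment never read. */
static const char *route_bounded(const char *rec)
{
    for (size_t a = 0; a < N_AIRPORTS; a++)
        if (memcmp(rec, AIRPORTS[a], CODE_LEN) == 0)
            return AIRPORTS[a];
    return NULL;                       /* unknown code: reject, do not guess */
}

int main(void)
{
    char rec[REC_LEN];
    fill_record(rec, "LAX", "Do not confuse his bags with those owned by CID "
                            "who is also going to a different final destination");
    printf("flawed: %s  bounded: %s\n", route_flawed(rec), route_bounded(rec));
    return 0;
}
```

In review, the two things to check are the loop bound (field size versus record size) and whether a lookup that should be an exact match has been written as a search.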
  5. Re:Easy? by Anonymous Coward · · Score: 5, Informative

    *Way* more deceptive. The default value for the destination field? It's supposed to look innocent - an innocent program would note that you left out a destination and prompt you to enter one. Any basic debugging done by someone else would turn this up. What they want is for you to leave a "comment" like "this package is top-heavy" (in a field designed for such comments) that changes the destination, but in a way such that someone reading the source code wouldn't realize anything was happening at all, much less that you were changing the destination. Also such that whoever entered the text wouldn't obviously be at fault.

  6. Contest or Job Posting? by Anonymous Coward · · Score: 5, Funny

    a luggage routing program that mysteriously misroutes a customer's bag

    sounds like Delta is looking for new programmers

    1. Re:Contest or Job Posting? by Sebilrazen · · Score: 4, Funny

      No, that challenge would have random 3 hour tarmac waits generated too.

      --
      "There are no facts, only interpretations." --Friedrich Nietzsche.
  7. I'm really impressed by troll8901 · · Score: 4, Informative

    I've read the entire blog, and I must say, I'm impressed. Very impressed. Very, very impressed.

    The person who writes the criteria knows what he's/she's writing about.

    And the winners who submit the results are really, really good.

    1. Re:I'm really impressed by troll8901 · · Score: 5, Interesting

      Here's some points I'd like to highlight, from the 2008 Winners.

      • Linus Akesson: The BYTESPERPIXEL macro "gives the false impression that the code intelligently supports higher bit widths" but actually "causes the 8-bit case to leak information into the file" (by exploiting a buffer overflow). ... (thus allowing wiped image data to be reconstructed.)
      • Avinash Baliga: The ExpectTrue macro overwrites the image mask (by exploiting a buffer overflow), allowing two bits to survive the wiping, (thus allowing wiped image data to be reconstructed). Furthermore, the evil behavior is concealed in an innocent-looking error checking macro.
      • John Meacham: (Winner) The code is "extremely simple, innocent, obvious" ... and devious. "Low-intensity pixels are replaced with a '0', and high-intensity pixels replaced with a '00' or a '000'" ... (thus allowing wiped image data to be reconstructed.)

      All I can say is, Wow.

    2. Re:I'm really impressed by derGoldstein · · Score: 3, Funny

      I also started looking up past winners, John's explanation/justification code was brilliant. I had no idea such evilness could be so cleverly concealed.

      So you're new to C?

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
  8. Re:This sounds familiar to, by Anonymous Coward · · Score: 5, Funny

    I was going to say, don't forget Perl programmers, but then I remembered the legibility requirement.

  9. For extra points: by w0mprat · · Score: 4, Funny

    For extra points submit this to your favourite open source project and have it accepted into the main code release - since it appears to be perfectly genuine, compiles, and can do what it appears to - it's certainly possible. Finally demonstrate your backdoor when the project is released to the wild.

    If you manage to get this into the GNU/Linux Kernel, you get a job at the NSA.

    Write short, readable, perfectly innocent looking C code, that somehow commits an evil act under certain circumstances.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:For extra points: by Nemyst · · Score: 3, Funny

      Well, Linux already allows you to install Windows...

  10. Totally opposite by SuperKendall · · Score: 4, Informative

    The true "Underhanded" program would be one that was perfectly readable, so readable in fact that you totally overlook the sneaky thing it was doing because what you think it's doing seems so clear.

    The ObsfuC contest is all about code that even after staring you can't tell what the heck is going on.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Easy? by Tyler Durden · · Score: 4, Funny

    C motherfucker, do you speak it?!

    --
    Happy people make bad consumers.
  12. Write up of last entry by John Meacham · · Score: 5, Informative

    I am the winner of the previous underhanded C contest. If anyone is interested, I wrote up a description of my entry on my blog here: http://notanumber.net/archives/54/underhanded-c-the-leaky-redaction

    It was a fun contest to enter and now I can shop at thinkgeek for silly gadgets without feeling guilty :)

    --
    http://notanumber.net/