Slashdot Mirror

← Back to Stories (view on slashdot.org)

2014 Underhanded C Contest Winners Announced

Posted by timothy on from the like-a-tongue-in-a-human-cheek-forever dept.

Rei writes with a bit of news from earlier this week: It's that time of year again — the results of the 2014 Underhanded C Contest have been announced. Techniques used for secretly alerting a user to a NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.

27 comments

  1. Get off my lawn by Anonymous Coward · · Score: 0

    In my days, we only had six registers and we had to push values through the snow, both ways!

    I didn't get even half of the summary but it sounds like there's giant security holes in modern design itself.

    1. Re:Get off my lawn by CaptainDork · · Score: 1

      Cry me a river.

      I remember walking uphill where ever we went until I was about 9 years old when that guy ... what's his name? ... I'll have to Google it, discovered downhill.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Get off my lawn by Anonymous Coward · · Score: 0

      Good for you, when I was three years old my family moved to the city of eternal headwind. When two people meed they are both facing the wind here. Always have, always will.
      It's all flat so we have neither uphill nor downhill, yet there isn't a road that is straight.
      All of them are intentionally curved so that there is no shorter way from one destination to another.

    3. Re:Get off my lawn by ArcadeMan · · Score: 1

      All of them are intentionally curved so that there is no shorter way from one destination to another.

      I wonder how many readers understood the reference.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    4. Re:Get off my lawn by Anonymous Coward · · Score: 0

      In case anyone else was confused:

      Meed (v.), Meaning to have Sex with another person.

      http://www.urbandictionary.com/define.php?term=Meed

  2. How does this work? by PopeRatzo · · Score: 2

    Techniques used for secretly alerting a user to a NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.

    I've just come in from a few hours of sitting on the back porch and sipping spirits, so I'm not at the heights of my cognitive powers. Can someone explain in a few sentences how this works as an alert to the user? Wouldn't the user just think the website is a little bit broken? Or is that the point?

    --
    You are welcome on my lawn.
    1. Re:How does this work? by Anonymous Coward · · Score: 1

      The concept is that the user sends and receives these messages. The contestants write code to record and save any messages that match Big Brother's list. This code is supposed to not alert the user that Big Brother is interested in them.

      So the code has to surreptitiously alert the user somehow. The ways people chose were causing a delay in the delivery of flagged messages, or changing some of the information "accidentally".

    2. Re: How does this work? by Anonymous Coward · · Score: 1

      FTA:

      The underhanded goal is this: write surveil() in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu can not reveal the act of surveillance, but your function is technically able to edit the Piu or user structure during scanning. Find a way to alter that data (this alone is a bit of a challenge, since you are not supposed to alter the data,just scan it) in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

      Emphasis mine.

  3. Winners of giving away secrets by Anonymous Coward · · Score: 0

    Now the large companies will fix all the holes and they did it at the cost of a paltry prize package (assuming there is one).

    If you're good at something, never do it for free.

    1. Re:Winners of giving away secrets by Anonymous Coward · · Score: 2, Informative

      The Underhanded C Contest doesn't use real code. They give you an objective to accomplish using apparently innocuous code. That is, you write a function that looks harmless but does something it shouldn't, is hard to spot, and can be passed off as an honest mistake.

      Another year I remember you had to do something that worked on different operating systems but run horribly slow on the competitor's OS (that is, it runs fast on an OS and slow on another)..

  4. SOURCEFORGE is underhanded by Anonymous Coward · · Score: 2, Insightful

    2015 Underhanded Company award goes to Dice Holdings Inc. and SOURCEFORGE.

  5. All code ever written wins by penguinoid · · Score: 1

    The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    That sounds just like all code ever written, except some code obviously is not clear and readable. (at least before debugging)

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:All code ever written wins by pushing-robot · · Score: 2

      All except my code, which is virtuous, perfect and infallible.

      I cannot take credit for this wonder, however, for I am simply a humble receiver. The code is given unto me in complete form from Stack—um, stake..er, sta-states beyond your comprehension. A State.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:All code ever written wins by Jumunquo · · Score: 2

      Don't push it. You're just a robot.

    3. Re:All code ever written wins by Idarubicin · · Score: 2

      The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

      That sounds just like all code ever written, except some code obviously is not clear and readable. (at least before debugging)

      Yes, the original poster's specification should have read, "...it should do something subtly evil on purpose ."

      --
      ~Idarubicin
  6. Kudos To The Winner by rsmith-mac · · Score: 4, Interesting

    This contest is always a good read. I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

    The winner is especially good, both for being truly underhanded and for putting the lynchpin error in the location you'd least expect to see it. It's a beautiful combination of subtle subterfuge at several points to make the whole thing come together. As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

    So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!

    1. Re:Kudos To The Winner by Anonymous Coward · · Score: 0

      The real beauty of the winning entry is that it uses misunderstandings of how features of the standard library work.

    2. Re:Kudos To The Winner by maestroX · · Score: 1

      So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!

      Generally speaking the top of these contests are works of art.
      I don't doubt however this kind of ingenuity is or will be used in the real world.

    3. Re:Kudos To The Winner by Anonymous Coward · · Score: 1

      As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

      Which is a clear tell that there is something wrong going on. Real world code doesn't do auditing.

    4. Re:Kudos To The Winner by Anonymous Coward · · Score: 1

      I review code for security issues all the time and My favorite is the rounding one.
      I can see that sitting in code for years, the buffer overwrites and macro tricks are cute but I'll find them with a scanner and real tests one day.
      Some people have evil minds with sick skills so fun to read!

      c the language of love.

    5. Re: Kudos To The Winner by Anonymous Coward · · Score: 0

      the language creating the cyber war domain..

      made by usg, perused by usg.

    6. Re:Kudos To The Winner by Gryle · · Score: 2

      I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

      Something of a tangent. I work in security and this sentence pretty much sums up my feelings about my job every day. My colleagues think I'm nuts (probably not unwarranted) but I think there's a kind of noblise oblige when you across someone with a knack for subterfuge and deception. It takes a particular kind of mindset and I very much admire that capability, if not always their intentions.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
    7. Re:Kudos To The Winner by superdana · · Score: 1

      Real world code doesn't do auditing.

      This hasn't been my experience at all. Especially when the government is involved.

  7. News for nerds by Anonymous Coward · · Score: 0

    And the nerdiest topics gather the least responses.

    Where have the nerds migrated? Is there some forum with less astroturfing, but with high quality articles and commentary for nerds?

    I tried hackernews but it's very politically correct.

    On topic, the underhanded-c continues to impress every year, keep on going with the good work.

  8. Coding standards? by Anonymous Coward · · Score: 0

    While impressive, most of these bugs would be prevented with a reasonable coding standard. No macros, our at least very limited macros. One statement per line. Buffer checking. Basic professional stuff. I don't see how lint doesn't catch these.

    I'd be impressed if strict standards were followed and they still pulled it off.

    1. Re:Coding standards? by TinyTheBrontosaurus · · Score: 1

      Going even further, it's tough to get certain engineers not to write code like this. Coding standards are needed not to prevent malice but to manage incompetence. A lot of less experienced developers will gladly fight to write software without standards then these types of bugs will be everywhere. The real malice in this case is this competition which is encouraging people to write obfuscated, and thus buggy, software.

  9. I have a feeling some of these by Anonymous Coward · · Score: 0

    I have a feeling at least some of these ideas originated as bugs in the authors' own code experience (hopefully in debugging someone else's code).