Slashdot Mirror


2014 Underhanded C Contest Winners Announced

Rei writes with a bit of news from earlier this week: It's that time of year again — the results of the 2014 Underhanded C Contest have been announced. Techniques used for secretly alerting a user to an NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.
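
The failure mode named in the summary's last sentence, a function-like macro that evaluates its argument more than once, shown next to a hardened form. This is an added illustration, not the winning entry or any code from the contest; `IS_LEAP_UNSAFE`, `is_leap_safe` and `read_year` are hypothetical names constructed for it.

```c
#include <stdio.h>

/* Hypothetical library-style macro (constructed for this example).
   The parameter y appears three times in the expansion, so an argument
   with side effects is executed once per occurrence that gets evaluated. */
#define IS_LEAP_UNSAFE(y) \
    ((y) % 4 == 0 && ((y) % 100 != 0 || (y) % 400 == 0))

/* Hardened form: a real function evaluates its argument exactly once. */
static inline int is_leap_safe(int y)
{
    return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0);
}

static int calls;    /* how many times the argument expression ran */
static int current;  /* value the argument expression yields */

/* Stand-in for "a piece of code given as an argument": it has a side
   effect (the counter) that a reviewer would expect to happen once. */
static int read_year(void)
{
    calls++;
    return current;
}

/* Number of times read_year() runs when passed to the macro. */
int evals_unsafe(int year)
{
    current = year;
    calls = 0;
    (void)IS_LEAP_UNSAFE(read_year());
    return calls;
}

/* Number of times read_year() runs when passed to the function. */
int evals_safe(int year)
{
    current = year;
    calls = 0;
    (void)is_leap_safe(read_year());
    return calls;
}

int main(void)
{
    const int years[] = {2001, 2004, 1900, 2000};  /* constructed sample input */
    for (int i = 0; i < 4; i++)
        printf("%d: macro ran the argument %d time(s), function %d\n",
               years[i], evals_unsafe(years[i]), evals_safe(years[i]));
    return 0;
}
```

Because of short-circuit evaluation the number of repeats depends on the data, which is why a test with one convenient input can miss it; the call site looks identical in both cases, so review has to check whether the callee is a macro.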


  1. How does this work? by PopeRatzo · · Score: 2

    Techniques used for secretly alerting a user to an NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.

    I've just come in from a few hours of sitting on the back porch and sipping spirits, so I'm not at the heights of my cognitive powers. Can someone explain in a few sentences how this works as an alert to the user? Wouldn't the user just think the website is a little bit broken? Or is that the point?

    --
    You are welcome on my lawn.
  2. Re:Winners of giving away secrets by Anonymous Coward · · Score: 2, Informative

    The Underhanded C Contest doesn't use real code. They give you an objective to accomplish using apparently innocuous code. That is, you write a function that looks harmless but does something it shouldn't, is hard to spot, and can be passed off as an honest mistake.

    Another year, I remember, you had to do something that worked on different operating systems but ran horribly slow on the competitor's OS (that is, it runs fast on one OS and slow on another).

  3. SOURCEFORGE is underhanded by Anonymous Coward · · Score: 2, Insightful

    2015 Underhanded Company award goes to Dice Holdings Inc. and SOURCEFORGE.

  4. Re:All code ever written wins by pushing-robot · · Score: 2

    All except my code, which is virtuous, perfect and infallible.

    I cannot take credit for this wonder, however, for I am simply a humble receiver. The code is given unto me in complete form from Stack—um, stake..er, sta-states beyond your comprehension. A State.

    --
    How can I believe you when you tell me what I don't want to hear?
  5. Re:All code ever written wins by Jumunquo · · Score: 2

    Don't push it. You're just a robot.

  6. Kudos To The Winner by rsmith-mac · · Score: 4, Interesting

    This contest is always a good read. I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

    The winner is especially good, both for being truly underhanded and for putting the lynchpin error in the location you'd least expect to see it. It's a beautiful combination of subtle subterfuge at several points to make the whole thing come together. As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

    So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!

    1. Re:Kudos To The Winner by Gryle · · Score: 2

      I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

      Something of a tangent. I work in security and this sentence pretty much sums up my feelings about my job every day. My colleagues think I'm nuts (probably not unwarranted) but I think there's a kind of noblesse oblige when you come across someone with a knack for subterfuge and deception. It takes a particular kind of mindset and I very much admire that capability, if not always their intentions.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  7. Re:All code ever written wins by Idarubicin · · Score: 2

    The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    That sounds just like all code ever written, except some code obviously is not clear and readable. (at least before debugging)

    Yes, the original poster's specification should have read, "...it should do something subtly evil on purpose."

    --
    ~Idarubicin