2014 Underhanded C Contest Winners Announced

Rei writes with a bit of news from earlier this week: It's that time of year again — the results of the 2014 Underhanded C Contest have been announced. Techniques used for secretly alerting a user to a NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.

Kudos To The Winner

[rsmith-mac]

This contest is always a good read. I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

The winner is especially good, both for being truly underhanded and for putting the lynchpin error in the location you'd least expect to see it. It's a beautiful combination of subtle subterfuge at several points to make the whole thing come together. As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!