The 2015 Underhanded C Contest Has Begun

Xcott Craver writes: The 8th Underhanded C Contest is now underway. The goal of the Underhanded C Contest is to write C code that is as readable, clear, innocent and straightforward as possible, but which performs some malicious function that is not obvious from looking at the source code. This year's challenge is based on a real problem in joint development for nuclear treaty verification, and the prize is $1000.

not obvious from looking at the source code.

So, pretty much any C program will be competitive here.

Sponsered by Systemd

Clearly this contest must be in someway related to Systemd but I find no mention in TFA

Start with this Password Verification Function

[mykepredko]

I'm trying to remember where I first saw this function (I think it's a pretty common example for security coding seminars):

int passwordCompare(char* enteredPassword, char* validPassword) {
int i;

        for (i = 0; (len(enteredPassword) > i) && (enteredPassword[i] == validPassword[i]; ++i) {
        }

        if (len(enteredPassword) == i) {
                return -1; /* true */
        }
        else {
                return 0; /* false */
        }
}

but, I would imagine that it would qualify as an example for the contest. I don't think it was originally designed to be malicious, but more of a coding error.

I would expect most of the entries in the contest would be of this variety, something that a (new) coder has put in that works for basic test cases, but has a serious flaw...

Re:Start with this Password Verification Function

[alvinrod]

Go look at some of the winners from previous years. Some of the solutions are on such a diabolical level that they might take days or weeks to fully track down and understand and are so convoluted that no one could possibly think it was intentional.

Last year's winner is a rather good example.

Re:Start with this Password Verification Function

[dotancohen]

I'm trying to remember where I first saw this function (I think it's a pretty common example for security coding seminars):

int passwordCompare(char* enteredPassword, char* validPassword) {

Hey, that's the routine that checks the password on my luggage!

C and C++ differ dramatically in complexity

Isn't all C++ underhanded?

This contest concerns underhanded C, not C++. There would be little point in an underhanded C++ contest.

C is a trivially simple language, with a very small syntax and a very narrow set of semantics. As a result, you have to work pretty hard to make ordinary C contain hidden functionality --- usually this requires abusing the C preprocessor, because the C grammar itself doesn't provide much room for hiding things.

C++ is at the other end of the complexity scale, being the language with the largest syntax and the most extremely complex semantics of any programming language on the planet. It took that crown from Ada many decades ago, and it hasn't stopped growing since.

Because of C++'s huge size in every respect, C++ programmers tend to develop their own preferred subsets of the language, and they stick with that subset throughout their lives. There's nothing wrong with that (indeed, it's probably the only way of working with C++), but it has the consequence that one person's clear C++ is another person's incomprehensible C++.

That makes writing underhanded C++ a rather pointless exercise.

Re:C and C++ differ dramatically in complexity

[epine]

C is a trivially simple language

You're crazy.

Back in the eighties when I was primarily a C programmer, I spent years mastering the art of writing portable C code. Our main application was required to compile under both the Microsoft and the Watcom compiler, and under the Watcom compiler we targeted both MSDOS and QNX. This was a royal PITA at times. The worst case I recall is that Microsoft had a bug in their type deduction logic for expressions that mixed signed and unsigned values. In actual fact, the Microsoft code generator used the correct rules, but the Microsoft diagnostic routine in the parser did not, causing it to issue "type conversion" warnings opposite to its own internal behaviour. Just imagine how that gave us a bad case of group-consciousness head spin until we tracked down the underlying cause.

It's terribly hard in C to defend yourself against certain kinds of accidental errors, which is one of my original reasons for moving to C++. My well-developed C programming subset (oh yes, I had a subset) was even more robust in C++. For example, in modern C++ there's much less justification for writing complex expressions using #define. Modern C++ programmers largely restrict the use of the C++ preprocessor for implementing a Turing-complete language at compile time.

Is the C99 preprocessor Turing complete?

Actually, I lied. That harmless looking C preprocessor from the dusty depths of time is but a C-hair short of being Turing complete at compile time. The smallest fiddle in the specification of token pasting might get you there.

Concerning underhandedness, the Karen Pease PIU winner would not survive having __isleap() recoded from a macro to a C++ inline function. Many of the other examples abuse the #define mechanism for encoding object lengths, rather than having the objects maintain their own lengths, such as any STL container does.

What you can foist in the unwary if you're off-scale malicious in C++ is off-scale high (it is, after all, a superset of C itself).

On the other end of the scale, if you use C++ abstractions to do good rather than evil, the never-ending refinement of the C++ language takes you to a better place, not a worse place.

Elements of Modern C++ Style

I'm not overly enamoured of Great Man theory, and likewise I'm not greatly enamoured of sanitary-conception language design, in which all the sins of the past are taken behind the woodshed and put straight en masse.

Co-existence with our dirty origins is a simple fact of human biology. It isn't true that every complexity of human evolution is automatically a turn for the worse (as you seem to imply about accrued complexity in programming language design).

The truth of the matter is that C++ used wisely can be a clean and empowering programming language, for those of us able and willing to pay the price of admission.

Whether it's reasonable to pay that price given the many other choices available now is another question. In my case, I had already paid half the price in my first professional decade as a C programmer, after stripping away the illusion that C is simple language.

I'm pretty much agnostic at this point about whether an ambitious young programmer should bother learning C++ or not, unless it happens that C++ is the only vehicle that will take you where you want to go (high abstraction level co-existing with raw hardware performance).

Too many people sit there in a state of contempt fundamentally saying "if C++ is the only viable solution, then I want a simpler problem to solve!"

Well, go to it. Fill your boots. But don't sit there and sneer at the brave souls who make the opposite choice.

Re:Wait, wait

[Dutch+Gun]

I'd argue that C++ has to be considered in two different cases, one for library writers and one for library users. Moreover, let's talk about modern C++ (C++14) rather than legacy C++, with all the cruft compatibility with C and older C++ version gives us.

C++ is an incredibly complicated but unbelievably powerful language for writing libraries. It allows high-level abstraction that compiles down to code every bit as efficient as the much more dangerous equivalent C code. A lot of the really complicated parts of C++ are actually intended for library writers, where advanced techniques can make the libraries easier to use, safer, and more efficient at the cost of code complexity. Many programmers believe that they need to master all these subtle and tricky parts of the language in order to properly use C++, but I don't believe that to be the case at all.

The other aspect of C++ is a programmer who mostly *uses* libraries to build new functionality (application-level programming). This sort of C++ is actually fairly straightforward, so long as you have a reasonable knowledge level of the language. That is, you can write classes properly (rule of three, now extended to rule of four), understand scope and resource management (RAII), simple rules for keeping classes exception safe (like the copy/swap idiom), and understand how to make use of the newest features like smart pointers. Modern C++ code can and should be written in such a way that it's impossible to stomp on memory you don't own, and difficult to accidentally leak memory or other resources, and all without losing any significant efficiency compared to C.

I'd say the biggest problem C++ has is that many programmers simply don't understand how to properly break things up into discrete classes and tend to overuse inheritance instead of composition as a means of building complex functionality. As such, you often tend to see nightmarish class hierarchies filled will massive classes that perform dozens and dozens of completely discrete functions, instead of classes composed of smaller classes, each with a well-defined and testable set of operators and behavior. Moreover, you see many programmers combining this with the most dangerous of C behaviors, such as passing around raw object pointers or memory buffers, especially in older legacy code. It's no wonder C++ has a reputation of being a difficult language.

I'd never argue that C++ is an *easy* language to use. In fact, it's pretty easy to write really horrible, unmanageable C++ code, which I think is probably *worse* than bad C code in many ways. However, *good* C++ is far more manageable and safer than the equivalent C code while being every bit as run-time efficient.