Winner of the 2015 Underhanded C Contest Announced (underhanded-c.org)
Xcott Craver writes: The Underhanded C contest results have now been announced. This time the contest challenge was to cause a false match in a nuclear inspection scenario, allowing a country to remove fissile material from a warhead without being noticed. The winner receives $1000 from the Nuclear Threat Initiative.
Seems very much like the same guy. He posted chiptune on his site and also had some past underhanded entries there. Presumably, he's just not updating (or updated) for this last entry.
You're thinking of the obfuscated C contest. That involves C code that operates correctly, but looks like junk (even under scrutiny). This is the underhanded C contest. This involves C code that looks correct (even under scrutiny), but operates like junk.
Hi,
In the winning entry there is no cast or "conversion" per se. It has one C file that calls a function and another C file that implements the function, with a mismatch between the types of the call and the implementation. Neither file by itself is performing any conversion or doing something wrong that can be caught by static analysis; the bug is caused by a mismatch between the code in two object files. This would only be caught by a tool that would examine the two files together, but it would not be caught by the compilation of either part.
We've actually seen a number of past entries that used this same basic trick to mismatch a call and an implementation. A previous winning entry managed to redefine the time() function as time_t time(void) instead of time_t time(time_t *ptr), avoiding a compiler warning by using the extern keyword. That's a neat trick because barely anyone uses the argument to time(), and after writing t=time(NULL) hundreds of times, it's easy to completely miss a call like t=time(). This caused a call to time() with the wrong number of arguments, so that another variable on the stack was used to hilarious effect.
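The call/implementation mismatch described in the comment above, as an added example that is not part of the original thread or taken from any contest entry: a script that writes two constructed C files, confirms that each compiles and links without diagnostics, and then confirms that a shared header makes the compiler reject the implementation. The names `compare()`, `caller.c`, `impl.c` and `compare.h` and the double/float choice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed sources; compare(), caller.c, impl.c and
# compare.h are hypothetical names, not taken from any contest entry.
CC=${CC:-cc}

write_sources() {   # $1 = scratch directory
    # Caller declares compare() by hand, taking double pointers.
    cat > "$1/caller.c" <<'EOF'
int compare(const double *a, const double *b, int n);
int main(void) {
    double x[2] = {1.0, 2.0}, y[2] = {1.0, 2.0};
    return compare(x, y, 2);
}
EOF
    # Implementation defines the same symbol with float pointers.
    cat > "$1/impl.c" <<'EOF'
int compare(const float *a, const float *b, int n) {
    int i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) return 1;
    }
    return 0;
}
EOF
    # The one declaration both files should have included.
    echo 'int compare(const double *a, const double *b, int n);' > "$1/compare.h"
    { echo '#include "compare.h"'; cat "$1/impl.c"; } > "$1/impl_checked.c"
}

# Succeeds if both files compile and link with warnings treated as errors,
# i.e. neither translation unit shows the mismatch on its own.
builds_cleanly() {
    "$CC" -Wall -Wextra -Werror -c "$1/caller.c" -o "$1/caller.o" 2>/dev/null &&
    "$CC" -Wall -Wextra -Werror -c "$1/impl.c" -o "$1/impl.o" 2>/dev/null &&
    "$CC" "$1/caller.o" "$1/impl.o" -o "$1/demo" 2>/dev/null
}

# Succeeds if the compiler rejects the implementation once it sees the
# shared prototype (GCC and Clang both report "conflicting types").
header_catches_mismatch() {
    LC_ALL=C "$CC" -c "$1/impl_checked.c" -o "$1/impl_checked.o" 2>&1 |
        grep -q 'conflicting types'
}

dir=$(mktemp -d) && write_sources "$dir"
builds_cleanly "$dir" && echo "separate builds: no diagnostics"
header_catches_mismatch "$dir" && echo "shared header: mismatch rejected"
rm -rf "$dir"
```

Compiling with `-Wmissing-prototypes` would also flag `impl.c` for defining `compare()` with no prior declaration, which is a cheap review-time signal that a file is not including the header it should.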