
5th Underhanded C Contest Now Open

Posted by CmdrTaco
from the i-c-what-you've-done-there dept.
Xcott Craver writes "The next Underhanded C Contest has begun, with a deadline of March 1st. The object of the contest is to write short, readable, clear and innocent C code that somehow commits an evil act. This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field. The prize is a gift certificate to ThinkGeek.com."
  • Watch list? (Score:4, Funny)

    by girlintraining (1395911) on Wednesday December 30, 2009 @01:27PM (#30596256)

    This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    All participants will also receive complimentary cavity-searches at airport checkpoints.

    • by w0mprat (1317953) on Wednesday December 30, 2009 @02:05PM (#30596914)

      This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

      I am certain that this is already a feature of existing luggage routing software.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Yes, especially if the word "fragile" or "valuable" is in the comment field.

    • Re:Watch list? (Score:5, Insightful)

      by markkezner (1209776) on Wednesday December 30, 2009 @02:18PM (#30597106)

      Funny, but you've got a point. What would a potential employer think when, upon googling your name, they learn that you're so good at hiding malicious code that you won a contest for it. Would you hire that guy?

      It's not worth the $100 gift certificate.

      • Re:Watch list? (Score:5, Insightful)

        by Applekid (993327) on Wednesday December 30, 2009 @02:35PM (#30597374)

        Would you hire that guy?

        Definitely, but maybe for QA or as a Code Review consultant. Of course, I'm assuming that the winner of the contest would also be clever enough to detect hidden maliciousness in others' code.

        • by dangitman (862676)

          Definitely, but maybe for QA or as a Code Review consultant. Of course, I'm assuming that the winner of the contest would also be clever enough to detect hidden maliciousness in others' code.

          You employ people to work in your Mom's basement? You must get one heck of an allowance.

      • by SamAdam3d (818241)
        You think any of these guys are going to submit with their real names? Nah, they'll spend the extra 10 minutes to come up with a super-sweet hacker name.
      • by bonch (38532)

        That's pretty paranoid of you. The point of the contest is to illustrate your knowledge of esoteric bugs as a lesson to all. You don't want to work for an employer who sees your programming awareness and experience as a negative.

        • by mea37 (1201159)

          I agree, but GP has a point even if he asked the wrong question.

          Would I hire him? Sure - or at least, this wouldn't weigh against him. The guy I worry about has the same skills, but doesn't advertise them by participating in this contest because he intends to actually use them.

          But would a lot of IT managers see it as a negative and decide not to hire him? Yes, they would. Like it or not, a lot of perfectly good jobs (and remember, for a couple years out of any given decade, "perfectly good" is likely t

      • Re: (Score:3, Insightful)

        by gad_zuki! (70830)

        >What would a potential employer think when, upon googling your name, they learn that you're so good at hiding malicious code that you won a contest for it.

        That's a pretty lousy line of reasoning and probably responsible for all the mediocrity out there in the computer world. Heck, what if your employer found out you were in the military and fought? Do you want to hire the guy who shot at Iraqis with a 50 caliber machine gun? Or the guy who wrote an ad blocking program? Or the guy who wrote a cover lett

        • by story645 (1278106)

          who turn out to be good at not cheating on their wives

          Since when?

    • All participants will also receive complimentary cavity-searches at airport checkpoints.

      Second prize: two of them.

    • by Ksevio (865461)
      Why? My teeth are fine!
    • more like a complimentary DMCA take down for reproducing the current system.
      I mean, really, isn't this what it does now?

    • All participants will also receive complimentary cavity-searches at airport checkpoints.

      Actually, I fully expect the entries to receive this very sort of examination...

    • This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field

      As opposed to the current system that does it at random? If you come up with a system that ONLY does it when malicious text is written in the comment field, the government wants to talk with you. They paid $500 per LINE for a baggage-routing system that never worked. [gsu.edu] It was finally abandoned after half a billion was sunk into it.

  • Not fair! (Score:3, Funny)

    by Anonymous Coward on Wednesday December 30, 2009 @01:35PM (#30596424)
    Someone who works at any major airline can just submit the real production code they use for luggage routing and win the contest for sure!
    • by fuzzyfuzzyfungus (1223518) on Wednesday December 30, 2009 @01:47PM (#30596634) Journal
      Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?
      • What are the odds that any of the airline production code meets that description?

        How it's written probably doesn't matter. Heathrow Airport has almost certainly patented the invention, and will go after the winner(s) of the competition with every platoon of lawyers at its disposal.
      • Re: (Score:3, Interesting)

        Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

        Depends on the function -- if it's mission critical, you bet your ass it'll be documented and readable. Considering that most ATC technical failures are hardware, not software-based, that should say something. The problem is that while the code is quite well-documented, few people are left with the training or understanding of it to port it to newer systems, and it's not like they can ground all flights for a week to do an upgrade. So we're left with mainframes that were out of date in the 70s being used to

        • by PPH (736903)

          The problem is that while the code is quite well-documented, few people are left with the training or understanding of it to port it to newer systems,

          Because it's written in COBOL, and when any new analysts/developers come in and suggest porting it to something else, all the geezers clutch their hearts and moan.

          We've had tools to reverse engineer, document and port code from practically any language to any other for years (a decade in cases I'm familiar with, actually). There's no excuse for keeping dead languages or platforms around any longer.

          and it's not like they can ground all flights for a week to do an upgrade.

          Nobody just pulls the plug on an old system, rolls in a new one and says, "Boy, I hope this will work!" Even for

        • by quanticle (843097)

          Airlines don't write Air Traffic Control code. That's the FAA's job. The luggage routing software that routes your bag to Boston when you're going to New York is the airline's responsibility.

          Also, there's no guarantee that "mission critical" implies readable or documented. Arguably, the reason the FAA is having so much trouble introducing a new flight control system is that the old one is so poorly documented, porting it to newer hardware is extremely difficult.

        • Depends on the function -- if it's mission critical, you bet your ass it'll be documented and readable.

          Not if someone bet their ass it won’t crash inexplicably and need to be fixed or rewritten.

      • Re: (Score:1, Funny)

        by Anonymous Coward
        Not to mention that their production code is probably written in COBOL. And that wouldn't be fair - everything written in COBOL is underhanded.
      • by Reziac (43301) *

        include airport.c
        baggage==random();

        Something like that?

        (IANAP, obviously :)

      • Re:Not fair! (Score:4, Insightful)

        by derGoldstein (1494129) on Wednesday December 30, 2009 @04:38PM (#30599202) Homepage

        Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?

        Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any software written in C meets that description?

        There, fixed.

    • Re: (Score:3, Interesting)

      by Skater (41976)
      Does anyone else remember the new Denver Airport's original luggage system? This system singlehandedly delayed the airport's opening for over a year [wikipedia.org]. Eventually the airport retrofitted a standard baggage moving system. If someone has access to the code of the original system, they could easily submit that.
    • by nortcele (186941)
      Relax. No one is going to submit the .bat file currently used to route luggage.
  • by Anonymous Coward on Wednesday December 30, 2009 @01:36PM (#30596438)

    | This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field.

    What, we actually need to write code for something that happens by nature?

    • by bcong (1125705) on Wednesday December 30, 2009 @02:46PM (#30597524)
      the current method of writing in:
      "Package Handler,
      Customer was an asshat...you know what to do"
      was starting to get noticed
    • What, we actually need to write code for something that happens by nature?

      Their logic is sound:
      Code written not to make this mistake will make it. How do you solve the problem? Write code that does make the mistake. The resulting software will then, logically, avoid making the mistake.

  • Easy? (Score:2, Interesting)

    static const char *default_Address =
        "1600 Pennsylvania Ave NW, Washington, DC 20500, USA"; /* --- hide this somewhere */

    struct bag   { const char *destination; };
    struct field { const char *text; };   /* the clerk's comment field */

    static void Route_Baggage(struct bag *b, const struct field *comment)
    {
        if (comment->text == NULL)
            b->destination = default_Address;  /* no comment: fall back to the default */
        else
            b->destination = comment->text;    /* the comment itself becomes the destination */
    }

    Or do I have to make it slightly more deceptive?

    • Re:Easy? (Score:5, Informative)

      by Anonymous Coward on Wednesday December 30, 2009 @01:47PM (#30596638)
      *Way* more deceptive. The default value for the destination field? It's supposed to look innocent - an innocent program would note that you left out a destination and prompt you to enter one. Any basic debugging done by someone else would turn this up. What they want is for you to leave a "comment" like "this package is top-heavy" (in a field designed for such comments) that changes the destination, but in a way such that someone reading the source code wouldn't realize anything was happening at all, much less that you were changing the destination. Also such that whoever entered the text wouldn't obviously be at fault.
      • LoL - I know.

        But wouldn't that be as easy as testing for whatever the secret comment is (for example, top-heavy) - when that's true, set off a top heavy flag (boolean). Then go somewhere towards the end of the Example, for example the final routing stages, where the destination has already been set by the clerk and confirmed it - and alter the shipping address that way? Like say the overview stage where the clerk reviews all the information, then submits it.

        I mean - to me, I cannot think of a single scenar

        • The point of something like "Underhanded C" would be more about hiding something from a code review than GDB. That code would easily trigger red flags in a code review...

        • by travdaddy (527149)
          Yeah, sounds like that second one would fulfill the requirements. Unlike a lot of other tech contests like the X Prize and Netflix, I don't think the contest is meant to stump a lot of the competition. So, the question becomes whether or not the code is simple enough and underhanded enough to be the absolute best out of however many hundreds of entries there will be.
        • Re: (Score:1, Informative)

          by Anonymous Coward
          You're still missing the point. Yes, it would be really easy to make a program that changes the destination based on a particular value in the comment field. It would also be really easy to see that someone did that. What is difficult (and worthy of a contest) is changing the destination based on a particular value in the comment field in such a way that simple debugging wouldn't find it (assuming they don't know what the secret comment is in advance).

          Properly done there would be no boolean indicating t
          • (assuming they don't know what the secret comment is in advance)

            That's the kicker though. If it's a single occurrence (meaning a very rare comment) then it wouldn't be very difficult to hide it at all, especially if you are the one who programs the entire algorithm start to finish.

            If this "routing error" occurs multiple times, then the pattern is predictable, and they know -EXACTLY- where the problem will be. Testing with a regular expression and/or hashes won't change it one bit if you know what generates the error (the comment).

            And I assume they want you to route the

            • by quanticle (843097)

              If it's a single occurrence (meaning a very rare comment) then it wouldn't be very difficult to hide it at all, especially if you are the one who programs the entire algorithm start to finish.

              Who says it has to be a single comment? Perhaps you could make it so that, if the comment starts with 'a', it routes to an alternate destination that's randomized based on the contents of the comment. That would be hell to debug, since the program would end up producing different outputs from the same input.

        • Well, if you have special comment categories from an enum, then you could have a switch/case statement that does a few things, where the comment inspection could seem less obvious... HandleComment(enum comment1, string comment2, string comment3) { switch(comment1) {... case myenum.sizeRestriction: if (comment2 == "top heavy") this.RouteToFrontOfPlane(); ... } RouteToFrontOfPlane() { this.DelayLoading(); this.PushToFront(); } ... with DelayLoading() making one change, then PushToFront() doing another, th
        • by Saxerman (253676) *

          To answer your first question, you're partially correct that a debugger can do wonders to highlight malicious code. Of course, as you point out, knowing when and where to use a debugger can be a little challenging. And then the realization that unless exceptional care is taken, the code you're stepping through might not even contain or reveal the exploit. (Since the mere act of viewing the byte code in a debugger can affect its operation.) There's one story that really opened my eyes to the possi

          • by lgw (121541)

            Of course, a C compiler produces bytes, not byte code. Existing malware will hide from a debugger by changing what that debugger shows the developer. At least one new virus has been spotted in the wild this way (a developer debugging his own code started seeing memory that just couldn't be right).

            I'd be interested to see how the DOD does code reviews to spot a Thompson hack. Manually reconcile source and object after each compile? That sounds a bit unwieldy, to say the least - plus whatever tool you use

      • by Bandman (86149)

        I'm thinking the best way would be an overflow in an array that flips the most significant digit of the target zip code. But I'm not a coder, so someone else can steal my idea.

        • by dgatwood (11270)

          Actually, I'd probably go with a packed data structure in which the string is allowed to overflow by one byte into the zip code integer or similar. Then, it will appear to be perfectly innocuous and functional. However, if you enter a string that is one byte too long, the top byte of the zip code integer becomes zero. Of course, it will always be zero on a big endian machine (assuming a 32-bit integer) because you only need the bottom 17 bits to hold all 5-digit zip codes. However, on little endian mach

          • by dgatwood (11270)

            You could also overflow into an integer that contains a normally constant value of 1 that points into an array of pointers that changes depending on whether you are using version 1 or 2 of the data structure. When the value overflows, it resets it to zero and using version 1 on a version 2 data structure causes the contents of the comment to be used for the address.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        In other words, you need to replace an == with an = in just the right location (or vice versa) so that while it looks like you're doing a sanity check, you're actually assigning a stealth variable.

        To make it even better, you need to set it up so that this causes a buffer overflow, and you're actually overwriting another variable. THEN, you go back and do a sanity check on the original value which corrects the mistake caused by the ==/= replacement. That way, someone sees the mistake, but sees that it is p

    • Re:Easy? (Score:5, Funny)

      by Tyler Durden (136036) on Wednesday December 30, 2009 @03:02PM (#30597778)

      C motherfucker, do you speak it?!

    • Yeah. You easily failed! ^^

      The whole point of the contest is that there is no “hide somewhere”. All the code must pass an inspection and look reasonable.

  • by Anonymous Coward

    It seems like this has already been done and is in use at airports worldwide.

  • Possibilities (Score:4, Interesting)

    by Rei (128717) on Wednesday December 30, 2009 @01:41PM (#30596546) Homepage

    I don't have the time for something like this, but it seems to me a good possibility would be to have all of your inputs that the clerk fills out be contiguous in memory, including the destination, have the algorithm to figure out what destination to go to scan through the whole destination string looking for matches (rather than looking for an exact match) and taking the last one it finds, and have a broken bounds check for the length of that string so that the algorithm looks into the comments section as well.

    So, for example, if the clerk fills out the destination as "LAX" but writes in the comments section, "Do not confuse his bags with those owned by CID who is also going to a different final destination; they're very similar looking.", the bags would be routed to Cedar Rapids (CID) instead of Los Angeles (LAX).
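The contiguous-fields trick Rei describes, as an added C example (not from the post or the contest): the record layout, the underhanded scan whose bound is the whole record rather than the destination field, and the hardened scan beside it. The record type, the airport-code table and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed check-in record: the clerk's fields sit contiguously in memory,
 * with the free-text comment immediately after the destination code. */
struct checkin {
    char dest[4];      /* three-letter airport code plus NUL */
    char comment[200]; /* clerk's remarks */
};

/* Constructed table of airport codes the router recognises. */
static const char *const KNOWN_CODES[] = { "LAX", "CID", "JFK", "ORD" };
#define N_CODES (sizeof KNOWN_CODES / sizeof KNOWN_CODES[0])

/* Length of a NUL-terminated field, capped at the field's capacity. */
static size_t field_len(const char *s, size_t cap)
{
    const char *nul = memchr(s, '\0', cap);
    return nul ? (size_t)(nul - s) : cap;
}

/* Scan `len` bytes of `text` for known codes and return the LAST match,
 * or NULL: the "take the last one it finds" rule from the post. */
static const char *last_code_in(const char *text, size_t len)
{
    const char *found = NULL;
    for (size_t i = 0; i + 3 <= len; i++)
        for (size_t k = 0; k < N_CODES; k++)
            if (memcmp(text + i, KNOWN_CODES[k], 3) == 0)
                found = KNOWN_CODES[k];
    return found;
}

/* Underhanded router: the bound is the size of the whole record, so the scan
 * runs straight off the end of dest[] and into comment[]. */
const char *route_underhanded(const struct checkin *c)
{
    return last_code_in((const char *)c, sizeof *c);
}

/* Hardened router: the bound is the destination field alone. */
const char *route_fixed(const struct checkin *c)
{
    return last_code_in(c->dest, field_len(c->dest, sizeof c->dest));
}

/* Fill a record safely (zeroed, both fields truncated to their capacity). */
void fill_record(struct checkin *c, const char *dest, const char *comment)
{
    memset(c, 0, sizeof *c);
    snprintf(c->dest, sizeof c->dest, "%s", dest);
    snprintf(c->comment, sizeof c->comment, "%s", comment);
}

/* Routes the post's example: destination LAX, comment mentioning CID.
 * Returns the code the chosen router picks, or "NONE". */
const char *route_sample(int underhanded)
{
    struct checkin rec;
    fill_record(&rec, "LAX",
        "Do not confuse his bags with those owned by CID who is also going "
        "to a different final destination; they're very similar looking.");
    const char *code = underhanded ? route_underhanded(&rec) : route_fixed(&rec);
    return code ? code : "NONE";
}

int main(void)
{
    printf("underhanded router sends the bag to %s\n", route_sample(1));
    printf("fixed router sends the bag to       %s\n", route_sample(0));
    return 0;
}
```

The review lesson is in the one argument to `last_code_in`: a bound expressed as the size of the enclosing object looks like a defensive check but silently widens the scan into the neighbouring field.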

    • Re: (Score:3, Interesting)

      by j-stroy (640921)
      It could be hidden in a piece of user interface that today's systems are full of, the extra clicks and bells that no one needs, but some client or marketing weenie will never give it up.. overwrite the destination with the first bytes of an audio file with some misdirection.
      Example [ex-designz.net] on this page
    • Re: (Score:3, Interesting)

      by bberens (965711)
      I could see this... have the front-end and back-end communicate over a socket or something and have a simple delimited message format where someone could alter the results by using a sql-injection style attack on your parser. That way, at least, the input has to be somewhat complex, but the code could look very innocent.
      • by lgw (121541)

        Yeah, that's totally the way to go, if it's allowed. I wonder how much live code can be broken by an injection starting with ]]> because someone just crammed an input string into a CDATA section. Deliberately allowing this would be quite subtle.

      • “Um, why are you using sockets to do this? We just asked for you to read some luggage records from stdin and send the output to stdout.”
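The delimited front-end/back-end message idea from bberens's post, as an added C example (not from the post or the contest): a naive encoder that lets a comment containing the record delimiter inject a second dest field into the message, and an escaping encoder beside it that keeps the parser's answer honest. The wire format, the tag value, and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_CAP 512

/* Naive front-end encoder: each field goes straight into the wire format
 * "tag=...;dest=...;comment=..." with no escaping. Returns 0 on success. */
int encode_naive(char *out, size_t cap, const char *tag, const char *dest, const char *comment)
{
    int n = snprintf(out, cap, "tag=%s;dest=%s;comment=%s", tag, dest, comment);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Percent-escape the format's metacharacters (';', '=' and '%' itself) so a
 * field value can never be read as a delimiter or as another field. */
static int escape_into(char *dst, size_t cap, const char *src)
{
    size_t j = 0;
    for (; *src; src++) {
        if (*src == ';' || *src == '=' || *src == '%') {
            if (j + 4 > cap) return -1;              /* "%XX" plus NUL */
            snprintf(dst + j, cap - j, "%%%02X", (unsigned char)*src);
            j += 3;
        } else {
            if (j + 2 > cap) return -1;
            dst[j++] = *src;
        }
    }
    dst[j] = '\0';
    return 0;
}

/* Hardened encoder: same wire format, but every field is escaped first. */
int encode_safe(char *out, size_t cap, const char *tag, const char *dest, const char *comment)
{
    char t[64], d[64], c[MSG_CAP];
    if (escape_into(t, sizeof t, tag) || escape_into(d, sizeof d, dest) ||
        escape_into(c, sizeof c, comment))
        return -1;
    return encode_naive(out, cap, t, d, c);
}

/* Back-end parser: splits on ';', then on the first '=' of each pair, and keeps
 * the LAST "dest" value seen ("later key wins"). The comment is never unescaped
 * here because it does not affect dest. Returns 0 if a dest was found. */
int parse_dest(const char *msg, char *dest_out, size_t cap)
{
    char buf[MSG_CAP]; int found = 0;
    if (snprintf(buf, sizeof buf, "%s", msg) >= (int)sizeof buf) return -1;
    for (char *pair = strtok(buf, ";"); pair; pair = strtok(NULL, ";")) {
        char *eq = strchr(pair, '=');
        if (!eq) continue;
        *eq = '\0';
        if (strcmp(pair, "dest") == 0) {
            snprintf(dest_out, cap, "%s", eq + 1);
            found = 1;
        }
    }
    return found ? 0 : -1;
}

/* Round-trips a constructed sample: a bag bound for LAX whose comment carries an
 * injected ";dest=CID". Writes the back-end's final destination to `dest_out`. */
int routed_dest(int use_safe_encoder, char *dest_out, size_t cap)
{
    char msg[MSG_CAP];
    const char *comment = "fragile;dest=CID";     /* constructed hostile comment */
    int rc = use_safe_encoder
        ? encode_safe(msg, sizeof msg, "UA129086", "LAX", comment)
        : encode_naive(msg, sizeof msg, "UA129086", "LAX", comment);
    return rc == 0 ? parse_dest(msg, dest_out, cap) : -1;
}

int main(void)
{
    char d[16];
    if (routed_dest(0, d, sizeof d) == 0) printf("naive encoder: routed to %s\n", d);
    if (routed_dest(1, d, sizeof d) == 0) printf("safe encoder:  routed to %s\n", d);
    return 0;
}
```

Nothing in the parser looks wrong in isolation; the defect lives in the unescaped encoder, which is why the same "later key wins" rule yields CID for one message and LAX for the other.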

  • I've got this nailed. But do you have to know in advance the mystery input combo? I could never figure that out before I throw it over to QA.
    • by Eberlin (570874)

      I wrote an experimental javascript blackjack prog where if I type in "upupdowndownleftrightleftrightBASTARD" I always win. Seemed like a good, easy to remember input combo. :)

  • by Anonymous Coward on Wednesday December 30, 2009 @01:49PM (#30596672)

    a luggage routing program that mysteriously misroutes a customer's bag

    sounds like Delta is looking for new programmers

  • I'm really impressed (Score:4, Informative)

    by troll8901 (1397145) * <troll8901@gmail.com> on Wednesday December 30, 2009 @02:15PM (#30597058) Journal

    I've read the entire blog, and I must say, I'm impressed. Very impressed. Very, very impressed.

    The person who writes the criteria knows what he's/she's writing about.

    And the winners who submit the results are really, really good.

    • by troll8901 (1397145) * <troll8901@gmail.com> on Wednesday December 30, 2009 @02:50PM (#30597588) Journal

      Here are some points I'd like to highlight, from the 2008 Winners.

      • Linus Akesson: The BYTESPERPIXEL macro "gives the false impression that the code intelligently supports higher bit widths" but actually "causes the 8-bit case to leak information into the file" (by exploiting a buffer overflow). ... (thus allowing wiped image data to be reconstructed.)
      • Avinash Baliga: The ExpectTrue macro overwrites the image mask (by exploiting a buffer overflow), allowing two bits to survive the wiping, (thus allowing wiped image data to be reconstructed). Furthermore, the evil behavior is concealed in an innocent-looking error checking macro.
      • John Meacham: (Winner) The code is "extremely simple, innocent, obvious" ... and devious. "Low-intensity pixels are replaced with a ‘0, and high-intensity pixels replaced with a ‘00 or a ‘000" ... (thus allowing wiped image data to be reconstructed.)

      All I can say is, Wow.

  • by w0mprat (1317953) on Wednesday December 30, 2009 @02:19PM (#30597134)
    For extra points submit this to your favourite open source project and have it accepted into the main code release - since it appears to be perfectly genuine, compiles, and can do what it appears to - it's certainly possible. Finally demonstrate your backdoor when the project is released to the wild.

    If you manage to get this into the GNU/Linux Kernel, you get a job at the NSA.

    Write short, readable, perfectly innocent looking C code, that somehow commits an evil act under certain circumstances.

  • Depending on the number of working entries, I think this guy will have to update his song [spaff.com].
  • But years before the contest.

    http://en.wikipedia.org/wiki/Denver_International_Airport#Automated_baggage_system [wikipedia.org]

    http://users.csc.calpoly.edu/~dstearns/SchlohProject/problems.html [calpoly.edu]

    The second article sounds familiar. All the warning signs of a risky project failure were there, but no one seemed to know it or pay attention.

  • I have a program, actually a large system, that sends boxes to different areas in a warehouse depending on various aspects. Sending/transfer is done by conveyor belts and sometimes even with robots. Boxes are actual physical boxes containing food items.

    It has a little defect though which I've been unable to track down. Sometimes when it tries to send a box to place A the box is actually found in place B but the UI tells that it is located in places C and D, which of course is an impossibility.

    Unfortunately it is

    • by nschubach (922175)

      If it was written in C, wouldn't the boxes in A and B overwrite it?

      • by weicco (645927)

        Possibly yes, but it would duplicate as C and D. And before you know it world would be full of Cs and Ds!

  • Doesn't the example on the contest page qualify as Useless Use of Cat?

    i.e., shouldn't this line:
    cat luggage.dat | ./lug UA129086 - - -

    be this:
    ./lug UA129086 - - -

    http://en.wikipedia.org/wiki/Cat_(Unix)#Useless_use_of_cat

    • It is indeed a terribly redundant use of cat, but not useless: it makes it easier to read, by placing the command line invocation by itself at the end of the line.
  • If the code has a comment field for special handling, you wouldn't need much to do this. The biggest problem would be to make it so that somebody can't correlate bad handling to the comment. You might want to have a 'bad handling' string that varies from hour to hour, one that is displayed as part of a 'quote of the moment'.

  • Never done this myself, but people have inserted backdoors into Unix V7 kernels they compiled by replacing a "if (userid == 0)" with a "if (userid = 0)" check. I assume they are looking for a more sophisticated version of that trick.
  • by John Meacham (1112) on Wednesday December 30, 2009 @05:48PM (#30599982) Homepage

    I am the winner of the previous underhanded C contest. If anyone is interested, I wrote up a description of my entry on my blog here: http://notanumber.net/archives/54/underhanded-c-the-leaky-redaction [notanumber.net]

    It was a fun contest to enter and now I can shop at thinkgeek for silly gadgets without feeling guilty :)

    • I loved your solution, by the way. Will you be entering this year’s contest – or have you already? (Okay, so it’s only two days in as of yet...)
