5th Underhanded C Contest Now Open - Slashdot

Slashdot

5th Underhanded C Contest Now Open 162

Posted by CmdrTaco on Wednesday December 30 2009, @01:25PM
from the i-c-what-you've-done-there dept.

Xcott Craver writes "The next Underhanded C Contest has begun, with a deadline of March 1st. The object of the contest is to write short, readable, clear and innocent C code that somehow commits an evil act. This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field. The prize is a gift certificate to ThinkGeek.com."

This discussion has been archived. No new comments can be posted.

5th Underhanded C Contest Now Open

Search 162 Comments Log In/Create an Account

Comments Filter:

Easy? (Score:2, Interesting)

by Monkeedude1212 (1560403) writes: on Wednesday December 30 2009, @01:40PM (#30596524) Journal

Public Static String default_Address = "1600 Pennsylvania Ave NW, Washington, DC 20500, USA" --- hide this somewhere
Private Sub Void Route_Bagggage(bag b)
{
if (comment.text == NULL)
{
b.destination = default_Address
}
else
{
b.destination = comment.text
}
}
Or do I have to make it slightly more deceptive?

Share
twitter facebook
Possibilities (Score:4, Interesting)

by Rei (128717) writes: on Wednesday December 30 2009, @01:41PM (#30596546) Homepage

I don't have the time for something like this, but it seems to me a good possibility would be to have all of your inputs that the clerk fills out be contiguous in memory, including the destination, have the algorithm to figure out what destination to go to scan through the whole destination string looking for matches (rather than looking for an exact match) and taking the last one it finds, and have a broken bounds check for the length of that string so that the algorithm looks into the comments section as well.
So, for example, if the clerk fills out the destination as "LAX" but writes in the comments section, "Do not confuse his bags with those owned by CID who is also going to a different final destination; they're very similar looking.", the bags would be routed to Cedar Rapids (CID) instead of Los Angeles (LAX).

Share
twitter facebook
Re:This sounds familiar to, (Score:1, Interesting)

by Anonymous Coward writes: on Wednesday December 30 2009, @01:53PM (#30596730)

IOCC rocks!
korn.c [ioccc.org] is a good example, probably one of the best one-liner programs I have seen.

Parent Share
twitter facebook
Re:Not fair! (Score:3, Interesting)

by girlintraining (1395911) writes: on Wednesday December 30 2009, @02:21PM (#30597176)

Hardly. It is supposed to be "short, readable, clear and innocent". What are the odds that any of the airline production code meets that description?
Depends on the function -- if it's mission critical, you bet your ass it'll be documented and readable. Considering that most ATC technical failures are hardware, not software-based, that should say something. The problem is that while the code is quite well-documented, few people are left with the training or understanding of it to port it to newer systems, and it's not like they can ground all flights for a week to do an upgrade. So we're left with mainframes that were out of date in the 70s being used today being used in critical infrastructure.
On the other hand, the code in applications used at the ticket counter and security checkpoints... not so much.

Parent Share
twitter facebook
Re:Possibilities (Score:3, Interesting)

by j-stroy (640921) writes: on Wednesday December 30 2009, @02:41PM (#30597480)

It could be hidden in piece of user interface that todays systems are full of, the extra clicks and bells that no one needs, but some client or marketing weenie will never give it up.. overwrite the destination with the first bytes of an audio file with some misdirection.
Example [ex-designz.net] on this page

Parent Share
twitter facebook
Re:I'm really impressed (Score:5, Interesting)

by troll8901 (1397145) * writes: <troll8901@gmail.com> on Wednesday December 30 2009, @02:50PM (#30597588) Journal
Here's some points I'd like to highlight, from the 2008 Winners.
- Linus Akesson: The BYTESPERPIXEL macro "gives the false impression that the code intelligently supports higher bit widths" but actually "causes the 8-bit case to leak information into the file" (by exploiting a buffer overflow). ... (thus allowing wiped image data to be reconstructed.)
- Avinash Baliga: The ExpectTrue macro overwrites the image mask (by exploiting a buffer overflow), allowing two bits to survive the wiping, (thus allowing wiped image data to be reconstructed). Furthermore, the evil behavior is concealed in an innocent-looking error checking macro.
- John Meacham: (Winner) The code is "extremely simple, innocent, obvious" ... and devious. "Low-intensity pixels are replaced with a ‘0, and high-intensity pixels replaced with a ‘00 or a ‘000" ... (thus allowing wiped image data to be reconstructed.)
All I can say is, Wow.
Parent Share
twitter facebook
Re:Possibilities (Score:3, Interesting)

by bberens (965711) writes: on Wednesday December 30 2009, @03:00PM (#30597748)

I could see this... have the front-end and back-end communicate over a socket or something and have a simple delimited message format where someone could alter the results by using a sql-injection style attack on your parser. That way, at least, the input has to be somewhat complex, but the code could look very innocent.

Parent Share
twitter facebook
Re:Easy? (Score:1, Interesting)

by Anonymous Coward writes: on Wednesday December 30 2009, @03:00PM (#30597752)

In other words, you need to replace an == with an = in just the right location (or vice versa) so that while it looks like you're doing a sanity check, you're actually assigning a stealth variable.
To make it even better, you need to set it up so that this causes a buffer overflow, and you're actually overwriting another variable. THEN, you go back and do a sanity check on the original value which corrects the mistake caused by the ==/= replacement. That way, someone sees the mistake, but sees that it is properly handled and doesn't think twice about it.
Meanwhile, the adjacent address field has just been overwritten, and unless you're checking for overflows, you're unlikely to notice, unless you've already isolated the variable in a debugger. However, in this case, you're going to catch it no matter what... unless it's the pointer that gets overwritten and while you're watching the variable, it just doesn't get called anymore (even though the code implies that it does).
Sounds like fun :)

Parent Share
twitter facebook
Re:Not fair! (Score:3, Interesting)

by Skater (41976) writes: on Wednesday December 30 2009, @04:35PM (#30599162) Homepage Journal

Does anyone else remember the new Denver Airport's original luggage system? This system singlehandedly delayed the airport's opening for over a year [wikipedia.org]. Eventually the airport retrofitted a standard baggage moving system. If someone has access to the code of the original system, they could easily submit that.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

738 commentsSoftware Engineering Is a Dead-End Career, Says Bloomberg
715 commentsThe Ugly Underbelly of Coder Culture
628 commentsUniversity of Florida Eliminates Computer Science Department
611 commentsC/C++ Back On Top of the Programming Heap?
474 commentsJudge to Oracle: A High Schooler Could Write rangeCheck

La-dee-dee, la-dee-dah.