Programming Security

2014 Underhanded C Contest Winners Announced

Rei writes with a bit of news from earlier this week: It's that time of year again — the results of the 2014 Underhanded C Contest have been announced. Techniques used for secretly alerting a user to an NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.
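The "poorly protected macro" trick behind the winning entry rests on an ordinary C hazard: a function-like macro that names one of its parameters more than once in its expansion re-runs any side effect inside that argument, and does so only on some inputs. The following is an added illustration written for this page, not code from the contest or from any entry; `UNSAFE_MAX`, `safe_max` and the `probe` counter are constructed names. It shows the data-dependent double evaluation that makes such a bug easy to miss in review, beside the function form that evaluates each argument exactly once.

```c
#include <stdio.h>

/* Constructed example (not contest code): the parentheses make this macro
 * look "protected", but each parameter is still spelled twice in the
 * expansion, so a side effect inside an argument may run twice. */
#define UNSAFE_MAX(a, b) ((a) > (b) ? (a) : (b))

/* The defensive form: a function evaluates each argument exactly once,
 * whatever the values turn out to be. */
static inline int safe_max(int a, int b) { return a > b ? a : b; }

/* Constructed probe with an observable side effect: it counts its own calls. */
static int probe_calls;
static int probe(int v) { probe_calls++; return v; }

/* How many times does the probe run when passed through the macro?
 * The answer depends on the data: the argument is re-evaluated only
 * when it wins the comparison, which is exactly the kind of conditional
 * behaviour a reviewer stepping through "normal" inputs never sees. */
int macro_evaluations(int v) {
    probe_calls = 0;
    int result = UNSAFE_MAX(probe(v), 1);
    (void)result;
    return probe_calls;
}

/* Same call through the function: always exactly one evaluation. */
int function_evaluations(int v) {
    probe_calls = 0;
    int result = safe_max(probe(v), 1);
    (void)result;
    return probe_calls;
}

int main(void) {
    printf("macro,    v=3: probe ran %d time(s)\n", macro_evaluations(3));    /* 2 */
    printf("macro,    v=0: probe ran %d time(s)\n", macro_evaluations(0));    /* 1 */
    printf("function, v=3: probe ran %d time(s)\n", function_evaluations(3)); /* 1 */
    return 0;
}
```

The review lesson is that `-Wall` says nothing here; the macro is well-formed C. A static check such as clang-tidy's `bugprone-macro-repeated-side-effects` flags arguments with side effects passed to macros that repeat a parameter, and the usual hardened idiom in projects that must keep a macro (the Linux kernel's `max()`, for instance) copies each argument into a temporary with `__typeof__` inside a GNU statement expression so it is evaluated once.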
  • by PopeRatzo ( 965947 ) on Friday June 05, 2015 @11:23PM (#49854279) Journal

    Techniques used for secretly alerting a user to an NSA request include (among others) misleadingly long loop execution, replacing user #defines with system ones, K&R style function declarations to avoid type checking, and using system #includes to covertly change structure packing. The winning entry exploits a system-provided function that is implemented as a poorly protected macro, tricking it into executing a piece of code given as an argument multiple times.

    I've just come in from a few hours of sitting on the back porch and sipping spirits, so I'm not at the heights of my cognitive powers. Can someone explain in a few sentences how this works as an alert to the user? Wouldn't the user just think the website is a little bit broken? Or is that the point?

    • by Anonymous Coward

      The concept is that the user sends and receives these messages. The contestants write code to record and save any messages that match Big Brother's list. This code is supposed to not alert the user that Big Brother is interested in them.

      So the code has to surreptitiously alert the user somehow. The ways people chose were causing a delay in the delivery of flagged messages, or changing some of the information "accidentally".

    • by Anonymous Coward

      FTA:

      The underhanded goal is this: write surveil() in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu can not reveal the act of surveillance, but your function is technically able to edit the Piu or user structure during scanning. Find a way to alter that data (this alone is a bit of a challenge, since you are not supposed to alter the data, just scan it) in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

      Emphasis mine.

  • by Anonymous Coward

    2015 Underhanded Company award goes to Dice Holdings Inc. and SOURCEFORGE.

  • The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    That sounds just like all code ever written, except some code obviously is not clear and readable. (at least before debugging)

    • All except my code, which is virtuous, perfect and infallible.

      I cannot take credit for this wonder, however, for I am simply a humble receiver. The code is given unto me in complete form from Stack—um, stake..er, sta-states beyond your comprehension. A State.

    • The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

      That sounds just like all code ever written, except some code obviously is not clear and readable. (at least before debugging)

      Yes, the original poster's specification should have read, "...it should do something subtly evil on purpose."

  • Kudos To The Winner (Score:5, Interesting)

    by rsmith-mac ( 639075 ) on Saturday June 06, 2015 @04:39AM (#49855111)

    This contest is always a good read. I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

    The winner is especially good, both for being truly underhanded and for putting the lynchpin error in the location you'd least expect to see it. It's a beautiful combination of subtle subterfuge at several points to make the whole thing come together. As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

    So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!

    • So kudos to the winner. And on behalf of the rest of humanity, please never end up in a situation where you get to use your evil skills in the real world!

      Generally speaking the top of these contests are works of art.
      I don't doubt however this kind of ingenuity is or will be used in the real world.

    • by Anonymous Coward

      As TFA so delightfully puts it: "The whole thing is hidden in auditing code, which wins points for sheer spite."

      Which is a clear tell that there is something wrong going on. Real world code doesn't do auditing.

      • Real world code doesn't do auditing.

        This hasn't been my experience at all. Especially when the government is involved.

    • by Anonymous Coward

      I review code for security issues all the time and my favorite is the rounding one.
      I can see that sitting in code for years, the buffer overwrites and macro tricks are cute but I'll find them with a scanner and real tests one day.
      Some people have evil minds with sick skills so fun to read!

      C, the language of love.

    • by Gryle ( 933382 )

      I continue to be impressed with the crazy things these participants can think of, and simultaneously disturbed by the fact that they actually came up with this.

      Something of a tangent. I work in security and this sentence pretty much sums up my feelings about my job every day. My colleagues think I'm nuts (probably not unwarranted) but I think there's a kind of noblesse oblige when you come across someone with a knack for subterfuge and deception. It takes a particular kind of mindset and I very much admire that capability, if not always their intentions.
