The First Annual Underhanded C Contest 341
Xcott Craver writes "We have just announced a new annual contest, the Underhanded C Contest, to write clear, readable, innocent-looking C code that implements malicious behavior. The object is to hide evil functionality that survives visual inspection of the source. The prize is beer."
Re:This will work (Score:1, Insightful)
Re:What are the legal ramifications of this? (Score:4, Insightful)
The authorities start a contest such as this, an unsuspecting programmer submits a malicious program, and he or she is arrested and charged with a variety of computer crimes.
What computer crimes would be broken?
Frankly, I won't participate in this contest considering the current legal state of America.
No, you won't participate because of yor current state of paranoia over the legal state of America.
Re:Indeed. This could be a field day for Java and (Score:2, Insightful)
Story is just plain bad (Score:3, Insightful)
Yeah, I just flip the "+good +bad -malicious" flags on javac when I want to trust code. Come on, that's ridiculous.
This is not a hard task, but it's kind of stupid, on the order of "who can break into the most computers today" (I dunno, who can run nmap the longest?)
There are so many *interesting* things that could be done as a programming contest, and the submitter chose something that's a pain in the ass for other people, doesn't really challenge the brain ("shortest version of X"), and can't be used for much other than bogus arguments that "C is dangerous" or the obvious card, "Open Source is insecure" (you can look at the much larger sample set of SourceForge and the lack of Trojans implanted and later discovered).
The number of *interesting* security stories that could have challenged people and been useful is legion. "Can we have a system that is unbreakable and does X", (followed by the inevitable followup posts where people punch holes in the design) or other things. You could have asked "How can OSS projects avoid allowing malicious code being sumitted?", which would have started an interesting set of threads from people who work on proof-carrying code, would have taught readers something, and maybe provided improved security for the world at large. Instead, we're going to see a handful of bad, obfuscated C, and a bunch of halfassed arguments against C and OSS, neither of which has much connection with reality. There will be some language arguments, where someone says "we should use [LANGUAGE_WITH_BOUNDSCHECKING]", some security guy that will point out that this doesn't begin to avoid stopping malicious code, someone will make some stupid arguments about how their favorite OS is more secure than anyone else's, we'll get some rehash of NX features that have been done time and time again on Slashdot...seriously, goddammit. The day someone makes a knockoff of Slashdot that's a bit more computer-science oriented and isn't solely aimed at producing the same tired old trolling every day is the day I jump ship.
Diebold (Score:2, Insightful)
Now if only we can get them to enter their code in the contest...
Why? (Score:4, Insightful)
Who is behind this and what is their motivations? What will they do with the ideas submitted in this contest? In a day of professional computer hackers, this is not a contest to have.
Re:It's a bad idea (Score:5, Insightful)
Java gives you a polished floor on which you can slip and break your neck.
C++ gives you a thermo-nuclear device.
Mod Parent Up! (Score:1, Insightful)
Tin foil hat on, for sure.
Re:Why? (Score:5, Insightful)
It is sort of like the computer version of a bomb squad.
Re:Indeed. This could be a field day for Java and (Score:3, Insightful)
Actually, that's not really the case... not for the kind of "malicious code" that they're talking about here. They're not talking about "getting out of the sandbox", they're talking about "hiding information in the output". It's actually a lot easier to hide this kind of "malicious code" in an object-oriented language because you can play games with the namespace.
Re:There you programmers go again... (Score:3, Insightful)
Re:in other words... (Score:4, Insightful)
Yes, I know that must come as a shock, and most people here probably won't believe me...yet it's true.
(And just to head off the inevitable nutcase looking for a Score:5, Funny: no, replacing the prize with free pr0n isn't going to cut it.
New law. (Score:1, Insightful)
The new law which evolves beyond godwins law to allow people to discuss hitler shall be called what? Slashhdot can think of a name right?
You're just not used to it. (Score:5, Insightful)
A picky compiler is a blessing, not a curse. It's much easier to identify and fix compile errors than run-time errors.
difficult to convert to better languages (thank you preprocessor)
Meaningless troll.
encourages obfuscation
Unless the compiler is literally holding a gun to your head, this is meaningless. In C you have nearly limitless control to write your code the way you feel is clearest. If it came out obfuscated then you have nobody to blame but yourself.
some constructs are clearly tacked on and/or poorly implemented (switch), arbitrary nonorthogonality (struct, parens and brace usage, pointer/array declaration), shitty strings.
Tacked on? If you don't like the way constructs are set up then fine, that's your opinion. But if you read The C Programming Language you can tell that every single construct was scrutinized over for the proper balance of efficiency (why it makes sense to pass array parameters as pointers and structs as copies) and consistency (why data types are declared the way they are. Declaration and use of data is made to match.) Do you honestly believe the creators/first users of C, some of the greatest programmers who ever lived, really said, "Ahhh, fuck it. Let's just throw something together," when designing their own programming tools?
Most people who don't like C are really just saying they don't like low-level programming because that's what it was designed for, and that's what it's perfect for. Too many newbie programmers get used to some modern, flash-in-the-pan, all-things-to-all-people languages and when they are faced with the challenges of low-level languages rashly conclude that it's the language's fault they're having problems.
C is the perfect language for the job it was designed for. The same cannot be said for most more modern languages.
Re:C is an awful language (Score:4, Insightful)
C is good for what it was first used for: writing Unix. At least initially, it was mimimalistic; orthogonality took a back seat to ease of implementation. (See Gabriel's classic essay [jwz.org] for details.)
(It's certainly not flawless. Any language that needs a utility like cdecl to make declarations understandable has problems, and there should've been a Boolean type from the beginning. It would be nice if char (which should be whatever represents a glyph on the target system) weren't conflated with short short int. Basically, if C were in your back yard, it would be declared an "attractive nuisance.")
I think the authors of The Art of Unix Programming wisely recognize that C, like any other tool, should be used only where appropriate. (Sorry if that's tautological, but I can't think of a better way to put it.)
Re:So are you very, very good or very, very bad? (Score:2, Insightful)
Writing code of that quality that looks like it does what it's supposed to do, while actually doing something subtly different, sounds like a very difficult challenge to me.
Programmers do that every day. It's called a "bug". Now, doing something subtly different and controlling what the subtly different thing actually is, that is a challenge.
Re:Why? (Score:2, Insightful)
Methinks the poster refers to this [iu.edu], wherein some as yet uinidentifed party inserted a line into the kernel sources on the CVS repository.
if these random options are passed, and the uid of the "current" struct is 0, then do the block, right? 8^o Fortunately, some sharp programmers caught this before those files got integrated back into the kernel, but who knows what the future may bring.Re:You're just not used to it. (Score:3, Insightful)
I'm not sure about strings. With the really low level stuff like OS development, I can see the case for just contiguous characters terminated by a NULL character. Otherwise it's not so hot.
But I still maintain that C works extremely well for what it was created for. I mean, how long did it take before it needed to change as opposed to C++ that becomes more complex by the hour? (I really have a love/hate attitude towards C++. I think it's a horrible language to match the needs of a horrible world. Then again, I should look more into Objective C.)
C99 addresses a lot of valid concerns with the language, though. That and D sounds promising.
Re:You're just not used to it. (Score:3, Insightful)
Clarity. All the data types in C are intended to be clear. It's only a single step up from assembly, really. C handles strings the same way assembly does: it eats bytes sequentially from an array, and it's up to the programmer to tell the program when it's had enough. Data handling in C is a virtually transparent veneer of abstraction from pointer arithmetic. A string data type with length encoded into it would require special handling, and C just don't play that game. C is all about pounding raw bytes and twiddling naked bits. If you want fancy meta-data, you're using the wrong language. Try C++ of Java.
Comment removed (Score:2, Insightful)
Re:You're just not used to it. (Score:3, Insightful)
I think you're confusing C with a high-level language. It doesn't give you lists, associative arrays, or strings because those are high-level data types and C is a low-level language. Your complaints are like saying the biggest problem with a car is you can't drive it on water -- they display a fundamental misunderstanding of the subject.
Re:Attack the Compiler (Score:3, Insightful)
I guess the thing is: What we're really concerned about here, (if I may project a little,) is voting software.
In those cases, they're probably not going to say, "download the compiler from a random site on the net." In fact, it's probably going to be very hard to control the people who compile the software, and even harder to control the people who compile the compiler. At some point, somebody's going to get the compiler, and they're going to get it from some specified place.
If it's a secret place, then the vote is determined by whoever controls that secret place. If it's a public place, well- that's something to think about.
Maybe we should have a Federal list of 100 places to get the compiler from. Or a thousand places. However it is done, we want to make it more expensive to buy the vote than the vote is worth.
Re:You're just not used to it. (Score:4, Insightful)
Are you really going to want to wait 100s of milliseconds for a garbage collector to run at arbitrary intervals in your carefully word aligned DMA transaction code that needs to run within a matter of microseconds? And how exactly is Python, LISP, or any other interpreted/dynamic runtime compiled language going to be used to write a task scheduler or memory managment system worthy of being used in an OS kernel or embedded MCUs with barely 16KiB RAM?
I think you're quite bitter about having to use C for writing applications, which I can perfectly understand. As for what C is actually MEANT for, it does the job quite well. And yes, the preprocessor issues suck, and it would be nice to have Pascal strings, but there really is no alternative to C that I have seen for low-level programming. It makes computer science purists who think everyone should program in Haskell or LISP feel dirty, but it does the job very well. It sure beats writing directly in ASM.