Underhanded C Contest - The Winner
Written by Kay Ewbank   
Wednesday, 10 June 2015

The results of the 2014 Underhanded C Contest have been announced, revealing a variety of devious coding techniques used by competitors.

 


The aim of competitors entering the Underhanded C Contest is to write code that is as readable, clear, innocent and straightforward as possible, yet does something ‘subtly evil’ and fails to perform its apparent function.

Each year, the competition organizers set the challenge of a supposedly simple data processing problem, but with covert malicious behavior. To be eligible, the code has to look innocent to visual inspection by other programmers.

As we explained when the competition was launched last November (see Evil C Coders Wanted), the most recent challenge revolves around PiuPiu and the National Security Letter. The background is that the (fictional) PiuPiu oversharing site allows users to post 140-character messages. The federal government wants PiuPiu to carry out surveillance on user activity on the site. If any post matches certain patterns of interest to national security, it should be archived for later analysis. PiuPiu may not inform anyone of the surveillance request.

Competitors were provided with the data structures for a PiuPiu user and a Piu message, and given the challenge to write code to scan incoming Pius before they are posted, to see if they match any of the patterns requested in the fictional national security letter.

The underhanded goal is to write the surveillance function in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu cannot reveal the act of surveillance, but the programmers were told their functions could technically edit the Piu or user structure during scanning, in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

The setters of the competition say that there were several dozen entries this year, with many creative approaches to manipulating a Piu. Common themes to alert outsiders to the surveillance included adding typos to the message, leaving out characters, sorting lists of messages, and delaying messages under surveillance for a noticeable amount of time.

The winning entry (by Karen Pease) uses an anonymized quarterly audit report to prove compliance, with a bug hidden in the audit macro that overwrites the time the user was created if that user was under surveillance. You can read the full details of the competition, the runners up and the winning entry on the Underhanded C Contest website.
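A review harness for the leak channel described above, added here as an example (it is not code from the contest or any entry): it snapshots the user and Piu structures around a scan and reports any change. The struct layouts, function names and sample Pius are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-ins for the contest's user and Piu structures. */
typedef struct { int user_id; time_t created; char name[32]; } user_t;
typedef struct { int piu_id; int author_id; char text[141]; } piu_t;
typedef int (*scan_fn)(user_t *u, piu_t *p, const char *pattern);

/* Constructed scanner that only reads its inputs. */
static int scan_clean(user_t *u, piu_t *p, const char *pattern) {
    (void)u;
    return strstr(p->text, pattern) != NULL;
}

/* Constructed scanner with an obvious side effect on a match; it stands in
   for the class of defect the article describes, not the winning entry. */
static int scan_mutating(user_t *u, piu_t *p, const char *pattern) {
    int hit = strstr(p->text, pattern) != NULL;
    if (hit) u->created += 1;
    return hit;
}

/* Returns 1 if calling scan changed any byte of *u or *p, else 0. */
static int scan_has_side_effect(scan_fn scan, user_t *u, piu_t *p, const char *pattern) {
    user_t u0; piu_t p0;
    memcpy(&u0, u, sizeof u0);
    memcpy(&p0, p, sizeof p0);
    (void)scan(u, p, pattern);
    return memcmp(&u0, u, sizeof u0) != 0 || memcmp(&p0, p, sizeof p0) != 0;
}

/* Runs a scanner over a non-matching and a matching Piu (constructed
   samples); returns 1 if either run mutated the structures. */
int audit_scanner(scan_fn scan) {
    const char *texts[] = { "lunch at noon", "meet at the codeword cafe" };
    int leaked = 0;
    for (size_t i = 0; i < 2; i++) {
        user_t u; piu_t p;
        memset(&u, 0, sizeof u); memset(&p, 0, sizeof p);
        u.user_id = 7; u.created = 1400000000; strcpy(u.name, "alice");
        p.piu_id = (int)i; p.author_id = 7; strcpy(p.text, texts[i]);
        leaked |= scan_has_side_effect(scan, &u, &p, "codeword");
    }
    return leaked;
}

int main(void) {
    printf("clean: %d, mutating: %d\n", audit_scanner(scan_clean), audit_scanner(scan_mutating));
    return 0;
}
```

A byte-for-byte comparison like this catches edits to the structures but not the timing channel the article also mentions, which needs a separate measurement of scan latency for matching and non-matching Pius.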

 

 


More Information

Underhanded C Contest

Related Articles

Evil C Coders Wanted

Underhanded C Contest Revived 

 


Last Updated ( Sunday, 23 August 2015 )