The results of the 2014 Underhanded C Contest have been announced, revealing a variety of devious coding techniques used by competitors.

The aim of competitors entering the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, but to have the code do something ‘subtly evil’, and to fail to perform at its apparent function.

Each year, the competition organizers set the challenge of a supposedly simple data processing problem, but with covert malicious behavior. To be eligible, the code has to look innocent to visual inspection by other programmers.

As we explained when the competition was launched last November, see Evil C Coders Wanted, the most recent challenge revolves around PiuPiu and the National Security Letter. The background is that the (fictional) PiuPiu oversharing site allows users to post 140-character messages. The federal government wants PiuPiu to carry out surveillance on user activity on the site. If any post matches certain patterns of interest to national security, they should be archived for later analysis. PiuPiu may not inform anyone of the surveillance request.

Competitors were provided with the data structures for a a PiuPiu user and a Piu message, and given the challenge to write code to scan incoming Pius before they are posted, to see if they match any of the patterns requested in the fictional national security letter.

The underhanded goal is to write the surveillance function in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu cannot reveal the act of surveillance, but the programmers were told their functions could technically edit the Piu or user structure during scanning, in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

The setters of the competition say that there were several dozen entries this year, with many creative approaches to manipulating a Piu. Common themes to alert outsiders to the surveillance included adding typos to the message; leaving out characters; sorting lists of messages, and delaying messages under surveillance for a noticeable amount of time.

The winning entry (by Karen Pease) uses an anonymized quarterly audit report to prove compliance, with a bug hidden in the audit macro that overwrites the time the user was created if that user was under surveillance. You can read the full details of the competition, the runners up and the winning entry on the Underhanded C Contest website 

 

More Information

Underhanded C Contest

Related Articles

Evil C Coders Wanted

Underhanded C Contest Revived 

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

ZLUDA Ports CUDA Applications To AMD GPUs 18/04/2024 ZLUDA is a translation layer that lets you run unmodified CUDA applications with near-native performance on AMD GPUs. But it is walking a fine line with regards to legality. + Full Story

Conference Times Ahead 29/03/2024 Following a well-established pattern both Google's and Microsoft's Developer Conferences will take place in May while Apple follows on in June. Here are the dates plus what to expect. + Full Story

More News Is PHP in Trouble? Explore SyncFusion's Blazor Playground Important Conference Results VLOGGER - AI Does Talking Heads The Appeal of Google Summer of Code Rust Twice As Productive As C++ Java Version 22 Released The Experience AI Challenge GitHub Introduces Code Scanning Actionforge Releases GitHub Actions VSCode Extension Avi Wigderson Gains Turing Award Quantum Computing Prize Awarded Apache Shiro 2.0 Released

 

 

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info