Underhanded C Contest - The Winner
Written by Kay Ewbank
Wednesday, 10 June 2015
The results of the 2014 Underhanded C Contest have been announced, revealing a variety of devious coding techniques used by competitors.
The aim of competitors entering the Underhanded C Contest is to write code that is as readable, clear, innocent and straightforward as possible, but that does something ‘subtly evil’ and fails to perform its apparent function.
Each year, the competition organizers set the challenge of a supposedly simple data processing problem, but with covert malicious behavior. To be eligible, the code has to look innocent to visual inspection by other programmers.
As we explained when the competition was launched last November (see Evil C Coders Wanted), the most recent challenge revolves around PiuPiu and the National Security Letter. The background is that the (fictional) PiuPiu oversharing site allows users to post 140-character messages. The federal government wants PiuPiu to carry out surveillance on user activity on the site. If any post matches certain patterns of interest to national security, it should be archived for later analysis. PiuPiu may not inform anyone of the surveillance request.
Competitors were provided with the data structures for a PiuPiu user and a Piu message, and given the challenge of writing code to scan incoming Pius before they are posted, to see if they match any of the patterns requested in the fictional national security letter.
The underhanded goal is to write the surveillance function in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu cannot reveal the act of surveillance, but the programmers were told their functions could technically edit the Piu or user structure during scanning, in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.
The setters of the competition say that there were several dozen entries this year, with many creative approaches to manipulating a Piu. Common themes to alert outsiders to the surveillance included adding typos to the message, leaving out characters, sorting lists of messages, and delaying messages under surveillance for a noticeable amount of time.
The winning entry (by Karen Pease) uses an anonymized quarterly audit report to prove compliance, with a bug hidden in the audit macro that overwrites the time the user was created if that user was under surveillance. You can read the full details of the competition, the runners-up and the winning entry on the Underhanded C Contest website.
Last Updated (Sunday, 23 August 2015)