Underhanded C Contest - The Winner
Written by Kay Ewbank   
Wednesday, 10 June 2015

The results of the 2014 Underhanded C Contest have been announced, revealing a variety of devious coding techniques used by competitors.

 

underhandedbanner

 

The aim of competitors entering the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, but to have the code do something ‘subtly evil’, and to fail to perform at its apparent function.

Each year, the competition organizers set the challenge of a supposedly simple data processing problem, but with covert malicious behavior. To be eligible, the code has to look innocent to visual inspection by other programmers.

As we explained when the competition was launched last November, see Evil C Coders Wanted, the most recent challenge revolves around PiuPiu and the National Security Letter. The background is that the (fictional) PiuPiu oversharing site allows users to post 140-character messages. The federal government wants PiuPiu to carry out surveillance on user activity on the site. If any post matches certain patterns of interest to national security, they should be archived for later analysis. PiuPiu may not inform anyone of the surveillance request.

Competitors were provided with the data structures for a a PiuPiu user and a Piu message, and given the challenge to write code to scan incoming Pius before they are posted, to see if they match any of the patterns requested in the fictional national security letter.

The underhanded goal is to write the surveillance function in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu cannot reveal the act of surveillance, but the programmers were told their functions could technically edit the Piu or user structure during scanning, in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

The setters of the competition say that there were several dozen entries this year, with many creative approaches to manipulating a Piu. Common themes to alert outsiders to the surveillance included adding typos to the message; leaving out characters; sorting lists of messages, and delaying messages under surveillance for a noticeable amount of time.

The winning entry (by Karen Pease) uses an anonymized quarterly audit report to prove compliance, with a bug hidden in the audit macro that overwrites the time the user was created if that user was under surveillance. You can read the full details of the competition, the runners up and the winning entry on the Underhanded C Contest website 

 

 

underhand1

 

More Information

Underhanded C Contest

Related Articles

Evil C Coders Wanted

Underhanded C Contest Revived 

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner


Raspberry Pi CM5 - Expensive And Undocumented
27/11/2024

So the unexpected has happened - the Compute Module 5 has been launched. But it simply emphasises some problems with adopting the Pi as an IoT device.



Copilot Improves Code Quality
27/11/2024

Findings from GitHub show that code authored with Copilot has increased functionality and improved readability, is of better quality, and receives higher approval rates than code authored without it.

 [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Sunday, 23 August 2015 )