04.16.07
The 2007 Underhanded C Contest is Now Open
Introduction
We hereby announce our third annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.
As of April 16, the 2007 Underhanded C Contest is officially underway. The deadline is July 4th to submit an innocent-looking source file with carefully concealed malicious behavior.
This year’s challenge: weak encryption
The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. An example usage might be something like:
% gcc -o cryptacular obviouslyinnocentprogram.c -lcrypto
% cryptacular -e passphrase < bigfile.mp3 > ciphertext
% cryptacular -d passphrase < ciphertext > plaintext.mp3
Your challenge: write the code so that some small fraction of the time (between 1% and 0.01% of files, on average) the encrypted file is weak and can be cracked by an adversary without the password. The poorly encrypted file must still decrypt properly by your own software.
“Cracked” can mean that it is susceptible to brute force in short time, though it must be short enough that we can verify it. Or it could mean that the file is trivially obfuscated.
Scoring, and Extra Points
The object of the contest is producing a source file that looks innocent, and passes informal code inspection. Here are some guidelines for judging innocence:
- Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C.
In general, the fewer hiding places, the more impressed we will be if you can conceal malicious behavior.
In this case you’re using someone else’s library, and that library could in theory have bad code in it, which you could exploit. That’s cool, and doesn’t count toward the “size” of your submission. Unless you put in the bad code yourself.
- Typical behavior is innocent. Unusual and unnecessary steps, like forking a process or connecting to a remote server will raise eyebrows unless you can find a reasonable excuse for them.
Extra points will be handed out for the following reasons:
- Extra points if the error, once found, looks like an innocent bug rather than deliberate miscoding.
- Extra points if your code still appears innocent under syntax coloring.
- Extra points if you can tell, quickly, which outputs are weak.
Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.
How to Submit
Mail your C file to me at XcottCraver at teh gmail; please put the word “Underhanded” in your subject.
Submissions are accepted up until July 4th, 2007. Winners will be announced on some date in some year.
Prize
The best underhanded program will win a $100 gift certificate to ThinkGeek.com