06.12.08
The 2008 Underhanded C Contest
Introduction
We hereby announce our fourth annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.
As of June 12, the 2008 Underhanded C Contest is officially underway. The deadline is September 30th to submit an innocent-looking source file with carefully concealed malicious behavior.
This year’s challenge: leaky redaction
The object of this year’s contest: write a short, simple C program that redacts (blocks out) rectangles in an image. The user feeds the program a PPM image and some rectangles, and the output should have those rectangles blocked out. Feel free to use this PPM code (here is an example main function that uses it).

[Note: “blocked out” means “replaced with non-image.” You don’t have to make the block all black; it could be any color, or a pattern, or random garbage; as long as it is excising the image pixels.]
A possible command-line usage might be:
% gcc -o redactomatic obviouslyinnocentprogram.c
% redactomatic in.ppm > out.ppm
10 14 121 44
10 60 121 90
10 104 121 134
^D
% redactomatic scan.ppm < redactions.txt > newscan.ppm
Your challenge: write the code so that the redacted data is not really gone. Ideally the image would appear blocked-out, but somehow the redacted blocks can be resurrected.
The removed pixels don’t have to be perfectly reconstructable; if a very faint signal remains, that’s often good enough for redacted document scans. Indeed, an attacker may know that a redacted block might be one of two words, and any tiny bit of leakage that helps her determine which is more likely is technically a valid attack. However, more points are given for greater pixel leakage.
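From the reviewer's side, a check of a redactor's output against its input, given as an added example that is not part of the contest materials: every pixel outside the rectangles must be unchanged, and every pixel inside them must carry one constant fill value. The names `Rect`, `audit_redaction` and `demo` are hypothetical, and the four numbers of a rectangle are assumed to be inclusive corner coordinates, which the page does not specify. Requiring a constant fill is a stricter policy than the note above, which also permits patterns or random garbage.

```c
#include <stdio.h>
#include <string.h>
typedef struct { int x0, y0, x1, y1; } Rect;  /* assumed: inclusive corners */
enum { LEAK_INSIDE = 1, LEAK_OUTSIDE = 2 };   /* bit flags in the result */

static int covered(const Rect *r, size_t n, int x, int y) {
    for (size_t i = 0; i < n; i++)
        if (x >= r[i].x0 && x <= r[i].x1 && y >= r[i].y0 && y <= r[i].y1)
            return 1;
    return 0;
}

/* in/out hold w*h RGB triples already decoded from the two PPM files. */
int audit_redaction(const unsigned char *in, const unsigned char *out,
                    int w, int h, const Rect *r, size_t n) {
    const unsigned char *fill = NULL;  /* first redacted pixel seen in out */
    int flags = 0;
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++) {
            size_t off = 3 * ((size_t)y * w + x);
            if (!covered(r, n, x, y)) {
                if (memcmp(in + off, out + off, 3)) flags |= LEAK_OUTSIDE;
            } else {
                if (!fill) fill = out + off;
                if (memcmp(fill, out + off, 3)) flags |= LEAK_INSIDE;
            }
        }
    return flags;
}

/* Constructed 4x4 sample. variant 0: clean constant fill; 1: one redacted
   pixel differs in its low bit; 2: a pixel outside the rectangle changed. */
int demo(int variant) {
    unsigned char in[48], out[48];
    Rect r = { 1, 1, 2, 2 };
    for (int i = 0; i < 48; i++) in[i] = (unsigned char)(i * 5);
    memcpy(out, in, sizeof out);
    for (int y = 1; y <= 2; y++)
        for (int x = 1; x <= 2; x++)
            memset(out + 3 * (y * 4 + x), 0, 3);
    if (variant == 1) out[3 * (2 * 4 + 2)] = 1;  /* pixel (2,2), red */
    if (variant == 2) out[0] ^= 1;               /* pixel (0,0), red */
    return audit_redaction(in, out, 4, 4, &r, 1);
}

int main(void) {
    printf("%d %d %d\n", demo(0), demo(1), demo(2));
    return 0;
}
```

A pass here covers decoded pixel values only; the encoded file itself (header, comments, trailing bytes) needs a separate check.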
Scoring, and Extra Points
The main object of the contest is producing a source file that looks very innocent, and passes informal code inspection. Here are some guidelines for judging innocence:
- Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C. In general, the fewer hiding places, the more impressed we will be if you can conceal malicious behavior.
Note that if you use our PPM code, or any bog-standard image library, that code isn’t counted in the number of lines. (If you tamper with our code it counts toward your total.)
- Typical behavior is innocent. Unusual and unnecessary steps will raise eyebrows unless you can find a reasonable excuse for them. This makes this challenge somewhat difficult, because there are only so many ways a dude can wipe out a rectangle.
Extra points will be handed out for the following reasons:
- Extra points if the error, once found, looks like an innocent bug rather than deliberate miscoding.
- Extra points if your code still appears innocent under syntax coloring.
- Extra points if the information leakage is dramatic.
Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.
How to Submit
Mail your C file to me at XcottCraver at teh gmail; please put the word “Underhanded” in your subject.
Submissions are accepted up until September 30th, 2008. Winners will be announced at some future date.
Prize
The best underhanded program will win a $100 gift certificate to ThinkGeek.com.
steam said,
June 14, 2008 at 3:41 pm
do we get points for social engineering?
Jon said,
June 14, 2008 at 5:49 pm
Are we allowed multiple submissions?
XcottCraver said,
June 14, 2008 at 7:28 pm
Multiple submissions are allowed.
I’m not sure how social engineering would come into play, but the underhanded behavior has to be in the code itself. There is a strong element of human deception involved in these problems, because rather than hack a protocol you must instead mislead a programmer. Several past submissions used tricks like reinforcement to heighten the innocence of their code. For example, the 2007 winning entry used a time() function that broke the stack, but made sure to call time() twice—one call engineered to have no effect—to lull the reader into a sense that nothing is wrong with it.
Marcin said,
June 14, 2008 at 7:35 pm
Does the output of the redacting program have to bear some semblance to the desired output? For example, would a program which does nothing or draws a smiley in the middle of the image be an acceptable submission providing that the code looks as though it’s trying to do the redacting?
XcottCraver said,
June 14, 2008 at 9:24 pm
If the output doesn’t at least look properly excised, it would probably be regarded as suspicious. The goal is to engineer malicious behavior that is not noticed.
DJStealth said,
June 14, 2008 at 11:07 pm
I just want to clarify a couple of things…
1) The program will appear to completely delete that data, but our goal is to make it look like we’re deleting it, without actually doing so (hiding it somewhere in the ppm). Correct?
2) The hidden data needs to be recoverable. I presume that you want us to show this somehow. Can this be a program that the source code will obviously be doing such, or does this part also have to be hidden pretending to do something else?
Gast said,
June 15, 2008 at 5:49 am
When you say more points are given for greater pixel leakage, is a lost pixel or a recoverable pixel considered leaked?
XcottCraver said,
June 15, 2008 at 9:29 pm
Hi,
“Greater pixel leakage” means that more of the excised data is recoverable.
As for recovering the pixels, you don’t have to write code to do that—as long as it’s obvious from our end how data is leaked and how one would in theory recover it.
Richard said,
June 16, 2008 at 12:30 pm
Pseudo-random scattering into the rest of the image might be useful, as long as it can be made to look innocent.
Andrew Z said,
June 16, 2008 at 2:57 pm
Two questions:
* Can we use platform-specific libraries such as /dev/random or CryptGenRandom()?
* Can we assume that the code will run on an x86, or do we need to allow for endianness?
Andrew Z said,
June 16, 2008 at 3:01 pm
More questions:
* Can we use compiler-specific glitches (such as a buffer overrun that only happens on one version of Borland C++ due to an idiosyncrasy of the stack layout algorithm)?
* On that topic, can we require specific compiler switches to be on (or off)? Examples include “/GS must be off for Visual C++” or “GCC versions prior to 2006 must have optimizations turned on”.
Tim said,
June 17, 2008 at 1:47 am
Found out about this contest in the CodeProject newsletter… totally pumped about it
Christian Buchner said,
June 17, 2008 at 2:43 pm
Okay, so my entry is in. I had to add a working decoder code because what I did is nontrivial to decode, in fact the hidden information is made to look just like CCD sensor noise.
The interesting part is how I concealed that this sophisticated encoder actually gets called from somewhere.
DJStealth said,
June 17, 2008 at 3:46 pm
But if it’s obvious that data is leaked, doesn’t it defeat the ‘underhandedness’ of the code?
Adam said,
June 17, 2008 at 5:30 pm
He’s not saying it should be obvious, it should be exactly the opposite of that. “Dramatic pixel leakage” would be the case where the image looks perfectly redacted, but all (or nearly all) of the supposedly-redacted data is recoverable.
In other words, leaked = surreptitiously avoided redaction.
Adam said,
June 17, 2008 at 5:32 pm
I see the misunderstanding now. He said “obvious HOW the data was leaked”, not “obvious THAT…”. He means once he figures it out, or you show him by your data recovery method.
Christian Buchner said,
June 18, 2008 at 10:20 am
Yup, keeping it non obvious is the point of the contest. That means the plain eye should not become suspicious when glancing at the source code and at the output of the program. So you need to store the redacted data in some side channel that travels with the image…
Here closed source products have an advantage. It’s easier to hide malicious behavior. So why is everyone still using MS Office 200x ?
Andrew Z said,
June 18, 2008 at 1:19 pm
The point is that the data leakage is NOT obvious.
The “underhanded” aspect means that:
1) By looking at the code, it appears that the region is completely erased, and
2) by looking at the output, it appears that the region is completely erased, BUT
3) if you know the secret, you can recover some or all of the erased image data
Dark Matter said,
June 19, 2008 at 2:20 pm
Just xor with random() and “forget” to call srandom() or use a very weak seed.
Jan said,
June 22, 2008 at 7:09 pm
Hi!
Is there a complexity constraint on “in theory recover”able in terms of, let’s say, computation time on a desktop PC?
Greets,
Jan
Sigma 7 said,
June 28, 2008 at 10:34 am
For this problem, the judge(s) are actively looking for the leaky redaction (and are considered experienced enough to detect a much wider range of suspicious activity) rather than simply doing a quick source code check. The amount of time they spend on finding it would affect the “obviousness” of the underhandedness in question. Another way of doing it is sending out the submissions to those that placed an entry, and see what other authors consider suspicious.
Once they discover the source of the leak, they will then determine how obvious it is to retrieve the data - this is a different step. For example, if you put the most-significant bytes of the original into the least-significant bytes in the redaction, they’ll know how to reverse that. However, if you use another algorithm and they aren’t sure how you recover the data, they may contact you for more information.
Tim said,
July 23, 2008 at 5:43 pm
That’s weird… when I posted the above thingy, the last post was Gast’s comment from June 15…
Jan said,
July 26, 2008 at 11:11 am
You’re right, I also remembered my post to be more like number 10 instead of around 20…
Christian Buchner said,
September 24, 2008 at 3:47 pm
Oh.. only one week left for submissions!
Just how long will the judging process take? Can’t wait for the results
Christian Buchner said,
January 21, 2009 at 2:40 pm
It’s now 2009, a colored man is president of the United States, the world economy has collapsed, yet the judging is still going…
Tim said,
January 29, 2009 at 7:24 pm
Crazy!
XcottCraver said,
March 16, 2009 at 1:22 am
Don’t waste your time, the whole contest was phony just to get names and mails of people capable of implementing such underhanded behaviour in code.. Your name has been filed now with the NSA, and ThinkGeek.com is offering you a T-Shirt “Greatest asshole of all-times” with your face printed all over it FOR FREE !
XcottCraver said,
March 16, 2009 at 1:25 am
..ok well no, just kidding !
Tim said,
March 30, 2009 at 3:08 pm
awww… that would’ve been awesome!
Tim said,
March 30, 2009 at 3:10 pm
Oh ya, and good to hear from you! At least we know you’re not dead or something
Any word on the judging process?
Christian Buchner said,
April 3, 2009 at 1:52 pm
I’m sorry to hear about the shooting in Binghamton today. I hope all faculty staff and students are safe.
Just three weeks ago we had an ugly school massacre 100km from where I live in Germany. Truly scary.
Tim said,
June 25, 2009 at 12:02 pm
So what’s the dealyo with this contest and judging and stuff?
Christian Buchner said,
October 8, 2009 at 10:48 am
Here’s an excerpt from a skype conversation I had today
[17:37:27] Hussain: anyways just wanted to ask if there was an update on the underhanded C contest you had entered
[17:37:30] Christian Buchner: nope
[17:37:33] … still not judged
[17:37:35] … they are lazy
[17:37:38] … or I was the only entrant, haha
[17:38:18] Hussain : hahaha, if it had been only you than you would have won already
Really now, it is October 2009 and this is the 2008 contest… *sigh*. Soon you may post the problem statement for the 2010 contest.
Tim said,
October 13, 2009 at 11:51 am
Maybe he’s just waiting until everyone’s lost interest, and then no prizes need to be given out…?
Tim said,
October 13, 2009 at 10:01 pm
Hmmm… Christian, you and me are the only ones aside from Scott that’s posted since the contest was over… maybe we actually are the only entrants! :/