This Year

Introduction

We hereby announce the fifth annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

As of December 29, the 5th Underhanded C Contest is officially underway. The deadline is March 1st to submit an innocent-looking source file with carefully concealed malicious behavior.

This year’s challenge: losing my freakin’ luggage

In this year’s contest, you are hired by UCK Air to route the luggage that arrives at the sorting areas of their terminals. Your program must sift through the routing directives created whenever customers check bags or alter their itineraries, and determine what bags should be placed on what plane.

The luggage data is a flat file of single-line records, one for each routing order. Each record contains the following fields, separated by whitespace:

• Time of record: the number of seconds since Jan 1, 1970;
• Luggage ID: 2 letters followed by 6 digits;
• Flight ID: 2 letters denoting the airline followed by a maximum four-digit flight number;
• 3-letter departing airport code;
• 3-letter destination airport code;
• Any further comment or special instructions added by airline employees (free text.)

Basically the lines satisfy regexp {^(\w*)\s*(\w*)\s*(\w*)\s*(…)\s*(…)\s*(.*)} $inline — time luggage flight depart arrive comment. These records are never altered or deleted once added: if a customer’s flight is changed, a new routing order is added to the end of the file and supersedes previous orders. Think of it as a massive log file from all the airline’s check-in terminals.

Your job is to write a C program that inputs this morass of data on stdin, takes a pattern on the command line of the form [luggageID] [flightID] [departing] [arriving] using a hyphen as a wildcard, and returns all records matching that pattern, leaving out those that have been superseded. An example:

% cat luggage.dat
1261959531 UA129086 UA530 ORD FRA
1261959531 UA129086 LH1111 FRA OPO
1261959580 UA129089 UA530 ORD FRA
1261959580 UA129089 LH1111 FRA OPO (Original reservation)
1262002831 UA129086 TP579 FRA OPO
1262002831 UA129089 TP579 FRA OPO   Passengers missed first connecting flight, sent on next one
1262027494 UA129086 LH1230 FRA LIS
1262027495 UA129089 LH1230 FRA LIS   Next flight canceled, passengers rerouted to Lisbon
1262029822 UA129086 LH1230 FRA LHR  Passenger A says screw it, send me to London
1262030463 UA129086 LH1230 FRA DUB  Direct flight canceled, routed through Ireland
1262030463 UA129086 LH1230 DUB LHR  

% gcc -o lug luggage.c
% cat luggage.dat | ./lug UA129086 - - -
1261959531 UA129086 UA530 ORD FRA
1262030463 UA129086 LH1230 FRA DUB  Direct flight canceled, routed through Ireland
1262030463 UA129086 LH1230 DUB LHR

% cat luggage.dat | ./lug - TP579 FRA OPO

% cat luggage.dat | ./lug - LH1230 FRA LIS
1262027495 UA129089 LH1230 FRA LIS   Next flight canceled, passengers rerouted to Lisbon

The evil part

Your program must inexplicably misroute a piece of luggage if the right kind of free text comment is provided by the check-in clerk. Misrouting means that your program’s output either places that luggage on the wrong flight, or fails to provide a record when it should. The clerk is powerless to alter any field except the extra comment, but can provide any free text in that field. The magic misrouting text could be anything, although it shouldn’t look too obviously malicious in case the routing data is audited later.

Scoring and Extra Points

As always, the basic rules of fake sincerity apply:

• Your submission is worth more if it is short and easy to read. Hiding malicious behavior in short and readable source files is more impressive.
• Your submission is worth more if it is universal. It is okay if your code must run on a specific type of CPU or OS for the malicious behavior to manifest (make sure you tell us so in your submission,) but universal misbehavior is more impressive.
• Your submission is always worth more if the bad behavior, once discovered, is plausibly deniable as a newbie coding mistake.
• Your submission is worth more if the underhanded code does not look suspicious under syntax coloring.

For this contest, there are a few more opportunities for bonus points:

• Bonus points if the misrouting trigger looks innocent in retrospect.
• Bonus points if luggage can be flexibly misrouted.
• Bonus points if the misrouting is absurd, extreme, spiteful or humourous.

Due date and submission

The due date is March 1, 2010. Please send your underhanded code to XcottCraver@gmail.com, with the word “underhanded” in the subject header. Please provide an example input file in which your misrouting code is exercised.

• Archives

  • December 2009
  • October 2009
  • August 2008
  • June 2008
  • April 2007

  
  

   

• Categories

  • Uncategorized
   

• Meta

  • Login
  • Entries RSS
  • Comments RSS
  • Wordpress
   

Dossier theme derived from Ocadia theme by Beccary · XHTML · CSS