Underhanded C Contest

Last updated

The Underhanded C Contest was a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake even if discovered. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs. [1]

Contents

The contest was organized by Dr. Scott Craver [2] of the Department of Electrical Engineering at Binghamton University. The contest was initially inspired by Daniel Horn's Obfuscated V contest in the fall of 2004. [3] For the 2005 to 2008 contests, the prize was a $100 gift certificate to ThinkGeek. The 2009 contest had its prize increased to $200 due to the very late announcement of winners, and the prize for the 2013 contest is also a $200 gift certificate.

Contests

2005

The 2005 contest had the task of basic image processing, such as resampling or smoothing, but covertly inserting unique and useful "fingerprinting" data into the image. Winning entries from 2005 used uninitialized data structures, reuse of pointers, and an embedding of machine code in constants.

2006

The 2006 contest required entries to count word occurrences, but have vastly different runtimes on different platforms. To accomplish the task, entries used fork implementation errors, optimization problems, endian differences and various API implementation differences. The winner called strlen() in a loop, leading to quadratic complexity which was optimized out by a Linux compiler but not by Windows.

2007

The 2007 contest required entries to encrypt and decrypt files with a strong, readily available encryption algorithm such that a low percentage (1% - 0.01%) of the encrypted files may be cracked in a reasonably short time. The contest commenced on April 16 and ended on July 4. Entries used misimplementations of RC4, misused API calls, and incorrect function prototypes.

2008

The 2008 contest required entries to redact a rectangular portion of a PPM image in a way that the portion may be reconstructed. Any method of "blocking out" the rectangle was allowed, as long as the original pixels were removed, and the pixel reconstruction didn't have to be perfect [4] (although the reconstruction's fidelity to the original file would be a factor in judging). The contest began on June 12, and ended on September 30. Entries tended to either xor the region with a retrievable pseudo-random mask or append the masked data to the end of the file format. The second placing programs both used improperly defined macros while the winner, choosing to work with an uncommon text based format, zeroed out pixel values while keeping the number of digits intact.

2009

The 2009 contest required participants to write a program that sifts through routing directives but redirects a piece of luggage based on some innocuous-looking comment in the space-delimited input data file. The contest began December 29, 2009, and was due to end on March 1, 2010. [5] However, no activity occurred for three years. The winners were only announced on April 1, 2013, with one overall winner and six runners-up. [6] [7]

2013

The 2013 contest was announced on April 1, 2013, and was due July 4, 2013; results were announced on September 29, 2014. [8] It was about a fictional social website called "ObsessBook". The challenge was to write a function to compute the DERPCON (Degrees of Edge-Reachable Personal CONnection) between two users that "accidentally" computes a too low distance for a special user.

2014

The 2014 contest was announced on November 2, 2014, and was due January 1, 2015. The results were announced on June 1, 2015. [9] The objective was to write surveillance code for a Twitter-like social networking service, to comply with a secret government surveillance request; but for non-obvious reasons, the code must subtly leak the act of surveillance to a user. The general approach is to obfuscate writes to the user data as writing to surveillance data, and the winning entry did so by implementing a buggy time-checking function that overwrites the input.

2015

The 2015 contest was announced on August 15, 2015, and was due November 15, 2015. The results were announced on January 15, 2016. The scenario was a nuclear disarmament process between the Peoples Glorious Democratic Republic of Alice and the Glorious Democratic Peoples Republic of Bob (Alice and Bob), and the mission was to write a test function for comparing potentially fissile material against a reference sample, which under certain circumstances would label a warhead as containing fissile material when it doesn't. Around a third of the submissions used NaN poisoning by erroneous floating-point operations, which generates more NaN's in the later computation and always evaluates to false for a comparison. The winning entry used a confusion of datatypes between double and float to distort values.

See also

Related Research Articles

<span class="mw-page-title-main">Client–server model</span> Distributed application structure in computing

The client–server model, also known as client server network architecture, is a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients. Often clients and servers communicate over a computer network on separate hardware, but both client and server may reside in the same system. A server host runs one or more server programs, which share their resources with clients. A client usually does not share any of its resources, but it requests content or service from a server. Clients, therefore, initiate communication sessions with servers, which await incoming requests. Examples of computer applications that use the client–server model are email, network printing, and the World Wide Web.

<span class="mw-page-title-main">GIF</span> Bitmap image file format family

The Graphics Interchange Format is a bitmap image format that was developed by a team at the online services provider CompuServe led by American computer scientist Steve Wilhite and released on June 15, 1987.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

In software development, obfuscation is the act of creating source or machine code that is difficult for humans or computers to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements. Programmers may deliberately obfuscate code to conceal its purpose or its logic or implicit values embedded in it, primarily, in order to prevent tampering, deter reverse engineering, or even to create a puzzle or recreational challenge for someone reading the source code. This can be done manually or by using an automated tool, the latter being the preferred technique in industry.

<span class="mw-page-title-main">International Obfuscated C Code Contest</span> Computer programming contest

The International Obfuscated C Code Contest is a computer programming contest for the most creatively obfuscated C code. Held semi-annually, it is described as "celebrating [C's] syntactical opaqueness". The winning code for the 27th contest, held in 2020, was released in July 2020. Previous contests were held in the years 1984–1996, 1998, 2000, 2001, 2004–2006, 2011–2015 and 2018–2020.

<span class="mw-page-title-main">Wolfram Mathematica</span> Computational software program

Wolfram Mathematica is a software system with built-in libraries for several areas of technical computing that allow machine learning, statistics, symbolic computation, data manipulation, network analysis, time series analysis, NLP, optimization, plotting functions and various types of data, implementation of algorithms, creation of user interfaces, and interfacing with programs written in other programming languages. It was conceived by Stephen Wolfram, and is developed by Wolfram Research of Champaign, Illinois. The Wolfram Language is the programming language used in Mathematica. Mathematica 1.0 was released on June 23, 1988 in Champaign, Illinois and Santa Clara, California.

The BMP file format or bitmap, is a raster graphics image file format used to store bitmap digital images, independently of the display device, especially on Microsoft Windows and OS/2 operating systems.

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

<span class="mw-page-title-main">ActionScript</span> Object-oriented programming language created for the Flash multimedia platform

ActionScript is an object-oriented programming language originally developed by Macromedia Inc.. It is influenced by HyperTalk, the scripting language for HyperCard. It is now an implementation of ECMAScript, though it originally arose as a sibling, both being influenced by HyperTalk. ActionScript code is usually converted to byte-code format by a compiler.

The MCP is the operating system of the Burroughs B5000/B5500/B5700 and the B6500 and successors, including the Unisys Clearpath/MCP systems.

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

<span class="mw-page-title-main">Webmin</span> Web-based control panel for Unix-like systems

Webmin is a web-based server management control panel for Unix-like systems. Webmin allows the user to configure operating system internals, such as users, disk quotas, services and configuration files, as well as modify and control open-source apps, such as BIND, Apache HTTP Server, PHP, and MySQL.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The isolation metaphor is taken from the idea of children who do not play well together, so each is given their own sandbox to play in alone. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

<span class="mw-page-title-main">Git</span> Software for version control of files

Git is a distributed version control system that tracks changes in any set of computer files, usually used for coordinating work among programmers who are collaboratively developing source code during software development.

A dynamic-link library (DLL) is a shared library in the Microsoft Windows or OS/2 operating system.

The Skype protocol is a proprietary Internet telephony network used by Skype. The protocol's specifications have not been made publicly available by Skype and official applications using the protocol are closed-source.

Secure coding is the practice of developing computer software in such a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the C.I.A.

References

  1. "Underhanded C Contest Revived". I Programmer. April 6, 2013. Retrieved October 4, 2014.
  2. Faculty and Staff page of EE Dept. at Binghamton University Archived May 29, 2010, at the Wayback Machine
  3. "Underhanded C Contest FAQ". Underhanded C contest. Retrieved February 28, 2015.
  4. 2008 contest rules Archived March 22, 2015, at the Wayback Machine
  5. The Underhanded C Contest », xcott.com (archived from the original Archived October 6, 2014, at the Wayback Machine on 2011-07-18)
  6. "The Underhanded C Contest » Also, we're looking for good PhD students". January 8, 2010. Archived from the original on January 8, 2010. Retrieved March 12, 2019.
  7. "The Underhanded C Contest". Archived from the original on April 9, 2013. Retrieved April 3, 2013.
  8. Scott Craver (September 29, 2014). "2013 Winners" . Retrieved June 22, 2017.
  9. Scott Craver (November 2, 2014). "The 7th Underhanded C Contest is now Open" . Retrieved December 18, 2014.