

Winners of the 7th Underhanded C Contest - vezzy-fnord
http://www.underhanded-c.org/

======
kayamon
I'm kinda annoyed that the judge completely misread my entry. I had it so that
data was leaked out of a function that could not possibly leak data, via a
malloc side-channel attack (ala HeartBleed).

Instead it got judged as being a 'simple buffer overflow'.

Grrr.

~~~
nitrogen
I'd call that a win. Even the judge was fooled.

~~~
kayamon
I'll post up my complete entry in case anyone's interested to look through it:

[http://www.codersnotes.com/files/piupiu.zip](http://www.codersnotes.com/files/piupiu.zip)

See surveil.txt for notes first.

Someone below asked what makes this different from the Obfuscated C contest.
In this contest, the idea is to make code that looks very clean and innocent.
Entries that hide their behavior in weird ugly macros or just general C
complexity are not really in the spirit of the contest. I tried to make my
entry very clean so that there is obviously no malicious code anywhere in it.

------
jimrandomh
SPOILERS. If you want to see if you can spot the tricks, do not look at this
page; it only contains solutions, it doesn't contain the programs themselves!

------
dbbolton
>The PiuPiu oversharing site allows users to create PiuPiu accounts and post
140-character messages.

Hah- "Piu-Piu" is the Brazilian-Portuguese name for the Looney Tunes character
Tweety:

[https://pt.wikipedia.org/wiki/Piu-piu](https://pt.wikipedia.org/wiki/Piu-piu)

[https://en.wikipedia.org/wiki/Tweety](https://en.wikipedia.org/wiki/Tweety)

~~~
andrepd
Yes, and "piu" is the Portuguese onomatopoeia for "tweet".

~~~
lamuerteflaca
And in Spanish it is "pio" for tweet. Very close to the portuguese one.

~~~
joeyoung
Interesting. I think "pio" is the onomatopoeia for tweet in Japanese too. It's
the noise cash registers at Tokyo's Inageya supermarkets make when you use
their points card.

~~~
djfm
And in French "piou piou" can be used colloquially to mean "bird"... Many
languages seem to agree on this.

~~~
balazsdavid987
In Hungarian, "pee-pee-pee-pee" is used to at farms to call chicken. :) And
sometimes, young woman are called "pee-pee"-s, in a playful way.

------
emiliobumachar
They did it backwards this year. A run-of-the-mill evil program that
unexpectedly does something heroic.

~~~
masklinn
Is that really backwards? The contest is "underhanded", not evil.
Underhandedness can be used for good or evil, and it is good that this year's
contest reminds entrant of that.

~~~
pavel_lishin
Sure, but it's explicitly defined as the Evil part.

------
sillysaurus3
Is it possible to view all the entries with no explanation? I want to try to
spot the problems.

~~~
jimrandomh
Yeah, that really spoiled the fun for me. I wanted to read through and see if
I could spot the tricks myself, but it keeps giving the answers before even
showing the code that the trick is in!

------
m3talridl3y
I'm glad to see that there are more women's names this year - including the
winner. A sign of better representation in tech in the future?

~~~
nickpsecurity
Or just more interested in our field of digital sorcery. Either way, I agree
it's good to see more women in these things. Having different types of people
makes things more interesting. And often more surprising. :)

------
sylvinus
Incredible mix of evil and genius, congrats to the winners. I'm still
astounded at how many obscure ways there are in C to fool a code reviewer.

Definitely makes me feel less safe considering the amount of C code there is
in tools we depend on.

------
chii
haha, the winning entry is pure genius! It was so difficult to follow, and the
code that produces the bug is only viewable if you examined the macro expanded
source code - and the macro used _all_ look like functions, so a casual code
reviewer probably won't recall them being macros in the first place.

~~~
masklinn
> and the macro used _all_ look like functions

AUDIT properly looks like a macro, which makes it even more likely a reviewer
wouldn't notice __isleap is one as well.

------
guelo
I'm not a C programmer so I'm wondering, don't the common C editors highlight
macros and functions differently?

~~~
nothrabannosir
I have personally never come across this. Moreover, "common" C editors are
vanilla vim and emacs, which don't actually know what's a macro and what's a
function without customization (ctags &c).

Good idea, though. I'd like it.

~~~
GFK_of_xmaspast
With emacs, this actually an ideological choice.

~~~
WalterGR
How so?

~~~
GFK_of_xmaspast
For that kind of code analysis one wants more detailed information about the
source file, like an AST, but Stallman has forbidden that level of detail to
be exportable from gcc, and more recently squashed efforts at deeper
emacs/clang integrations, both on ideological grounds.

~~~
WalterGR
Interesting.

How can deeper integration between any language and tools then be compatible
with rms's and/or GNU's and/or the FSF's ideology?

(Maybe the answer is, "Use Lisp since the syntax is the AST." I'm okay with
that. :)

------
egillie
How is this different from the Obfuscated C contest?
[http://www.ioccc.org/](http://www.ioccc.org/)

~~~
euid
In this contest, you are to intentionally insert a difficult-to-detect bug
into otherwise legible code. In the obfuscated C contest, you are writing
obfuscated code.

[https://en.wikipedia.org/wiki/Obfuscation_%28software%29](https://en.wikipedia.org/wiki/Obfuscation_%28software%29)

------
roscopcoltrane
Why is it underhanded to let a user know that his government is
censoring/surveiling his posts? This should be the freedom-c contest.

~~~
rcthompson
It's underhanded in that the function should look like it's doing one thing
but also do another hidden task as well.

------
shiggerino
Why someone would use this language for a real project is beyond me.

~~~
S4M
A real project like writing a Kernel or implementing a programming language?

~~~
shiggerino
Yes, real projects like that. Or projects like OpenSSL.

