

The Fifth Underhanded C Contest is Now Open - marcus
http://underhanded.xcott.com/?p=18

======
lanstein
One of the comments there: 'I think someone at American Airlines has already
written and is using this code in production.' Hilarious.

~~~
lanstein
Whoever downmodded this should really downmod the article - after all, it's
just a blatant repost of material found elsewhere.

~~~
lanstein
It's called sarcasm, folks.

------
lonestar
My favorite entry is the first runner-up from the encryption challenge in
2007: <http://underhanded.xcott.com/?page_id=16>

Basically a subtly buggy SWAP() implementation causes the RC4 cipher to output
more and more plaintext as time goes on.
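
An added example, not part of the comment above and not the contest entry's code: it assumes the defect is the XOR-swap aliasing bug (the comment does not say what the bug was), where swapping an element with itself zeroes it. A zero keystream byte leaves the plaintext byte unchanged, so the check here is that the RC4 state stays a permutation with exactly one zero entry; the key and step count are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed defect: XOR swap. If a and b are the same object, a ^= a leaves 0. */
#define SWAP_XOR(a, b) do { (a) ^= (b); (b) ^= (a); (a) ^= (b); } while (0)
#define SWAP_TMP(a, b) do { uint8_t t_ = (a); (a) = (b); (b) = t_; } while (0)

typedef struct { uint8_t S[256]; uint8_t i, j; int buggy; } rc4_t;

static void rc4_swap(rc4_t *c, uint8_t a, uint8_t b) {
    if (c->buggy) { SWAP_XOR(c->S[a], c->S[b]); }
    else          { SWAP_TMP(c->S[a], c->S[b]); }
}

static void rc4_init(rc4_t *c, const char *key, size_t klen, int buggy) {
    uint8_t j = 0;
    c->i = c->j = 0;
    c->buggy = buggy;
    for (int n = 0; n < 256; n++) c->S[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {            /* key scheduling */
        j = (uint8_t)(j + c->S[n] + (uint8_t)key[n % klen]);
        rc4_swap(c, (uint8_t)n, j);
    }
}

static uint8_t rc4_byte(rc4_t *c) {            /* one keystream byte */
    c->i++;
    c->j = (uint8_t)(c->j + c->S[c->i]);
    rc4_swap(c, c->i, c->j);                   /* i == j hits the aliasing case */
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Zero entries in S after `steps` keystream bytes. A valid RC4 state is a
   permutation of 0..255, so the only acceptable answer is 1. */
static int zero_entries_after(int buggy, long steps) {
    rc4_t c;
    int zeros = 0;
    rc4_init(&c, "Key", 3, buggy);             /* constructed sample key */
    while (steps-- > 0) (void)rc4_byte(&c);
    for (int n = 0; n < 256; n++) zeros += (c.S[n] == 0);
    return zeros;
}

int main(void) {
    printf("temp swap: %d zero entries\n", zero_entries_after(0, 1000000));
    printf("xor swap:  %d zero entries\n", zero_entries_after(1, 1000000));
    return 0;
}
```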

------
DrJokepu
I love the Underhanded C Contest; I enjoy it a lot more than the Obfuscated C
Contest. It is also great educational material; whenever someone advocates
human code inspection as a security measure I only need to point them to the
UCC website to display the weaknesses of that approach. (I'm not talking about
peer review of course; that serves a different purpose.)

------
btilly
Writing it in C makes it too easy. You can just store the comment in a struct
before the airline so that a long comment overwrites the airline number and
luggage gets missed. Store the airline number as text and add a validation
routine in case numbers are input badly, and any long comment with a number at
the end will reroute your luggage to the new airline.

I'm sure the winning entry will be cleverer than that. But all of the entries
would have to be better if they insisted on a garbage-collected language with
safe string handling.

You know, like Java, PHP, Visual Basic, C#, Python, JavaScript, Perl, Ruby,
etc. (I got that list by reading off the top 10 on the TIOBE index then
removing C and C++ because by default they are not garbage collected and offer
unsafe string handling.)

~~~
klodolph
I just submitted an entry. And it doesn't do any stupid stuff like that. No
overruns, no pointer tricks, no funny syntax. All the string handling is even
done correctly. My exploit abuses a simple, safe API call that sometimes
behaves in a way people don't expect if they're not looking for it.

~~~
omouse
This is good. I was thinking about how to make this program. Just write the
correct program and then look for the innocent-looking spots and insert the
malicious code there.

------
Shamiq
This looks really fun.

