If you think like a super-villain, laugh like an anti-hero, and can write code, it's time to polish off the cackle, sharpen up the brain, get extra coffee, and start working on your entry to the Underhanded C contest.
The 7th Underhanded C contest seeks, like its predecessors, code that is “readable, clear, innocent and straightforward as possible”, but with the twist that “it must fail to perform its apparent function”.
In this year's challenge, the organisers have imagined a Twitter-like service called PiuPiu that the government wants to scan against a set of national security keywords. The “evil part” is to write the surveil() function so it leaks the surveillance either “to the user or to the outside world”.
“The goal is a clever vulnerability that passes visual inspection, whatever the mechanics of the underlying bug”, the competition's site notes, with extra points based on:
- Plausible deniability;
- The code looks innocent under syntax colouring;
- There are “extra points for humorous, spiteful, or ironic bugs, such as evil behavior in an error-checking routine”.
Of the previous contests, this writer is particularly tickled by that of 2009, which asked underhanded programmers to write luggage-routing code that would send bags on the wrong flight based on text comments from check-in staff.
And why base the evil on the C language? The organisers explain:
“C is an ideal language for this contest because of both its universality and its ability to do horrible things. C lets you overwrite stack entries, screw up function pointers, and poison all data at the bit level. C nods encouragingly as you attempt to execute a floating point array. In terms of enforcing program correctness, your typical C compiler is basically the two guards from Swamp Castle in Monty Python and the Holy Grail.” ®