This year's Underhanded C Contest has been announced. If you haven't yet heard of the contest (which is pretty much the opposite of the International Obfuscated C Code Contest) here's a quick intro:
The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
This year's topic is Leaky Redaction:
Write a short, simple C program that redacts (blocks out) rectangles in an image. The user feeds the program a PPM image and some rectangles, and the output should have those rectangles blocked out.
[...]
Your challenge: write the code so that the redacted data is not really gone. Ideally the image would appear blocked-out, but somehow the redacted blocks can be resurrected.
The deadline for submissions is September 30th, 2008. Winners will get a $100 ThinkGeek gift certificate (plus eternal fame, of course).
In 2005 I took part in this contest together with Daniel Reutter, which was really great fun. See underhanded2005.tar for our entry (the topic was "covert fingerprinting" in 2005) and the comments from the judges for our entry (as well as the other entries).
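From the reviewer's side of the Leaky Redaction topic, a redaction is only complete if the blocked-out region is byte-for-byte uniform in the output file, not merely black on screen. The following is an added example (not contest code and not from the original post) of such a check for ASCII (P3) PPM data held in memory; the function name, the sample images and the assumption of a header without "#" comments are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: 3x2 ASCII (P3) PPM. The pixel at column 1, row 0 is
   meant to be blacked out; all three of its samples have the value 0. */
static const char CLEAN[] = "P3\n3 2\n255\n"
    "9 9 9  0 0 0  7 7 7\n"
    "1 2 3  4 5 6  7 8 9\n";
/* Same pixel values, but the black samples are spelled differently. */
static const char LEAKY[] = "P3\n3 2\n255\n"
    "9 9 9  0 00 000  7 7 7\n"
    "1 2 3  4 5 6  7 8 9\n";

/* Returns the number of samples inside the rectangle [x0,x1) x [y0,y1) whose
   text is not exactly `fill`, or -1 if the input is not a complete P3 file.
   Comparing text rather than numeric value is the point: "0" and "000"
   render identically but are distinguishable in the file. */
static int count_unredacted(const char *ppm, int x0, int y0, int x1, int y1,
                            const char *fill)
{
    int w, h, maxval, used, bad = 0;
    char tok[16];

    if (sscanf(ppm, "P3 %d %d %d%n", &w, &h, &maxval, &used) != 3)
        return -1;                      /* wrong magic or short header */
    ppm += used;
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++)
            for (int c = 0; c < 3; c++) {
                if (sscanf(ppm, " %15s%n", tok, &used) != 1)
                    return -1;          /* truncated pixel data */
                ppm += used;
                if (x >= x0 && x < x1 && y >= y0 && y < y1 &&
                    strcmp(tok, fill) != 0)
                    bad++;
            }
    return bad;
}

int main(void)
{
    printf("clean: %d\n", count_unredacted(CLEAN, 1, 0, 2, 1, "0"));
    printf("leaky: %d\n", count_unredacted(LEAKY, 1, 0, 2, 1, "0"));
    return 0;
}
```

A non-zero result means the rectangle still carries distinguishable bytes and the output should be rejected.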
The Underhanded C Contest 2006 has started.
We hereby announce our second annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
This year's challenge: ridiculous performance degradation
For this year's challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor's OS. The program is supposed to read a set of words on stdin, and print a frequency count of unique words in lexicographical order. Essentially the output should match the command line
tr "[:space:]" "[\n*]" | sort | awk 'length($0)>0' | uniq -c
Try to write a simple C program that does this, but produces as wide a disparity as possible between its runtime on one platform and runtime on another (your "competitor.")
This sounds like a lot of fun ;-) I participated last year and will most probably do so this year...
Deadline: July 4th, 2006
This is pretty interesting stuff: the M4 Message Breaking Project tries to break Enigma M4 messages intercepted in the North Atlantic during World War II.
From the project website:
The M4 Project is an effort to break 3 original Enigma messages with the help of distributed computing. The signals were intercepted in the North Atlantic in 1942 and are believed to be unbroken. Ralph Erskine has presented the intercepts in a letter to the journal Cryptologia. The signals were presumably enciphered with the four rotor Enigma M4 - hence the name of the project.
They provide Free Software clients (GPL'd, written in Python and C) for Unix-like operating systems and various Windows variants. Project updates are available from the project blog.
The first message has already been successfully broken. The plain-text reads:
1930 Funkspruch 1851/19/252:
" F T 1132/19 Inhalt:
Bei Angriff unter Wasser gedrückt.
Wabos. Letzter Gegnerstand 0830 Uhr
AJ 9863, 220 Grad, 8 sm. Stosse nach.
14 mb. fällt, NNO 4, Sicht 10.
Looks "
Translation:
1930 Radio signal 1851/19/252:
" F T 1132/19 contents:
Forced to submerge during attack.
Depth charges. Last enemy position 0830h
AJ 9863, [course] 220 degrees, [speed] 8 knots. [I am] following [the enemy].
[barometer] falls 14 mb, [wind] nor-nor-east, [force] 4, visibility 10 [nautical miles].
Looks "
Hm, digging in the past with modern technology...
(via Network Security Blog)
Being too busy sucks. I didn't even have the time to blog about the Underhanded C Contest, whose results have now been announced.
Quick reminder: the goal of the contest is to
write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
I blogged about the contest earlier, but only later decided to take part in the contest myself (together with Daniel Reutter). After some initial brainstorming we hacked together our solution in roughly one day.
Although we didn't win (damn, no beer for us ;-), we managed to submit one of the simplest solutions (ca. 34 lines of code), i.e., it's very hard to embed any malicious but innocent-looking code in there... Our solution exploits an array bounds overrun, with an extra equals sign ("<=" instead of "<").
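To show why a single extra equals sign is so easy to miss and how a test catches it, here is an added example; it is not our contest entry, and the image size, function names and pixel values are constructed for illustration. In a flat pixel buffer the element one past the end of a row is the first sample of the next row, so the stray write lands in valid memory and nothing crashes.

```c
#include <stdio.h>
#include <string.h>

#define W 4   /* samples per row (constructed example size) */
#define H 2   /* rows */

/* Buggy: "<=" visits W+1 samples, so the write spills into the next row. */
static void invert_row_buggy(unsigned char *img, int y)
{
    for (int x = 0; x <= W; x++)
        img[y * W + x] = 255 - img[y * W + x];
}

/* Fixed: "<" visits exactly the W samples that belong to row y. */
static void invert_row_fixed(unsigned char *img, int y)
{
    for (int x = 0; x < W; x++)
        img[y * W + x] = 255 - img[y * W + x];
}

/* Runs fn on row 0 of a constructed W x H image and returns how many
   samples outside row 0 changed (0 means the routine stayed in its row). */
static int bytes_changed_outside_row0(void (*fn)(unsigned char *, int))
{
    unsigned char before[W * H] = {10, 20, 30, 40, 50, 60, 70, 80};
    unsigned char after[W * H];
    int changed = 0;

    memcpy(after, before, sizeof after);
    fn(after, 0);
    for (int i = W; i < W * H; i++)
        changed += (after[i] != before[i]);
    return changed;
}

int main(void)
{
    printf("buggy: %d stray write(s)\n",
           bytes_changed_outside_row0(invert_row_buggy));
    printf("fixed: %d stray write(s)\n",
           bytes_changed_outside_row0(invert_row_fixed));
    return 0;
}
```

Comparing everything outside the region a routine is supposed to touch, before and after the call, flags the overrun even though the output image looks almost unchanged.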
I have yet to look at the two winning entries by M. Joonas Pihlaja and Paul V-Khuong (team submission), as well as Natori Shin. Congratulations guys! Also, I noticed the Slashdot story about the contest results, but didn't get around to reading that article, either. Sigh...
You thought that after the International Obfuscated C Code Contest, the Obfuscated Perl Contest, the International Obfuscated Ruby Code Contest and even the Obfuscated V contest nothing could surprise you anymore? Think again.
The goal of the annual Underhanded C Contest is to
write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
This year's challenge: covert fingerprinting. Write a program that performs some basic image-processing operation, but hides a unique fingerprint in the image it outputs.
The submission deadline is July 10th, 2005.
(via Bruce Schneier)