The Underhanded C Contest
Department of Electrical and Computer Engineering
Binghamton University
  • Links
    • Main page
    • FAQ
    • 2005 contest
    • 2005 results
  • This page can also be found at http://bingweb.binghamton.edu/~scraver/underhanded/

  • 2005 Contest

    For results, go here
  • Introduction

    Inspired by Daniel Horn's Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

  • This year's challenge: covert fingerprinting

    The challenge for the first UCC is to write a simple program that performs some basic image-processing operation, for example smoothing or resampling, but manages to conceal a unique imperceptible fingerprint in each image it outputs.

    The fingerprint should be different for every execution of the program. It doesn't have to have any particular meaning, but useful tracking information is worth extra points (tho getting caught is worth fewer points.) The print should be extractable from the output image by another program. Realistically, the detector will not have access to the original image for comparison purposes.

    Remember, the object is to make the source look as innocent as possible. Someone examining the source should find no evidence of evil. This means that if you access some external state, for example a persistent sequence number or a config file or the computer's IP, you'd best have a plausible excuse for doing so.

  • Submissions and deadlines

    You must submit by the deadline (July 10th, 2005):

    • Your underhanded program, with instructions for compiling;
    • For this year, a second program for detecting the embedded fingerprint;

    Submit your code to (remove the underscores) XcottCraver@g_m_a_i_l.com.

  • Sample Code

    Here is some really basic code for reading and writing binary PPM images, with corresponding main function. Feel free to use this as a template for your submission, if you don't feel like using a more full-featured library.

  • Judging, and Extra points

    A team of impartial judges will decide the winner based on (A) How simple and innocent the code appears, (B) How sophisticated the malicious behavior is, and (C) Style and humor value. For this year's challenge, you get extra points for the following:

    • Extra points if your fingerprint survives JPEG compression;
    • Extra points if your code looks innocent under syntax coloring;
    • Extra points if your code manages to embed some useful tracking information (although code that doesn't have a good excuse for reading that information is going to appear more conspicuous.)
  • Prize Since we're in Binghamton, NY, the prize will be a gift box from the nearby brewery Ommegang in Cooperstown, NY.
Created with vi