Scary programmer

Written By: - Date published: 3:35 am, June 18th, 2015 - 17 comments
Categories: uncategorized - Tags:

As some of you will be aware, I’m a dedicated computer programmer. Contrary to popular opinion in some circles by people who see me on the net, things like blogging and politics are merely minor interests.

I just like writing code across a large number of languages, operating systems, and devices. And my main interest is in C derived languages like C++, C#, Java, and the like.

So reading the results of the underhanded C contest yesterday morning is, for me, fun. I figure that for some of the readers, this will be as well. Even if you don’t follow some of the technical details, the process displays a suitable level of interesting sneakiness.

The goal of the Underhanded C contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil. Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

This years contents was to write code for a twitter like social media system…

The PiuPiu oversharing site allows users to create PiuPiu accounts and post 140-character messages. The federal government wants PiuPiu to surveil user activity on the site, by archiving any posts that match certain patterns outlined in a national security letter. Subject to the nondisclosure constraints of the letter, PiuPiu may not inform anyone of the surveillance request.

And the underhanded programmers were to write the surveillance request function, but the evil part was that…

The underhanded goal is this: write surveil() in such a way that the act of surveillance is subtly leaked to the user or to the outside world. PiuPiu can not reveal the act of surveillance, but your function is technically able to edit the Piu or user structure during scanning. Find a way to alter that data (this alone is a bit of a challenge, since you are not supposed to alter the data, just scan it) in such a way that an informed outsider can tell if someone is being archived. The leakage should be subtle enough that it is not easily noticed.

As always, the code should appear simple, innocent, readable and obvious.

Now a lot of these methods used were pretty standard ranging from data overflows from various techniques to providing timing methods subject to statistical analysis.

I liked the elegance of Seb Grindle’s usage of old still supported K&R C function declarations that don’t check the types of parameter passing. But that would flash warning signs for any programmer who has ever had to deal with fossil code written like that. Domenico Andriole’s avatar solution would be damn hard to pick up and was an interesting way of passing a code review, but should have gotten caught in testing.

But the winner Karen Pease had the sneakiest way that I have ever seen of  logging information to a quarterly audit log! This is the end of the analysis.

Thus the final AUDIT call zeroes out a user’s created time, if the user was surveilled.

That is really freaking underhanded. Here’s what I like about this:

  • It uses a commonly used time macro that is easily mistaken for a function, and exploits the confusion between the declarative appearance of __isleap( dostuff() ) and the actual result from expansion.
  • It exploits the fact that calling localtime() twice overwrites the value from the first invocation, a fact that is more obscure than the widespread use of that function;
  • It plausibly arranges a scenario (computing a time differential) that turns the year into a 0, triggering maximal misbehavior of __isleap();
  • Testing for “clock skew” sounds like the cynical sort of thing you’d find on the BOFH’s excuse calendar;
  • It manages to archive in such a way that we archive over the pointer to the archive;
  • The whole thing is hidden in auditing code, which wins points for sheer spite.

Congratulations Karen Pease, you are a frighteningly Underhanded C programmer.

Bloody hell. I’d totally agree. The end result would be an auditing file used long after the surveillance events. It’d tag all surveillance with what appears to be a minor date reporting bug that’d look seemingly unimportant .

If someone had access to that file they’d have access to complete logs of who was being tracked.

No-one would probably look unless something else went wrong anyway and they needed the audit log to look for a error pattern. Under those circumstances they probably wouldn’t be that interested in simple occasional date reporting problem anyway, they’d be tracking their own disaster. At best they’d probably add a bug into the reporting system.

The cause would be frigging hard to find for anyone else coming into the code because they’d be unlikely to get a trigger in any of their current data (unless the government was doing a awful lot of tracking). It’d look like a simple, unimportant, but complicated and hard to find coding mistake. Other programmers would probably bounce if they had a cursory look for that error.

The person most likely to get/have access to that file would be the person who created the bug in the first place. If only for the purposes of fixing that bug. And if it doesn’t get noticed earlier , they could ‘discover’ it during a review of their code and development logs.

Ouch! This is elegant coding and social engineering rolled into one. Good to see that there are people like this out there.

17 comments on “Scary programmer ”

  1. r0b 1

    K&R C function declarations that don’t check the types of parameter passing

    Did you ever program in PL1?

    Underhand C sounds fun – and much more interesting than Obfuscated C.

    • lprent 1.1

      Did you ever program in PL1?

      Nope I missed that. Mostly because I started on DEC at about 1980, and then on PCs from 1985 onwards. Waikato Uni seemed to have most common and uncommon languages, but not PL/I.

      I started programming in higher level languages (rather than assembler/HP calculators) with Pascal with smatterings of Cobol, Fortran, Basic, and a few others. Went to Modula 2 and Ada, and then to C++ by 1990. Which was about when I flipped into programming as a profession.

      I still seem to pick up a lot of languages and work with them each year. This new job is a doozy for that because instead of doing greenfield coding, I’m maintaining a number of older projects written 7 languages from lua to C#.

      I might only speak English, but I’m a polyglot on computers.

      Underhand C sounds fun – and much more interesting than Obfuscated C.

      It does feel that way. I never really saw the point of punctuation as a programming language.

      • Paul Campbell 1.1.1

        (we must have met some time, I do remember going to Waikato for a VMS kernel course in the early 80s)

        I always like the Obfuscated C contest …. but if you’re really worrried about underhanded stuff you can’t go past Ken Thompsons seminal paper “Reflections on Trusting Trust”

        https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

        • lprent 1.1.1.1

          Probably not. I wasn’t CompSci then.

          Back then I was doing BSc in Earth Sciences and some management papers. Programming was something that I was doing as part of the science. But mostly just a hobby where I’d done a couple of papers and kibitized in a pile more. But I had logins to the 1170 and 1120 which I used quite a lot (actually a hell of a lot).

          Problem was in 1978-1981 was that the only computing jobs were on minis and mainframes and heavily batch orientated. I was interested in how computers could be used in small organisation and batched timesharing didn’t really feel interesting.

          So I went off into management. It wasn’t until I did a MBA at Otago in 1985 that I discovered PCs. The MBA course had a small lab of the XTs and a single AT that I colonized.

          That was when I got seriously interested in programming. Got a clone as fast as possible and spent 1985-1988 in Otago (my partner at the time was doing an law commerce degree) devoting all my spare time to bootstrapping myself.

          Did some 3rd & 4th year CompSci papers a few years later when I finally dropped out of management and into programming for a living.

          Been there ever since.

          • Paul Campbell 1.1.1.1.1

            ah I worked at Otago until ’84 then escaped (the day Marylin Waring crossed the loor …) to work in silicon valley for a couple o decades

            • lprent 1.1.1.1.1.1

              I went to do the MBA in Otago because I was just about to escape the stupidity of Muldoon’s economic system and it’s extreme glorification of crony commerce (ie company lobbyists maintaining profit generating tariff barriers). I had wanted a cheap entrance degree that I could use offshore.

              The shift back towards a more rational economic system during the 80s, despite the over extension that Douglas et all did, convinced me to stay. So did the rise of the net in the 90s. It was clear that in a few years I could work here for export markets without needing enormous offshore marketing or having to live offshore (wasn’t quite correct. But close enough – capital remains an issue.).

              The 90s for me were the decade where we started to build a local export software industry despite the government. The 00s were when it started paying off and the government started getting behind it. Right now with National it is in a holding pattern again. The larger companies are expanding, but there is a dearth of interesting startups.

  2. LPtent, we trust that you are really Karen Pease, and have a quarterly audit log ticking along nicely on TS.
    It would make us all feel that much safer!

  3. Charles 3

    Scary is right. The scarier thing is that if Karen Pease has “allowed” this to be made public, for no more than a competition entry, imagine what else she has up her sleeve.

  4. James 4

    Had never heard of it – But I really like the idea / concept. Interesting reading.

  5. infused 5

    Pretty interesting contest.

    C is such a shit stain of a language these days. So easy to hide this sort of stuff.

    • lprent 5.1

      You still can’t beat it for very small embed code, which is mainly why it has hung around for so long. It translates close to assembler for those tight spaces where people are really really concerned about the BOM costs. There is a hell of a lot of active code written in C for devices, and it is robust once it has had a few decades of debugging on it.

      I’d say that about a third to a half of our high tech exports are still based on it because they are doing global vertical market engineering hardware. Which is why there are still a lot of C programmers around the country.

      However those days are passing as the price of memory and CPUs drops. Outside of the smartphone/tablets, most of the engineering places I have been through recently have been for wholly new development been starting to drop bare metal and RTOS coding in favor of ARM/linux/c++ or java, and even the odd few windows/C# (Linux/Mono would be be a better combo..)

  6. adam 6

    Love the sneakness would that wake people up to how much they being spied on or what?

    Slightly off topic – Iprent how do feel about Google chrome dropping Java? I’m not sure how I feel about it – end of my facebook games days – but I only look at a couple of those once every couple of day now – so not really worried. But, apart from security issues involved in java – anything else from a programmer’s view?

    • lprent 6.1

      It is just the plugins being disabled. I gather that there have been security problems with allowing people to put in java apps that are allowed to do some things to Chrome. In other words, while it has a sandbox, that doesn’t count that much when malicious plugins can access your internet access.

      You should still be able to run java applications by themselves in other frames (including for the moment other browsers), or via server side tomcat.

      I rather suspect that we will see a lot of this happening through the browsers over the next few years. IE has been demonstrating how awkward pushing security in for extensions like activeX were. Not to mention Flash.

      HTML5 and server side will take up the burden and do it will a lot less client side exposure.

      BTW: the only java plugins I have ever used have been for server consoles. I suspect that it simply wasn’t worth google maintaining such a minority usuage.

      • adam 6.1.1

        I only ever had it for some games – and like I said, not even sure I’m playing those still. I’ll admit I was somewhat confused over the issue -so thanks for the clarity. One less thing to worry about.