Winners of the 7th Underhanded C Contest (underhanded-c.org)
318 points by vezzy-fnord on June 6, 2015 | 44 comments



I'm kinda annoyed that the judge completely misread my entry. I had it so that data was leaked out of a function that could not possibly leak data, via a malloc side-channel attack (à la Heartbleed).

Instead it got judged as being a 'simple buffer overflow'.

Grrr.


I'd call that a win. Even the judge was fooled.


I'll post up my complete entry in case anyone's interested to look through it:

http://www.codersnotes.com/files/piupiu.zip

See surveil.txt for notes first.

Someone below asked what makes this different from the Obfuscated C contest. In this contest, the idea is to make code that looks very clean and innocent. Entries that hide their behavior in weird ugly macros or just general C complexity are not really in the spirit of the contest. I tried to make my entry very clean so that there is obviously no malicious code anywhere in it.


Do the judges get to read your explanation before deciding the results, or do they just have to decide based on the code?


I sent an explanation with it, no idea if anyone read it or not.


Edited to remove spoiler.


SPOILERS. If you want to see if you can spot the tricks, do not look at this page; it only contains solutions, it doesn't contain the programs themselves!


>The PiuPiu oversharing site allows users to create PiuPiu accounts and post 140-character messages.

Hah- "Piu-Piu" is the Brazilian-Portuguese name for the Looney Tunes character Tweety:

https://pt.wikipedia.org/wiki/Piu-piu

https://en.wikipedia.org/wiki/Tweety


Yes, and "piu" is the Portuguese onomatopoeia for "tweet".


And in Spanish it is "pio" for tweet. Very close to the Portuguese one.


Interesting. I think "pio" is the onomatopoeia for tweet in Japanese too. It's the noise cash registers at Tokyo's Inageya supermarkets make when you use their points card.


And in French "piou piou" can be used colloquially to mean "bird"... Many languages seem to agree on this.


In Hungarian, "pee-pee-pee-pee" is used at farms to call chickens. :) And sometimes, young women are called "pee-pee"-s, in a playful way.


They did it backwards this year. A run-of-the-mill evil program that unexpectedly does something heroic.


Is that really backwards? The contest is "underhanded", not evil. Underhandedness can be used for good or evil, and it is good that this year's contest reminds entrants of that.


Sure, but it's explicitly defined as the Evil part.


From the view of the 'Security' Services it's evil. For everybody else it isn't.


Is it possible to view all the entries with no explanation? I want to try to spot the problems.


Yeah, that really spoiled the fun for me. I wanted to read through and see if I could spot the tricks myself, but it keeps giving the answers before even showing the code that the trick is in!


They don't seem available anywhere, maybe try to contact UnderhandedC@gmail.com and ask if they could release the entries?


I'm glad to see that there are more women's names this year - including the winner. A sign of better representation in tech in the future?


Or just more interested in our field of digital sorcery. Either way, I agree it's good to see more women in these things. Having different types of people makes things more interesting. And often more surprising. :)


Incredible mix of evil and genius, congrats to the winners. I'm still astounded at how many obscure ways there are in C to fool a code reviewer.

Definitely makes me feel less safe considering the amount of C code there is in tools we depend on.


Haha, the winning entry is pure genius! It was so difficult to follow, and the code that produces the bug is only viewable if you examine the macro-expanded source code - and the macros used _all_ look like functions, so a casual code reviewer probably won't recall them being macros in the first place.


> and the macros used _all_ look like functions

AUDIT properly looks like a macro, which makes it even more likely a reviewer wouldn't notice __isleap is one as well.
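As an added illustration of the point discussed in the two comments above (not code from the thread or from the contest entry): a lowercase function-like macro evaluates its argument once per textual use, so an argument with a side effect yields a different result than the same-looking function call. The names `is_leap`, `next_year` and the sample years are hypothetical and constructed for this example.

```c
#include <stdio.h>

/* All names here are hypothetical and constructed for this example. */
static int calls;                                /* times next_year() ran */
static const int years[] = {2016, 1900, 2015};   /* constructed input */
static int next_year(void) { return years[calls++ % 3]; }

/* The function a reviewer believes is being called. */
static int is_leap(int y)
{
    return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0);
}

/* A lowercase function-like macro with the same name shadows it. */
#define is_leap(y) ((y) % 4 == 0 && ((y) % 100 != 0 || (y) % 400 == 0))

/* Expands the macro: next_year() appears three times in the expansion. */
int via_macro(void)
{
    calls = 0;
    return is_leap(next_year());
}

/* Parenthesizing the name suppresses macro expansion, so the real
 * function is called and the argument is evaluated exactly once. */
int via_function(void)
{
    calls = 0;
    return (is_leap)(next_year());
}

int main(void)
{
    int r = via_macro();
    printf("macro:    result=%d, argument evaluated %d times\n", r, calls);
    r = via_function();
    printf("function: result=%d, argument evaluated %d time\n", r, calls);
    return 0;
}
```

Reading the preprocessor output (`cc -E file.c`) shows the three copies of `next_year()` that the source line hides.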


I'm not a C programmer so I'm wondering, don't the common C editors highlight macros and functions differently?


Yes, all decent C/C++ IDEs (Eclipse, Visual Studio, CodeBlocks) use different syntax highlighting for macros and functions. The problem with nested macros like this is a common bad programming practice, highlighted here in the C/C++ FAQ: https://isocpp.org/wiki/faq/inline-functions#inline-vs-macro...


To do that you need to do quite a bit of what the compiler does. For example, you need to know the include search paths, which can get modified by compiler flags, and you need to know what flags got set on the command line, for example to discriminate debug from release builds or to specify C99 compliance.

So, you basically need an IDE to do robust C syntax coloring.


I have personally never come across this. Moreover, "common" C editors are vanilla vim and emacs, which don't actually know what's a macro and what's a function without customization (ctags &c).

Good idea, though. I'd like it.


Some slightly less common IDE-based ones can, like Eclipse, and probably Kdevelop, QtCreator, and MSVC.

There are likely to be add-ons for Vim and Emacs that actually parse the source instead of just pattern matching for syntax highlighting.


With emacs, this is actually an ideological choice.


How so?


For that kind of code analysis one wants more detailed information about the source file, like an AST, but Stallman has forbidden that level of detail to be exportable from gcc, and more recently squashed efforts at deeper emacs/clang integrations, both on ideological grounds.


Interesting.

How can deeper integration between any language and tools then be compatible with rms's and/or GNU's and/or the FSF's ideology?

(Maybe the answer is, "Use Lisp since the syntax is the AST." I'm okay with that. :)


I'd also imagine that since the contest is framed as getting around code reviews the code would be inspected using some other source code display tool. These tools certainly wouldn't do any kind of context-sensitive reasoning.


How is this different from the Obfuscated C contest? http://www.ioccc.org/


In this contest, you are to intentionally insert a difficult-to-detect bug into otherwise legible code. In the obfuscated C contest, you are writing obfuscated code.

https://en.wikipedia.org/wiki/Obfuscation_%28software%29


Speaking of which, does anyone know why the IOCCC results are stalled? Winners were announced but winning source code not yet released.


Why is it underhanded to let a user know that his government is censoring/surveilling his posts? This should be the freedom-c contest.


It's underhanded in that the function should look like it's doing one thing but also do another hidden task as well.


Why is it underhanded to let out people whose government has locked them in cages? Sounds like freedom to me. Now where's the nearest maximum security prison...


Why someone would use this language for a real project is beyond me.


A real project like writing a Kernel or implementing a programming language?


Yes, real projects like that. Or projects like OpenSSL.



