Underhanded C Contest

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

The Underhanded C Contest is a yearly programming competition started in 2005 by Dr. Scott Craver of Binghamton University. The goal is to write C code that performs a given task but contains hidden, malicious behavior that looks like a harmless mistake when inspected. Participants may use C-like languages, and the contest is designed so the malice passes scrutiny while the program still accomplishes the task.

The contest ran 2005–2009 and 2013–2015. Prizes were gift certificates, usually around $100 in the early years and $200 for some later years.

What makes it interesting is that each year defines a task and allows a covert twist. Here are brief snapshots from several years:

- 2005: The task was basic image processing (resampling or smoothing) with hidden fingerprint data embedded in the image. Winners used tricks like uninitialized data, pointer reuse, and embedding machine code in constants.

- 2006: The task was to count word occurrences but in a way that behaved very differently across platforms. Submissions exploited fork errors, optimization quirks, endianness, and API differences; the winning entry used a slow loop that a Linux compiler could optimize away but Windows could not.

- 2007: The task was to encrypt and decrypt files with a strong algorithm, but only a tiny fraction of files could be cracked quickly. Submissions misused API calls and prototypes to create subtle weaknesses.

- 2008: The task was to redact a rectangle in a PPM image so the original pixels could be reconstructed imperfectly. Programs could block out the area in various ways; the winning approach involved manipulating pixel values in a less common text format.

- 2009: The task involved processing routing directives and redirecting luggage based on a harmless-looking comment in the data. The contest then paused for several years, with winners announced later.

- 2013: The scenario was a fictional social site called ObsessBook. The task was to write a function that computes a distance metric between users but unintentionally favors a specific user.

- 2014: The objective was to write surveillance code for a Twitter-like service that complies with a secret government request, yet subtly leaks the act of surveillance to the user. The winning solution obfuscated writes to user data by disguising them as writes to surveillance data.

- 2015: The setting involved a nuclear disarmament process and a test function to compare materials. Some submissions used NaN poisoning to skew results; the winner relied on a tricky mix-up of floating-point types to distort outcomes.

The Underhanded C Contest highlights how tricky code can hide intent, and it’s remembered for showing how easy it is to disguise malice in ordinary-looking programs. The most recent contest was in 2015, and the official site is underhanded-c.org.