http://www.underhanded-c.org/#winner
This is fucking devious.
[edit] Rereading their list, I think they actually understated the last point. The one malicious line has a comment that comes right out and tells you what it's changing ... it's not just innocent, it's helpful.
Why did we like this one?
- The attack is realistically achievable without triggering some effect in the computer, like tampering with a system clock or a file permission;
- It uses a real-world approach to comparing spectra, rather than something simple or contrived;
- If you miss the type confusion, there is nothing at all about the remaining code that looks the slightest bit suspicious or unusual;
- It gets down to the bitwise representation of floating-point numbers, and causing a confusion of datatypes with usable results is ingenious;
- It exploits the fact that the doubles hold whole number counts, which allows the miscasting of doubles to work;
- The attack is actually transparent to all the filtering and preprocessing, which preserves the whole-number property of the data;
- Despite all this, it's still only 60-odd lines of code that look incredibly innocent.
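The judges' points about "the bitwise representation of floating-point numbers" and "the doubles hold whole number counts" rest on a property of IEEE-754 that is easy to check. The block below is an added illustration, not the contest entry and not code from the contest page, and it makes no claim about how the winning entry actually achieves its effect. It shows only the general mechanism the judges name: a double holding a whole-number count below 2^21 has an all-zero low word, so viewing a double array through a float pointer yields clean, monotonic values interleaved with exact zeros rather than noise, while the same data scaled by a non-binary factor loses that property. It assumes IEEE-754 binary64/binary32 types and (for the memory-view part) a little-endian host; the sample spectra are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration only (not the Underhanded C entry): why whole-number counts
   make a float/double type confusion produce usable values instead of junk.
   Assumes IEEE-754 binary64 doubles and binary32 floats. */

/* Detect byte order at run time; the miscast memory layout depends on it. */
int is_little_endian(void) {
    uint16_t probe = 0x0102;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x02;
}

/* Low 32 bits of a double's encoding (memcpy avoids strict-aliasing UB). */
uint32_t low_word(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits & 0xFFFFFFFFu);
}

/* High 32 bits of a double, reinterpreted as a float. On a little-endian
   host this is what a float* reads from the upper half of the double. */
float high_word_as_float(double d) {
    uint64_t bits;
    uint32_t hi;
    float f;
    memcpy(&bits, &d, sizeof bits);
    hi = (uint32_t)(bits >> 32);
    memcpy(&f, &hi, sizeof f);
    return f;
}

/* A binary64 stores whole numbers below 2^21 with at most 20 fraction bits,
   all of them in the high word, so the low word is exactly zero. Scaled or
   otherwise non-integer data spills significant bits into the low word. */
int all_low_words_zero(const double *spec, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (low_word(spec[i]) != 0) return 0;
    return 1;
}

/* Copy an n-bin double spectrum into a buffer of 2n floats, exactly as a
   float* aliasing the same memory would see it, and return how many of
   those floats are zero. For whole-number bins on little-endian, every even
   index is 0.0f and every odd index is a monotonic image of the count. */
size_t zero_floats_when_miscast(const double *spec, size_t n, float *out2n) {
    size_t zeros = 0;
    memcpy(out2n, spec, n * sizeof(double));
    for (size_t i = 0; i < 2 * n; i++)
        if (out2n[i] == 0.0f) zeros++;
    return zeros;
}

int main(void) {
    /* Constructed sample spectrum: whole-number counts per energy bin. */
    const double counts[4] = {12.0, 1500.0, 65536.0, 2000000.0};
    /* Constructed non-integer spectrum: the same kind of data after a
       non-binary scale factor; low words are no longer clean. */
    const double scaled[3] = {12 * 0.1, 7 * 0.1, 3 * 0.1};
    float view[8];
    size_t zeros = zero_floats_when_miscast(counts, 4, view);

    printf("little-endian host: %d\n", is_little_endian());
    printf("whole-number bins, all low words zero: %d\n", all_low_words_zero(counts, 4));
    printf("zero floats seen through a float*: %zu of 8\n", zeros);
    for (size_t i = 0; i < 8; i++) printf("  view[%zu] = %g\n", i, view[i]);
    printf("scaled bins, all low words zero: %d\n", all_low_words_zero(scaled, 3));
    return 0;
}
```

The practical takeaway for review: a pointer-type confusion between float and double does not necessarily crash or produce visibly absurd numbers, and integer-valued data is exactly the case where it stays quiet, so a comparison routine fed such data can look like it works on every test spectrum.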