IWETHEY v. 0.3.0

Underhanded C winner
http://www.underhanded-c.org/#winner
Why did we like this one?

  1. The attack is realistically achievable without triggering some effect in the computer, like tampering with a system clock or a file permission;

  2. It uses a real-world approach to comparing spectra, rather than something simple or contrived;

  3. If you miss the type confusion, there is nothing at all about the remaining code that looks the slightest bit suspicious or unusual;

  4. It gets down to the bitwise representation of floating-point numbers, and causing a confusion of datatypes with usable results is ingenious;

  5. It exploits the fact that the doubles hold whole number counts, which allows the miscasting of doubles to work;

  6. The attack is actually transparent to all the filtering and preprocessing, which preserves the whole-number property of the data;

  7. Despite all this, it's still only 60-odd lines of code, that looks incredibly innocent.


This is fucking devious.

[edit] Rereading their list, I think they actually understated the last point. The one malicious line has a comment that comes right out and tells you what it's changing ... it's not just innocent, it's helpful.
--

Drew
Edited by drook Feb. 3, 2016, 03:41:07 PM EST

Neat. Thanks for the pointer. I Я A Programmer today, also too.
There's some really clever coding there.

I've been derusting my limited Python knowledge today in doing things like trying to have a file picker that allows picking file names of the form:

20151203.abc

and

20160203 (with no extension).

The Winders filepicker doesn't like using "*." as an extension (it doesn't list the expected files with no extension).

How to do it?

Use "*.abc; ????????" as the wildcard. That picks up both types.

I'm rather proud of myself for figuring that out. Small victories. ;-)

Cheers,
Scott.
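The `*.abc; ????????` filter from Scott's post, emulated in plain Python so the match set can be checked without a GUI (an added example, not Scott's code). It assumes the dialog's semicolon-separated `*`/`?` glob semantics, which `fnmatch` approximates, and uses a constructed directory listing; it also shows why `????????` over-matches and why a strict check is still needed after the picker returns a name.

```python
import fnmatch
import re

# Assumption: a Windows dialog filter is a ";"-separated list of globs
# where "*" and "?" behave as in fnmatch. fnmatch is only an approximation
# of the real common-dialog matcher.
def parse_filter(spec):
    """Split "*.abc; ????????" into its individual wildcard patterns."""
    return [p.strip() for p in spec.split(";") if p.strip()]

def matches_filter(name, spec):
    """True if the name matches any pattern; case-insensitive like the dialog."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower())
               for p in parse_filter(spec))

def filter_names(names, spec):
    """The subset of names the dialog would list for this filter."""
    return [n for n in names if matches_filter(n, spec)]

# Constructed sample listing (not from the original post).
SAMPLE_LISTING = [
    "20151203.abc",   # dated file with the expected extension
    "20160203",       # dated file with no extension
    "20160203.txt",   # same date, wrong extension: should be excluded
    "notes.abc",      # any .abc file is accepted by the first pattern
    "2016.txt",       # eight characters, so ???????? accepts it too
    "readme",
]

# The picker's wildcard cannot express "eight digits", so anything the user
# selects still has to be validated before it is opened.
DATED_NAME = re.compile(r"^\d{8}(\.abc)?$")

def is_dated_name(name):
    """Strict check: exactly YYYYMMDD, optionally followed by .abc."""
    return DATED_NAME.fullmatch(name) is not None

def strict_dated_names(names):
    """Names that pass the strict check rather than just the wildcard."""
    return [n for n in names if is_dated_name(n)]

if __name__ == "__main__":
    print("dialog would list:", filter_names(SAMPLE_LISTING, "*.abc; ????????"))
    print("strictly valid:   ", strict_dated_names(SAMPLE_LISTING))
```

The wildcard list is a convenience for the user, not input validation: `2016.txt` and `notes.abc` pass the filter but fail the strict check.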