The Underhanded C Contest
Department of Electrical and Computer Engineering
Binghamton University
  • The 2006 Contest has finally been judged!
    The winner: Bobby Brogan, who will receive a $100 ThinkGeek gift certificate. Details of submissions are on the results page. These include explanatory code snippets from the semifinalists; eventually I will put up all the code.
  • The 2006 Contest has Officially Started!
    This page is live as of April 4, 2006. You have three months.
  • This page can also be found at http://bingweb.binghamton.edu/~scraver/underhanded/
  • Introduction

    We hereby announce our second annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

    Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

  • This year's challenge: ridiculous performance degradation

    For this year's challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor's OS. The program is supposed to read a set of words on stdin, and print a frequency count of unique words in lexicographical order. Essentially the output should match the command line

    tr "[:space:]" "[\n*]" | sort | awk 'length($0)>0' | uniq -c

    Try to write a simple C program that does this, but produces as wide a disparity as possible between its runtime on one platform and its runtime on another (your "competitor"). The program should compile on both platforms without the need to download or install external libraries. Note that you will probably not succeed simply by finding a task that one OS performs slowly; to be competitive you will need to conceal malicious delay-causing behavior within the program.
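
    The shell pipeline above is the specification every entry is judged against, so a plain reference implementation is useful both for checking an entry's output and as the baseline to time it against on each platform. The program below is an added example of my own, not contest code and not any entrant's submission: it splits stdin on whitespace (the tr step), sorts the words byte-wise (sort under LC_ALL=C), and merges equal neighbours into counts (uniq -c). The names count_words, lookup, free_entries and xalloc are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One unique word and how many times it occurred. */
typedef struct {
    char *word;
    unsigned count;
} entry_t;

/* realloc that aborts on failure; keeps the reference program short. */
static void *xalloc(void *p, size_t size)
{
    void *q = realloc(p, size);
    if (q == NULL) {
        fputs("out of memory\n", stderr);
        exit(1);
    }
    return q;
}

/* Byte-wise comparison, equivalent to 'sort' under LC_ALL=C. */
static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Split text on whitespace, sort, merge duplicates into counts.
 * Empty tokens are never produced, which is what the awk filter does.
 * Returns the number of unique words; *out receives a sorted array
 * that the caller releases with free_entries(). */
size_t count_words(const char *text, entry_t **out)
{
    size_t n = 0, cap = 16;
    char **words = xalloc(NULL, cap * sizeof *words);
    const char *p = text;

    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        if (n == cap) {
            cap *= 2;
            words = xalloc(words, cap * sizeof *words);
        }
        words[n] = xalloc(NULL, len + 1);
        memcpy(words[n], start, len);
        words[n][len] = '\0';
        n++;
    }
    qsort(words, n, sizeof *words, cmp_str);

    entry_t *entries = xalloc(NULL, (n > 0 ? n : 1) * sizeof *entries);
    size_t u = 0;
    for (size_t i = 0; i < n; i++) {
        if (u > 0 && strcmp(entries[u - 1].word, words[i]) == 0) {
            entries[u - 1].count++;
            free(words[i]);              /* duplicate: keep the first copy */
        } else {
            entries[u].word = words[i];  /* entries take ownership */
            entries[u].count = 1;
            u++;
        }
    }
    free(words);
    *out = entries;
    return u;
}

/* Count of one word in a result array, 0 if absent (used for checking). */
unsigned lookup(const entry_t *entries, size_t n, const char *word)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(entries[i].word, word) == 0)
            return entries[i].count;
    return 0;
}

void free_entries(entry_t *entries, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(entries[i].word);
    free(entries);
}

/* Read all of stdin, then print in the "%7u word" layout GNU uniq -c uses. */
int main(void)
{
    size_t len = 0, cap = 4096, got;
    char *buf = xalloc(NULL, cap);
    while ((got = fread(buf + len, 1, cap - len - 1, stdin)) > 0) {
        len += got;
        if (cap - len - 1 == 0) {
            cap *= 2;
            buf = xalloc(buf, cap);
        }
    }
    buf[len] = '\0';
    entry_t *entries;
    size_t n = count_words(buf, &entries);
    for (size_t i = 0; i < n; i++)
        printf("%7u %s\n", entries[i].count, entries[i].word);
    free_entries(entries, n);
    free(buf);
    return 0;
}
```

    Build with `cc -std=c99 -o wcount wcount.c` and run `./wcount < input.txt`. Two details matter when diffing against the pipeline: GNU `sort` collates according to the locale, so compare against `LC_ALL=C sort` to get the same byte order this program uses, and the seven-column count is the GNU coreutils `uniq -c` layout (other implementations pad differently). Because the whole run is O(n log n) with nothing platform-specific in it, timing this baseline on both platforms tells you how much of an entry's disparity is genuine OS behaviour and how much the entry introduced itself.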

    Today's buzzword: plausible deniability
    In deception problems, plausible deniability is the ability to engineer a reasonable doubt about secret behavior. An example is a backdoor that results from intentionally bad coding practice. This is plausibly deniable as an innocent mistake; contrariwise, you will have no excuse if someone finds working shellcode in some hex constants.
    The code must not look suspicious, and if anyone ever figures out what you did, it had best look like bad coding rather than intentional malfeasance.
  • Submissions and deadlines

    You must submit by the deadline (July 4th, 2006):

    • Your underhanded program, with instructions for compiling, and which two platforms we should use for comparison purposes.

    (A "platform" refers to the OS and, if it is important, the hardware. If you decide to exploit hardware problems, keep in mind that the end result is to make an OS look bad. Feel free to exploit hardware if an OS is often tied to that platform.)

    Submit your code to (remove the underscores) XcottCraver@g_m_a_i_l.com. Make sure the title includes the word "underhanded."

  • Judging, and Extra points

    A team of impartial judges will decide the winner based on (A) How simple and innocent the code appears, (B) How sophisticated the malicious behavior is, and (C) Style and humor value. For this year's challenge, you get extra points for the following:

    • Extra points if your code looks innocent under syntax coloring;
    • Extra points if your hack, when discovered, is plausibly deniable as an innocent mistake;
    • Extra points if your hack is genuinely OS-dependent, rather than hardware-dependent.
  • Prize
    This year's prize is a $100 gift certificate from Thinkgeek.com.