| I wouldn't be so sure that it's an inevitability that things would be caught. The "underhanded C contest" [1] is a good example of this and something I like to point people to. From their about page: >The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should perform some specific underhanded task that will not be detected by examining the source code. If you go look around the hall of fame on that site, or just take a look at the contest winners, it's absolutely insane how subtle some of those exploits are. And shockingly (to me anyway) many of the exploits don't require C or use some quirk of C, they would work in many different languages, the first contest winner is a perfect example of that [2]. I can honestly say that for some of them, even if you told me there was an exploit in the code, I wouldn't be able to find them on my own. And the scariest part is that almost all of the submissions to that contest have plausible deniability. They look like innocent bugs, typos, or small logic mistakes. Some even layer multiple small subtle changes which each on their own are completely fine but when all run together reveal big exploits. [1] http://underhanded-c.org/ [2] http://underhanded-c.org/_page_id_14.html |
That is an awesome site, thanks. Sadly the contest seems to have stopped in 2014.