The goal this year was to write a leaky image redaction program. Given an input image in PPM format and a rectangle, it would spit out the image with the rectangle blacked out, perhaps hiding sensitive information. The tricky part was that you had to leak the redacted information. There are more details in the problem specification.

So, before I go on, here is my complete entry. See if you can figure out how the information is leaked before reading further if you like.

/*
 * This is a simple redactor, it accepts a plain text ppm file, a set of
 * coordinates defining a rectangle, and produces a ppm file with said
 * rectangle blacked out.
 *
 * Usage: redact in.ppm x y width height > out.ppm
 */
 
int
main(int argc, char *argv[])
    {
        if(argc != 6) {
            fprintf(stderr, "usage: redact in.ppm x y width height > out.ppm\n");
            exit(1);
        }
 
    // process command line arguments
    int rx = atoi(argv[2]), ry = atoi(argv[3]), rwidth = atoi(argv[4]), rheight = atoi(argv[5]);
 
    FILE *ppm = fopen(argv[1],"r");
    if(!ppm) {
        perror(argv[1]); exit(1);
    }
 
    //read the ppm header
    unsigned width,height,maxdepth;
    fscanf(ppm,"P3\n%u %u\n%u\n", &width, &height, &maxdepth);
    printf("P3\n%u %u\n%u\n", width, height, maxdepth);
 
    //current locations
    int x = 0, y = 0, ws = 0;
 
    //fixed buffer size to avoid overflow
    char buf[BUFSIZE], *c;
 
    while(fgets(buf,BUFSIZE,ppm)) {
        for(c = buf;*c;c++) {
            if(isdigit(*c)) {
                if(!ws) {   // new number, increment location.
                    ws = 1; x++;
                    if(x >= width * 3) {
                        y++; x = 0;
                    }
                }
                if(x > rx * 3 && x <= (rx + rwidth) * 3 && y > ry && y < ry + rheight)
                    putchar('0');
                else
                    putchar(*c);
            }  else {
               ws = 0;
               putchar(*c);
            }
        }
    }
    return 0;
}

The trick involves the format of the P3 style PPM file. The format is a plain text format, it has some basic header info, then a list of whitespace separated numbers, such as 234 2 0 83 255 255 2 43 255 where the numbers represent the magnitude of the red, green, and blue component for each pixel in order. The redactor simply replaced values within the target rectangle with zero. However, due to the way I process the file, character by character, I leak how many digits each value had to begin with. i.e., the above would be redacted to 000 0 0 00 000 000 0 00 000. This is completely invisible when viewing the PPM file, all the values count as zero as far as the format is concerned, but by looking at the original file, you can recover some information about what was in the blanked out area. It is particular effective on black on white text, the most common thing needing to be redacted, where each value is 0 0 0 or 255 255 255, allowing perfect reconstruction of the original.

One of my favorite parts of my entry that isn’t mentioned on the prize page is that it has great plausible deniability as the leak was introduced by properly working around a commonly known and particularly insidious C bug, the improper use of gets and (more subtly) fgets. I can imagine a code review going somewhat like the following:

Spook: “So why did you process the file character by character, rather than doing the more obvious scanf(“%i %i %i”,&r,&g,&b) to read in the values?”

Me: “Well, in order to do that I’d have to read in entire lines of the file. Now there is the gets function in C which does that, but has a well known buffer overflow bug if the line length exceeds your buffer size, so I naturally used the safe fgets variant of the function. Of course, with fgets, you can just assume your buffer size is greater than the maximum line length, but that introduces a subtle bug if it isn’t, you may end up splitting a number across two buffers, so scanf will read something like 234 as the two numbers 23 and 4 if it is split after the second character, hence the need to consider each character independently.”

Spook: “Ah, of course. good job at spotting that.”

Me: *snicker*

It is also a great example of the principle that you can’t protect against intending to write the wrong thing. The code will stand up to any buffer overflow check, code style check, or lint program. The code is correct and proper C code; the bug was not introduced in the code, but much earlier, in my head when I conceived the algorithm. No matter how smart your tools are, if you ultimately intend to write the wrong thing or solve the wrong problem, they can’t protect against that.

Here is the final result:

The basic idea is the bottom servo (bottom is to the left) can bend the straw left and right, and the other servo can rotate the straw in place. the bend in the straw acts as a universal joint so the object held can be rotated somewhat arbitrarily in 3 dimensions.

A simple linkage connects the top servo to the straw. I attempted a couple different things, starting with a pully system, then a gear system. neither worked out too well. The linkage turned out to be quite simple and robust.

Here it is with the attached fan I attempted to use as a vaccum pump. It did not turn out too well, the fan was scavanged from an old CPU and was never meant to be used like this, so I will need an actual vaccum pump at some point.

Everything was controlled for testing with a Wii nunchuck and an arduino microcontroller with custom code. Here is a video of it in action:

So, some stuff I learned

• ShapeLock is wonderful stuff. I was able to form and reform the head a few times, even fairly large changes like making room for a gear involved reheating a part of the project and shaping it by hand. And I can just melt it down again and reuse it for my next prototype.
• The linkage is the way to go. I struggled a long time with gears and pullys. I imagine that if I were precision machining things and could get gears/pullys in the exact right size, things would have been different. But when it comes to the fuzzy world of hand-squished shapelock, the more forgiving linkage worked out great.
• I am gonna stock up on these tiny and cheap servos. They have a very interesting and useful bug. if you try to overextend them, they go into continuously rotating mode with no modification! So you can have the same servo work as a continously rotating one at some points, but also have precise precisioning at others.
• The Wii nunchuck is a great little thing. it took a few dozen lines of arduino code to interface with it and I got a joystick, 3 buttons, and a 3 axis accelerometer.