TinyCode competition - trial

User-sourcecode is compiled by janino.

The compiled sourcecode cannot be sent to STDIN, because it only exists in bytecode-form.

I do a
System.out.println(code);
to monitor the submission you guys post.

Unfortunately, to enforce the time-limit of 100ms, I have to call Thread.stop() if the newly created thread running your code, runs out of time.
Now… before I even can call stop(), the System.exit(0) is already executed, so I doubt the problem is in that ‘unsafe’ method.

It feels like this was the actual chain of events:

1. System.out.println(code);
2. new Thread(){public void run(){System.exit(0);}}.start();

Result:
the bytes buffered in STDOUT get flushed to STDIN after termination.

Is it correct that you submitted this full block of code?

com.sun.org.apache.regexp.internal.recompile.main("".split(""));
out.write(str2arr("hello world!"));
int a=0,i=0,b;
while((b=in.read())>0) {
a=a<<4|(b-'0');
if ((i^=1)==0) out.write(a);
}

nope, I only submitted

“com.sun.org.apache.regexp.internal.recompile.main(”".split(""));"

The rest is nothing to do with me, never seen it before in my life.
“byte [] str2arr(String)” is one of your methods isn’t it? declared in TinyCodeAssignment.
Was that just someone attempting to access this method from their own code?

I was thinking more of the source code that is embedded in the html page served back to the client?

It was part of the sourcecode I posted in this thread (many many lines).

Somebody thought he could access the str2arr or arr2str because it was defined in the posted TinyCodeAssignment class.

The code sent back to the client doesn’t have < and >, only < and > to prevent HTML-tags (and scripts!) breaking out of the

Anyway, as you can see in the screenshot, the JVM is shutdown after your one-line submission, yet the next (?) submission is executed in BASH…

I’ll investigate tomorrow, and go to bed now. It’s 02:00, and I got yet another exam tomorrow.

Eagerly awaiting my gold ‘I crashed the server’ badge ;D

Bah, I didn’t go to bed! :-X

I found it…

it wasn’t that spooky. If you type something in Bash, while a program is running, it’s sent to STDIN.
If you type CTRL-C, the bytes in System.in are discarded.
If System.exit(0) is invoked, the bytes in System.in are passed to STDIN of Bash (as in: if the child-process doesn’t handle it, the parent process will)

So… it turned out I probably pasted that code accidently yesterday, and never noticed.

(…working on the badge)

http://www.indiespot.net/badge.png

I’m hosting it again, now allowing uppercase characters, but no unicode.

It only allows a “.” if it is followed by “read(” or “write(”.

I think this should catch all random acts of vandalism

Please report exploits… in private-mail on jgo

mhh, what about floating point numbers? 1.0, 0.34…

Using a sandbox should have done the trick as well, no?

Barcode 64 bytes:

for(int c=1,i=48;c>0;i++)
  if((c=in.read())<99){
    out.write(i);
    i=47;
  }

Sometimes you need to take some time off, to see the simple optimizations

This is fun
But it’s too easy to cheat, ie. optimizing just for the test case while breaking the algorithm.

Tonight I’ll expend the number of testcases from 1 to N (where N >= 1)

I believe there is now a new way of crashing the server - I’ll see if I can verify this @ lunchtime.

If so, I’ll let you know via pm Riven

No joy yet… but I’m very close.

More worryingly, if successful it will give the capability to execute arbitrary code, essentially giving almost complete control over the machine on-which the server is running - limited only by the user level security offered by the OS.

I’m very interested.

I bet it is solvable by removing the support for uppercase characters again…?

Here is what I have so far :-

		final Class c = new ClassLoader() {
			public Class read() {
				
				byte [] classData = 
					new byte[] {-54,-2,-70,-66,0,0,0,46,0,41,7,0,2,1,0,4,66,108,97,104,7,0,4,1,0,16,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,1,0,6,99,104,101,101,115,101,1,0,1,68,1,0,8,60,99,108,105,110,105,116,62,1,0,3,40,41,86,1,0,4,67,111,100,101,9,0,11,0,13,7,0,12,1,0,16,106,97,118,97,47,108,97,110,103,47,83,121,115,116,101,109,12,0,14,0,15,1,0,3,111,117,116,1,0,21,76,106,97,118,97,47,105,111,47,80,114,105,110,116,83,116,114,101,97,109,59,8,0,17,1,0,11,105,110,105,116,105,97,108,105,115,101,100,10,0,19,0,21,7,0,20,1,0,19,106,97,118,97,47,105,111,47,80,114,105,110,116,83,116,114,101,97,109,12,0,22,0,23,1,0,7,112,114,105,110,116,108,110,1,0,21,40,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,41,86,10,0,25,0,27,7,0,26,1,0,14,106,97,118,97,47,108,97,110,103,47,77,97,116,104,12,0,28,0,29,1,0,6,114,97,110,100,111,109,1,0,3,40,41,68,9,0,1,0,31,12,0,5,0,6,1,0,15,76,105,110,101,78,117,109,98,101,114,84,97,98,108,101,1,0,18,76,111,99,97,108,86,97,114,105,97,98,108,101,84,97,98,108,101,1,0,6,60,105,110,105,116,62,10,0,3,0,36,12,0,34,0,8,1,0,4,116,104,105,115,1,0,6,76,66,108,97,104,59,1,0,10,83,111,117,114,99,101,70,105,108,101,1,0,9,66,108,97,104,46,106,97,118,97,0,33,0,1,0,3,0,0,0,1,0,25,0,5,0,6,0,0,0,2,0,8,0,7,0,8,0,1,0,9,0,0,0,55,0,2,0,0,0,0,0,15,-78,0,10,18,16,-74,0,18,-72,0,24,-77,0,30,-79,0,0,0,2,0,32,0,0,0,14,0,3,0,0,0,4,0,8,0,6,0,14,0,2,0,33,0,0,0,2,0,0,0,1,0,34,0,8,0,1,0,9,0,0,0,47,0,1,0,1,0,0,0,5,42,-73,0,35,-79,0,0,0,2,0,32,0,0,0,6,0,1,0,0,0,2,0,33,0,0,0,12,0,1,0,0,0,5,0,37,0,38,0,0,0,1,0,39,0,0,0,2,0,40};					
			
				Class c = defineClass("Blah", classData, 0, classData.length);
				
				resolveClass(c);
				return c;
			}
		}.read();

		// TODO: Find some api operation that causes the static initialiser of Class c to be invoked.
		// Complication:  The api operation must be defined in a public non-final class in the java.lang package.
		// I have yet to find a way of achieving this :-(

I’m hoping java.lang.SecurityManager holds the key… as there is little else of use in the java.lang package.

Thanks for your hack-skills, i bet there is a huge security hole here.

As you posted this here, I’ll take down my server and fix it later tonight.