As alleged hackers from LulzSec and Anonymous contemplate the possibility of a life behind bars, other hackers are limbering up in Canada this week to vie for more than $1 million in prize money for their hacking prowess.
The annual Pwn2Own contest at the CanSecWest security conference is in its sixth year and aims to improve the security of the internet by challenging researchers to find zero-day vulnerabilities and develop exploits to attack them, while disclosing the findings to vendors to allow the companies to patch their products before the vulnerabilities can be exploited in the wild. The contest provides the makers of browser software and other applications with valuable information about security flaws in their products, without having to spend the time and resources to uncover the vulnerabilities themselves.
The targets this year are four browsers — Microsoft’s Internet Explorer, Apple Safari, Mozilla Firefox and Google Chrome. Contestants aim to own a browser — or “pwn” in hackerspeak — by using exploits to get the browser to run arbitrary code of the hacker’s choice.
The browsers being targeted will be running on systems with fully patched versions of the Windows 7 or Lion operating systems.
Contestants earn points for various levels of exploits and the amount of time it takes to develop them, with the top three point-earners winning money awards. A working zero-day exploit against the latest version of any of the browsers, for example, earns the hacker or his team 32 points.
The person or team with the most points at the end of the contest will receive $60,000 from Hewlett-Packard, which sponsors the contest. Second place brings $30,000 and third place, $15,000. Additionally, the winners will receive the laptops on which the browsers were running during the contest. This year the laptops include two Asus Zenbooks and a Macbook Air.
The first year the contest was held in 2007, it took a contestant just five hours to discover an exploitable flaw in the Safari browser, and another four hours to write an exploit to attack it.
This year, Google has sweetened the pot with its own parallel contest focusing just on its Chrome browser. Although Chrome was one of the target browsers in last year’s contest, no contestant took aim at it, leaving Google to go home with an empty exploit bag. This year to entice researchers, Google decided to sponsor its own contest, with up to $1 million in cash awards to anyone who can uncover vulnerabilities and develop working exploits for Chrome.
Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity and characteristics of the exploits, up to $1 million. Winners will also receive a Chromebook.
“[W]e have a big learning opportunity when we receive full end-to-end exploits,” Google’s Chrome security team wrote in a blog post last month. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”
The breakdown for Chrome exploit awards is as follows:
$60,000 — “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 — “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 — “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer. All winners will also receive a Chromebook.
Running parallel to the two contests will be a full schedule of security talks from Wednesday to Friday, focusing on such topics as vulnerabilities in the HDMI (High-Definition Multimedia Interace), bypassing firewall filtering and the legal issues around security research of mobile devices.
How stupid is that? Does this sound like the Golden Arrow offered to Robin Hood if he could win the archery contest?