Google bets $20K that Chrome can't be hacked
Adds prize money to this year's Pwn2Own browser hacking contest
Computerworld - Google will pay $20,000 to the first researcher who successfully exploits its Chrome browser at this year's Pwn2Own hacking contest.
The award is the largest ever for the annual challenge, which will kick off for the fifth time at the CanSecWest security conference in Vancouver, British Columbia, on March 9.
At this year's Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari and Chrome.
The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards.
"We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000," said Aaron Portnoy, the manager of HP TippingPoint's security research team.
TippingPoint, which is again sponsoring Pwn2Own, set the contest's rules Wednesday in a blog post written by Portnoy.
New this year is Google's participation. The company is the first browser vendor to put money into the prize kitty. "Kudos to the Google security team for taking the initiative to approach us on this," Portnoy said.
The rules for Chrome are slightly different than for the other browsers because it's the only one of the four that uses a "sandbox," an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application -- in this case Chrome -- to wreak havoc on the computer.
To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug.
Other software developers have followed in Chrome's footsteps to try to make their applications more secure. Last year, for example, Adobe added a sandbox -- derived in part from Google's work -- to its popular Reader program.
To walk off with Google's $20,000 on Pwn2Own's first day, a researcher must find and exploit two vulnerabilities in Google's code. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher's pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.
Google's participation in this year's Pwn2Own may be a mark of its confidence that Chrome can't be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.
IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher -- a German computer science major who gave only his first name, Nils -- hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.
Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.
"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter. "Must be hard, glad Mac OS X doesn't sandbox their browser."
Miller is a Mac hacking authority -- he co-authored The Mac Hacker's Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner -- and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.
TippingPoint will also run a mobile hacking track at Pwn2Own next month that will let researchers try to exploit smartphones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS.
Successful smartphone attacks will be awarded $15,000.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts