Rival hacking contests kick off today with $1.1M at stake

HP TippingPoint argues Google's 'Pwnium' money is safe because Chrome sandbox-escape exploits are worth more than Google's paying

Two hacking contests kicked off in Canada today, with hundreds of thousands of dollars in prize money up for grabs.

HP TippingPoint's Pwn2Own and Pwnium, Google's offshoot, both begin today at CanSecWest, a security conference that runs March 7-9 in Vancouver, British Columbia.

Just a week ago, there was to be only Pwn2Own, now in its fifth year, with both TippingPoint's Zero Day Initiative (ZDI), the company's bug bounty program, and Google promising to pitch in prize money.

For its part, ZDI committed $105,000 that would award $60,000 for the top score in a three-day event combining zero-day bug exploits with on-site hacking challenges.

Google, meanwhile, said it would pay up to $20,000 for any exploit of its own Chrome browser.

But on Feb. 27, Google withdrew from Pwn2Own, saying the contest did not require participants to hand over their exploits or divulge all the bugs they used to hack Chrome.

Instead, Google announced Pwnium, a separate event that will pay up to $60,000 for any exploit that leverages only bugs in Chrome. Google pledged to pay out as much as $1 million if several researchers stepped forward with Chrome-only "zero-day," or previously unknown, vulnerabilities and their exploits.

"Pwnium" is a play on Chromium, the name of the open-source project that feeds code to Chrome, and like its rival contest, uses "pwn," hacker-speak for "own," as in to seize control of a computer.

In a lengthy blog post last week, ZDI gave its side of the disagreement that had led Google to pull out of Pwn2Own.

ZDI argued that its goal was to get researchers to reveal bugs -- TippingPoint then adds blockers for those vulnerabilities to its enterprise-grade security appliances -- and wasn't necessarily interested in the exploit details.

But exploits are what Google wants to examine, said a pair of its engineers last week.

The dispute over vulnerabilities versus exploits, said ZDI, centered around "sandbox escapes," attacks that let a hacker break out of the isolating anti-exploit sandbox used by Chrome to keep malware in the browser and out of the operating system or other applications.

"Pwn2Own has never required that contestants give up such sandbox escapes. We do require that they demonstrate them, in order to verify that they did indeed 'hack' the target, but we have never required they disclose the escape to us or the vendor," said ZDI [emphasis in original].

It's done that, said ZDI, because it believes that prize money -- even the top $60,000 it will award this year and the identical amount Google plans on paying -- isn't enough to shake loose the very rare sandbox-escape vulnerabilities and ensuing exploits.

"If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome, which means that no Chrome code execution vulnerabilities would be fixed through the contest at all," said ZDI.

Sandbox escapes are simply worth more, much more, than $60,000.

"The fact, though hard to substantiate, is that a sophisticated sandbox-escape exploit could likely fetch a great deal more that $60,000 on the open market," argued ZDI. "Whether or not you agree with that estimation, it is fair to say that a sophisticated sandbox-escape exploit could certainly wreak more than $60,000 worth of damage in the enterprise space."

The bottom line? ZDI doesn't expect Google to pay out a dime for a sandbox escape, necessary to claim the latter's top money of $60,000.

"Such an exploit against Chrome will never see the light of day at CanSecWest," ZDI bet. "Instead, the grand Google prize will go unclaimed and the great takeaway from Pwnium will be that Google Chrome is unhackable, even when $1 million are at stake. Which is a shame, because that kind of sensationalism will not advance the state of browser security at all. In fact, it may just set us back a few years."

One team slated to try its hand at Pwn2Own agreed.

Vupen, a French security firm that took home $15,000 from last year's Pwn2Own for hacking Apple's Safari, said it would participate in Pwn2Own, but not Pwnium.

"Google canceled its sponsorship of #pwn2own and launched its own #pwnium. To win, report your sophisticated exploit. We're not interested!," Vupen said last week on Twitter.

Vupen, which is controversial among some researchers because it does not disclose vulnerabilities to vendors -- it's been accused of selling them to foreign governments -- said it will be ready with zero-day exploits of Chrome, Mozilla's Firefox, Microsoft's Internet Explorer and Safari, the four targeted browsers at Pwn2Own.

In May 2011, Vupen announced it had found a sandbox-escape bug in Chrome, but would not share the details with Google; its plans to hack Chrome at Pwn2Own may be based on that still-unpatched vulnerability.

ZDI will provide Pwn2Own updates during the three-day contest via Twitter.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon