Every year, Google invites enterprising cybersecurity researchers and white-hat hackers set their sights on the Chrome operating system, with the goal of finding hereto undiscovered vulnerabilities and developing corresponding Chrome OS exploits.
“Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers,” said Jorge Lucángeli Obes, security engineer and master of ceremonies for the contest, in announcing Pwnium 4. “Contests like Pwnium help us make Chromium even more secure.”
The awards total this time is $2.71828 million, and will be doled out in two main levels. The search giant will offer $110,000 for a browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page. And, $150,000 will go to compromises with device persistence: guest-to-guest with interim reboot, delivered via a web page.
Obes also added that “New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploits.”
Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.
For all options, “the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL,” Obes said.
Google is changing up the device options as well. Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (Wi-Fi), or the Acer C720 Chromebook (2GB Wi-Fi), which is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.
“Any software included with the default installation may be used as part of the attack. For those without access to a physical device, the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine, but note that a virtual environment might differ from the physical devices where the attack must be demonstrated,” Obes noted.
Last year’s Pwnium saw no “winning” entries – i.e., no full exploits were developed – but Google did pay out a partial reward to Pinkie Pie, the teen hacker who appears to be making Chrome a bit of a specialty.
Google turned over $40,000 to Pinkie Pie, who, according to Chris Evans, Google’s chief reward officer, submitted a “plausible bug chain involving video parsing, a Linux kernel bug and a config file error. The submission included an unreliable exploit demonstrating one of the bugs.”
Pinkie Pie came to fame during the first Pwnium in May 2012, with a compromise of the Chrome browser using three zero-day vulnerabilities in the closing hours of the hacking competition. Then, last October, Pinkie Pie nabbed a $60,000 prize from Google for launching a full Chrome exploit as part of the Hack in the Box conference.
To make sure everyone has enough time to demonstrate their exploit, Google is requiring participants to register in advance for a timeslot, by the close of business Pacific time, on March 10.