Building on the success of the last couple of years, Google plans to offer more than $2.7 million in potential rewards in the next iteration of its Pwnium hacking competition at this year’s CanSecWest conference in Vancouver. The company has run the contest in parallel with the older Pwn2Own competition at the conference, with somewhat different rules, and this year plans to allow researchers to go after Chrome OS running on both ARM- and Intel-based Chromebooks,
Pwnium began as Google’s answer to Pwn2Own, the well-known hacking contest that has attracted some of the top researchers in the industry over the course of the last few years, including Dino Dai Zovi, Charlie Miller, Chaouki Bekrar and the Vupen team and many others. Pwn2Own has traditionally not required contestants to submit complete exploit information, but rather the details of the vulnerability and the crash data. Pwnium requires researchers to submit full exploits, something that has kept some of the potential contestants away, notably the Vupen team.
But the money that Google is putting up for new compromises of Chrome OS is far beyond what’s available at Pwn2Own or any of the other major contests and has attracted a small, but elite, group of contestants in past years. The company is promising rewards of as much as $150,000 plus some bonuses, paid at Google’s discretion, for especially innovative or serious exploits.
“New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process,” Google security engineer Jorge Lucángeli Obes said.
“Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.”
The rules of the Pwnium contest dictate that contestants will have to register in advance and hand over full exploit details, along with information on each individual vulnerability used in the attack. None of the bugs used can be previously known, and the exploits have to be launched from an HTTPS Google App Engine URL.
“Any software included with the default installation may be used as part of the attack. For those without access to a physical device, the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine, but note that a virtual environment might differ from the physical devices where the attack must be demonstrated,” Obes said.