VANCOUVER — When the Pwn2Own contest began in 2007, it was dismissed by some in the industry as nothing more than a publicity stunt meant to inflate the egos of researchers while embarrassing software vendors. But as the fifth edition of the hacker challenge gets underway at the CanSecWest conference here this week, it has evolved into a display of some of the few things that are actually good and right with the security community.

The contest began as essentially a timed competition to see who could find and exploit a vulnerability in a fully patched MacBook Pro running the most current version of OS X. Researchers went at the machines for hours, trying to find a new bug and develop a reliable exploit for it. Win, and you got not only the computer that you’d exploited but a nice $10,000 cash prize. There were different thresholds for different machines, but both the 15-inch and 17-inch MacBooks lived through the first day of the contest without being compromised.

Not so the next day. Researcher Dino Dai Zovi, who wasn’t at the conference, found a new flaw in the Java implementation in QuickTime and called his friend Shane Macaulay, who was in Vancouver. Dai Zovi developed a browser-based exploit for the bug and Macaulay implemented it at the conference. The pair took down the 15-inch MacBook and the cash. Dai Zovi stayed up most of the night working on the bug and exploit, but within a few hours he had a reliable exploit, a new MacBook and some nice walking around money. Not a bad night’s work.

Since Macaulay’s and Dai Zovi’s initial victory, Pwn2Own has developed into a high-profile competition in which the researchers draw lots and take turns trying their luck against various browsers and mobile phones such as iPhones, Android devices and BlackBerrys. Researcher Charlie Miller has made the contest his personal revenue stream for the last three years, taking down OS X via the Safari browser each time and winning a pile of cash in the process.

So what’s great about a bunch of guys in a windowless room hammering away at MacBooks and iPhones? The really impressive thing in all of this is the sheer brain power on display. Think about what Dai Zovi and Macaulay did for a minute: With a few hours of work, they pulled apart the security model that the developers of Java, QuickTime and OS X had spent years putting together. Unless you’re one of those developers, that’s a pretty impressive feat.

Although the format has changed in recent years and Miller and others have found their bugs and developed their winning exploits ahead of time, their accomplishments are no less impressive. Microsoft, Mozilla and Google now know that Pwn2Own is a major date on these researchers’ calendars and they often will issue patches for their browsers right before the contest, as they did within the last week. So sitting down in front of a freshly patched MacBook or iPhone or Droid and trying to get your exploit to work still requires a lot of ingenuity.

The kind of raw intelligence, resourcefulness and cleverness that Pwn2Own brings out of the security community is still very cool to see. Consider the 2009 Pwn2Own contest, for example. That year, a researcher named Nils, who many people at the conference didn’t know, walked into the contest and not only exploited both Safari and Firefox on OS X, but also took down Internet Explorer 8 on Vista. Given the presence of DEP and ASLR on the Windows machine, many researchers didn’t think IE 8 would fall.

Nils’ accomplishment was the security equivalent of virtual unknown Abebe Bikila of Ethiopia showing up at the 1960 Rome Olympics and winning the marathon. Barefoot. On cobblestone streets. In an Olympic-record time. And Nils did it again the next year, exploiting Firefox on Windows 7, bypassing ASLR and DEP in the process.

There are a lot of things in the security industry that are broken or don’t work the way they should — and not just software and hardware. Security itself, in a lot of ways, just doesn’t live up to the promises that everyone has made over the years. But that doesn’t mean people in the research community and the vendor community aren’t trying, aren’t putting in hard work and aren’t getting better. Because they are, and the evidence is here.



Comments (7)

  1. Alex Hutton

    “With a few hours of work, they pulled apart the security model that the developers of Java, QuickTime and OS X had spent years putting together. Unless you’re one of those developers, that’s a pretty impressive feat.”

    Dennis, you know I have the utmost respect and love for you, but I have to disagree.

    For any code base (of some degree of complexity) there exists some number of latent, but unknown vulnerabilities. We shouldn’t be surprised, excited, or even impressed when a vuln researcher discovers them. That’s not to say that vuln researchers aren’t clever, useful or that they don’t play an important role, just that the past 15 years of experience suggests that their work is, well, relatively mundane.


  2. securityskeptic

    Interesting column, but consider the following suggested change:

    “The kind of raw intelligence, resourcefulness and cleverness that Pwn2Own brings out of the security community BELONGS ON THE QUALITY ASSURANCE TEAMS OF COMMERCIAL SOFTWARE DEVELOPERS.”

  3. Rob Lewis

    Nice article, but it epitomizes what is wrong with the industry, starting with glamorizing breaking, which has a suspect contribution to improvement.

    Nobody has to pull apart any security model because it’s been broken all by itself for quite a while. Which came first: systems that have a brain aneurysm and cough up root when code is used in some unanticipated way, or buggy code? It’s still an “only takes one” world out there, which boils down to all those really smart people having an impossible, useless goal, even if they are being pushed by hacker contests. One only has to look at the decline of AV and now Web application security to realize that the vulnerability-centric security model is pretty crappy, and it is going to stay that way until kernel level controls prevent the exploitation of software vulnerabilities.


  4. Party Bus DC

    What is Pwn2Own


    Pwn2Own is a computer hacking contest held at the annual CanSecWest security conference, beginning in 2007. Contestants are challenged to exploit specific software (especially web browsers and other web related software) / computing platform targets. Contestant winners receive the device/computer that was successfully exploited and a cash prize.

    For each successful exploit, the contest’s sponsor, TippingPoint, provides a report to the applicable vendor, detailing the vulnerability and how it was exploited. The details are not released to the public until the vendor has corrected the vulnerability.

  5. SH

    To all the naysayers, there is such a thing as vulnerability free real-world software and Dan Bernstein proved that with qmail. The OpenBSD project also has done a great job of keeping vulnerabilities in check with tight QA and control. So vulnerability researchers need to keep attacking bad code till the software vendors (commercial or open source) fix the code base, model or their coding practices.


  6. Dennis Fisher

    Thanks Alex.

    I agree that a lot of the grunt work is mundane and is mostly automated. Maybe I didn’t word it as well as I could have, but mainly what I was trying to get across is that there are a lot of really smart people at Apple and Microsoft and Google who are working really hard to make it as difficult as possible for people to exploit any bugs they might find in their products. And I know it’s always easier to break something than to build it, but the larger point is that those guys are being pushed by the researchers, and vice versa, and that’s the way it should be.
