Mark Dowd and Ben Hawkes, two well-known security researchers, have won a contest put on by Google to find exploitable security flaws in the company’s Native Client system. The pair discovered 12 exploitable issues, seven more than the next most successful team.
Dowd, a researcher in IBM ISS’s Australian office, is known in the security community for his ability to develop exploits and attacks for flaws that are considered particularly difficult to exploit. He worked with Alex Sotirov last year on several attacks that successfully bypassed the memory protections in Windows Vista using browser exploits. Hawkes is an independent security consultant in New Zealand.
From the Google blog post on the winners:
Winning teams were attracted to the contest by the potential of the Native Client technology. Mark Dowd, member of the winning team “Beached As”, commented, “When I saw the press release announcing the product, I was intrigued by some of the ideas mentioned in the article. After reviewing the architecture a little, I thought the project adopted a novel approach to solving the problem of running native code securely, and was keen to take a closer look.”
Native Client is Google’s open-source technology for running native code in Web applications. The Native Client contest attracted quite a bit of attention in the security community, as did the results. Dave Aitel, CTO of Immunity and a well-known security researcher, said in a message to his Daily Dave mailing list that contests like Google’s have somewhat limited value.
“At some point someone senior at any project like this needs to quantify the level of testing that is required to build a secure product. Contests are interesting, but they’re not providing evidence of architectural safety. All we learned here was that with some minor level of effort, lots of bugs can be found. That’s not a good sign,” he wrote.