The Pwn2Own contest at the CanSecWest conference has become one of the landmark events on the calendar each year, as researchers gather with nervous vendors in a tiny room to see who can own which browser on which platform and how quickly. But this year’s contest will have a much different look than past editions, with participants vying for more than $100,000 in cash by amassing points over the course of three days.
The new format will include the assignment of point values for each of the various targets in the contest, which typically are browsers such as Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. In order to win the contest, a participant must have at least one zero-day vulnerability in one of the targets. Each successful compromise of a target with a zero-day will be worth 32 points, and unlike in past years, targets will not be removed from the competition once they’ve been successfully compromised by one researcher.
Also, on the first day of the contest, the organizers from HP’s TippingPoint Zero Day Initiative will announce two previously patched vulnerabilities that contestants can use on each target. They will then have three days to write an exploit that works on a given target, although the point awarded for a win will decrease each day. A win on the first day earns 10 points, nine points on the second day and eight on the third. For those “public vulnerabilities”, there won’t be any requirement for a sandbox escape or bypass of protected mode in the browsers.
The changes are the result of a review of past years’ contests and a desire to make the event fairer for everyone involved. In past years, there was a drawing to see which participant would go first on each target, and once it was successfully compromised, it was off the table for everyone else. There also will be first, second and third places this year, with cash rewards of $60,000, $30,000 and $15,000, respectively. The three researchers with the highest point totals at the end of the three-day contest will win the money.
“We basically rearchitected the entire thing this year. We wanted to take our limited budget and spread it over three winners in order to give them more incentive to bring their vulns to Pwn2Own,” said Aaron Portnoy, the manager of the security research team at TippingPoint. “We didn’t think it was fair with the drawing. That opens the door for people having a vulnerability they don’t use at the contest and it doesn’t get fixed.”
In addition to the main cash prizes, contestants also win the laptops that they’re able to successfully compromise targets on. And this year, Google is putting up a prize of $20,000 for every unique set of bugs that can compromise its Chrome browser, without any platform-specific bugs. In order to claim the prize, a participant will have to get full code execution outside of Chrome’s sandbox, but there is no limit to the number of those rewards a researcher can win. So if one participant has three or four of those in his pocket–which seems unlikely–he could earn a serious payday.
Google also will pay $10,000 for Chrome vulnerabilities that get code execution outside of the sandbox but also require some OS-specific vulnerability to work, Portnoy said.
The idea behind all of the changes in this years Pwn2Own is to bring the contest closer to the way it was when it began several years ago. The contest also has dropped mobile devices such as iPhones and Android phones as targets.
“We’re going back to the roots of Pwn2Own,” Portnoy said. “The mobile platforms have been a barrier to entry. We expect to see more competitors.”
All of the new vulnerabilities used in the Pwn2Own contest each year are immediately disclosed to the affected vendors as part of the rules of engagement. The inclusion of the known vulnerabilities in target platforms is a way to test the exploit-writing skills of the researchers, as well as drawing attention to the need for people to patch older bugs.
“We want to show the importance of patching and want to show that the contest will have active participation over three days,” Portnoy said. “We want people to watch.”
Portnoy said the list of targets for this year’s contest would be available soon. CanSecWest is March 7-9 this year in Vancouver.