VANCOUVER — When the Pwn2Own contest began in 2007, it was dismissed by some in the industry as nothing more than a publicity stunt meant to inflate the egos of researchers while embarrassing software vendors. But as the fifth edition of the hacker challenge gets underway at the CanSecWest conference here this week, it has evolved into a display of some of the few things that are actually good and right with the security community.
The contest began as essentially a timed competition to see who could find and exploit a vulnerability in a fully patched MacBook Pro running the most current version of OS X. Researchers went at the machines for hours, trying to find a new bug and develop a reliable exploit for it. Win, and you got not only the computer that you’d exploited but a nice $10,000 cash prize. There were different thresholds for different machines, but both the 15-inch and 17-inch MacBooks lived through the first day of the contest without being compromised.
Not so the next day. Researcher Dino Dai Zovi, who wasn’t at the conference, found a new flaw in the Java implementation in QuickTime and called his friend Shane Macaulay, who was in Vancouver. Dai Zovi developed a browser-based exploit for the bug and Macaulay implemented it at the conference. The pair took down the 15-inch MacBook and the cash. Dai Zovi stayed up most of the night working on the bug and exploit, but within a few hours he had a reliable exploit, a new MacBook and some nice walking around money. Not a bad night’s work.
Since Macaulay’s and Dai Zovi’s initial victory, Pwn2Own has developed into a high-profile competition in which the researchers draw lots and take turns trying their luck against various browsers and mobile phones such as iPhones, Android devices and BlackBerrys. Researcher Charlie Miller has made the contest his personal revenue stream for the last three years, taking down OS X via the Safari browser each time and winning a pile of cash in the process.
So what’s great about a bunch of guys in a windowless room hammering away at MacBooks and iPhones? The really impressive thing in all of this is the sheer brain power on display. Think about what Dai Zovi and Macaulay did for a minute: With a few hours of work, they pulled apart the security model that the developers of Java, QuickTime and OS X had spent years putting together. Unless you’re one of those developers, that’s a pretty impressive feat.
Although the format has changed in recent years and Miller and others have found their bugs and developed their winning exploits ahead of time, their accomplishments are no less impressive. Microsoft, Mozilla and Google now know that Pwn2Own is a major date on these researchers’ calendars and they often will issue patches for their browsers right before the contest, as they did within the last week. So sitting down in front of a freshly patched MacBook or iPhone or Droid and trying to get your exploit to work still requires a lot of ingenuity.
The kind of raw intelligence, resourcefulness and cleverness that Pwn2Own brings out of the security community is still very cool to see. Consider the 2009 Pwn2Own contest, for example. That year, a researcher named Nils, whom many people at the conference didn’t know, walked into the contest and not only exploited both Safari and Firefox on OS X, but also took down Internet Explorer 8 on Vista. Given the presence of DEP and ASLR on the Windows machine, many researchers didn’t think IE 8 would fall.
Nils’ accomplishment was the security equivalent of virtual unknown Abebe Bikila of Ethiopia showing up at the 1960 Rome Olympics and winning the marathon. Barefoot. On cobblestone streets. In an Olympic-record time. And Nils did it again the next year, exploiting Firefox on Windows 7, bypassing ASLR and DEP in the process.
There are a lot of things in the security industry that are broken or don’t work the way they should — and not just software and hardware. Security itself, in a lot of ways, just doesn’t live up to the promises that everyone has made over the years. But that doesn’t mean people in the research community and the vendor community aren’t trying, aren’t putting in hard work and aren’t getting better. Because they are, and the evidence is here.
Main graphic via sporst’s Flickr photostream.