Chrome in the Pwn2Own Contest

Google has announced that it will be sponsoring a $20,000 prize at the 2011 CanSecWest Pwn2Own Contest. $20,ooo will be given to the first person to escape Chrome’s sandbox through Google-written code in the first day. If researchers are unsuccessful on the first day, then days two and three will be opened up to non-Google-written code. In addition to the cash, there is also a Google CR-48 running ChromeOS offered as a prize, but it will not be the actual platform used to hack Chrome. We look forward to seeing what comes out of this contest.

[via GearLog]

Comments

  1. Chase says:

    Noob question, but what is meant by “Escape the Sandbox”, is it a play on words or does it mean something.

  2. Fritoeata says:

    @ Chase:
    The goal is to hack outside of just the browser, and control the system(ie: malicious code, etc)

  3. Chris says:

    the sandbox is a restricted space where the code (javascript …) is running. A malicious code would not be able to go out of it.

    http://en.wikipedia.org/wiki/Sandbox_(computer_security)

  4. zool says:

    $20,ooo?
    twenty dollars wooo

  5. gorgos says:

    Noob question, but is it actually easier to hack open source software? You could look for possible buffer overflows right in the source code.

    I know that because many people have their eyes on the code, it will have less security issues. But beside that fact, is that a potential problem with open-source?

  6. Mitch says:

    @zool:
    Yeah I agree. Toss in a case of Mountain Dew and there might be some incentive…oh, wait are those zeros after the comma? Welllll now

  7. jeicrash says:

    @gorgos, your question has been answered many times. Would be easier and faster to do a quick search. Long to short, In many cases Open Source can be more secure since everyone understands how it works and can build upon the holes it may have.

    As for the $20,000 contest, I think its a ploy by google to have their security checked rapidly and cheaper then paying their people to do it. IMHO day 2 and 3 will prove interesting.

  8. Gdogg says:

    @jeicrash:
    A ploy? It’s clearly for that reason, and they’re definitely not the first to do it. It gives people the incentive to:
    -Dive into the good, maybe start contributing
    -Find horrible bugs
    and I would say most importantly:
    -Give incentive to those with an exploit to get it patched, instead of selling it to blackhats.

  9. Lion XL says:

    @Jeicrash, long to short…. you really didn’t answer the question and only served to puff up your chest with a verbatim answer that didn’t add anything to his own observation…

    @Gorgos…no, open source is not easier to hack because you have access to the source. Potentially it can aid in nailing down specifics, but normally packet sniffers, memory dumps, and such are the preferred tools as they give insight on what is actually happening as opposed to what should happen. Once someone finds a potential hole, source can then be of aid but isn’t totally necessary. M$ gets hacked all the time and source code isn’t available.

    Reading 1 mill plus lines of code isnt light reading….

  10. Spork says:

    @Lion XL
    I agree for the most part, but open source IS beneficial to finding bugs/exploits.

    The reason for this is that once you have a possible bug, it is much easier to “find a way out” to an exploit, rather than trial and error type methods.

    @gorgos
    While more people are looking at the source code, they see it in an un-compiled form. As Lion XL said this doesn’t show what is REALLY happening behind the scenes in machine code. Once you “optimize”, link, and compile code you sometimes see a bug that shouldn’t be there according to the source.

  11. Cake says:

    20, leter o leter o letter o dollars?

  12. medwardl says:

    I kind of want to see some no name guy come in and trash it in a minute or 2 so i can get a good laugh. If it were an M$ product I’d say a second or 2.

  13. rop says:

    I crack my knuckles menacingly at this competition.

  14. supershwa says:

    I bet $5 a lone wolf in China gets it in the first day.

  15. holly_smoke says:

    @Chase,

    Just to confuse things slightly there is also another definition of Sandbox that people may be more familiar with:

    http://en.wikipedia.org/wiki/Sandbox_(software_development)

    If you have only ever heard ot this type of sandbox then the article was even more confusing!

  16. Pete says:

    I can’t see it falling on the first day after not falling for the last 2 years. The sandbox approach to security is a very good one as your attack space is limited so much. That’s why Microsoft have been sand boxing a lot of their programs over recent years.

    The only place I can think it could potentially get hacked is the hardware acceleration code. I’m not sure if that was in there last year already but obviously people have had time to look at it now.

    Looking forward to seeing if anyone hacks IE 9 more than Chrome. I know it’s beta but I think the base is pretty solid.

  17. Neo says:

    You can’t see it because you don’t believe it, that you or someone skilled could do it. Not good in web software dev, not trained in Informathics, someone like you (no, no, not you), a Hacker or better a brilliant Cracker.

    Don’t compare IE9, Chrome etc. it’s useless. Anyway, I like my “cage”. Only n00b’s use it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,386 other followers