Google has announced that it will be sponsoring a $20,000 prize at the 2011 CanSecWest Pwn2Own Contest. $20,ooo will be given to the first person to escape Chrome’s sandbox through Google-written code in the first day. If researchers are unsuccessful on the first day, then days two and three will be opened up to non-Google-written code. In addition to the cash, there is also a Google CR-48 running ChromeOS offered as a prize, but it will not be the actual platform used to hack Chrome. We look forward to seeing what comes out of this contest.
[via GearLog]
Noob question, but what is meant by “Escape the Sandbox”, is it a play on words or does it mean something.
@ Chase:
The goal is to hack outside of just the browser, and control the system(ie: malicious code, etc)
Chase: Aaah, good ol’ Wiki… https://secure.wikimedia.org/wikipedia/en/wiki/Sandbox_%28computer_security%29
the sandbox is a restricted space where the code (javascript …) is running. A malicious code would not be able to go out of it.
http://en.wikipedia.org/wiki/Sandbox_(computer_security)
$20,ooo?
twenty dollars wooo
Noob question, but is it actually easier to hack open source software? You could look for possible buffer overflows right in the source code.
I know that because many people have their eyes on the code, it will have less security issues. But beside that fact, is that a potential problem with open-source?
@zool:
Yeah I agree. Toss in a case of Mountain Dew and there might be some incentive…oh, wait are those zeros after the comma? Welllll now
@gorgos, your question has been answered many times. Would be easier and faster to do a quick search. Long to short, In many cases Open Source can be more secure since everyone understands how it works and can build upon the holes it may have.
As for the $20,000 contest, I think its a ploy by google to have their security checked rapidly and cheaper then paying their people to do it. IMHO day 2 and 3 will prove interesting.
@jeicrash:
A ploy? It’s clearly for that reason, and they’re definitely not the first to do it. It gives people the incentive to:
-Dive into the good, maybe start contributing
-Find horrible bugs
and I would say most importantly:
-Give incentive to those with an exploit to get it patched, instead of selling it to blackhats.
@Jeicrash, long to short…. you really didn’t answer the question and only served to puff up your chest with a verbatim answer that didn’t add anything to his own observation…
@Gorgos…no, open source is not easier to hack because you have access to the source. Potentially it can aid in nailing down specifics, but normally packet sniffers, memory dumps, and such are the preferred tools as they give insight on what is actually happening as opposed to what should happen. Once someone finds a potential hole, source can then be of aid but isn’t totally necessary. M$ gets hacked all the time and source code isn’t available.
Reading 1 mill plus lines of code isnt light reading….
@Lion XL
I agree for the most part, but open source IS beneficial to finding bugs/exploits.
The reason for this is that once you have a possible bug, it is much easier to “find a way out” to an exploit, rather than trial and error type methods.
@gorgos
While more people are looking at the source code, they see it in an un-compiled form. As Lion XL said this doesn’t show what is REALLY happening behind the scenes in machine code. Once you “optimize”, link, and compile code you sometimes see a bug that shouldn’t be there according to the source.
20, leter o leter o letter o dollars?
I kind of want to see some no name guy come in and trash it in a minute or 2 so i can get a good laugh. If it were an M$ product I’d say a second or 2.
I crack my knuckles menacingly at this competition.
I bet $5 a lone wolf in China gets it in the first day.
@Chase,
Just to confuse things slightly there is also another definition of Sandbox that people may be more familiar with:
http://en.wikipedia.org/wiki/Sandbox_(software_development)
If you have only ever heard ot this type of sandbox then the article was even more confusing!
I can’t see it falling on the first day after not falling for the last 2 years. The sandbox approach to security is a very good one as your attack space is limited so much. That’s why Microsoft have been sand boxing a lot of their programs over recent years.
The only place I can think it could potentially get hacked is the hardware acceleration code. I’m not sure if that was in there last year already but obviously people have had time to look at it now.
Looking forward to seeing if anyone hacks IE 9 more than Chrome. I know it’s beta but I think the base is pretty solid.
You can’t see it because you don’t believe it, that you or someone skilled could do it. Not good in web software dev, not trained in Informathics, someone like you (no, no, not you), a Hacker or better a brilliant Cracker.
Don’t compare IE9, Chrome etc. it’s useless. Anyway, I like my “cage”. Only n00b’s use it.