Google Inc. will pay $20,000 and a Chrome CR-48 notebook to the first hacker who successfully exploits its Chrome browser at this year’s Pwn2Own hacking conference in March this year.
The award is the largest ever for the annual challenge, which will kick off for the 5th time at the CanSecWest security conference in Vancouver, British Columbia, on March 9.
At this year’s Pwn2Own challenge, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down the latest versions of popular browsers like Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple’s Safari and Chrome.
“Google’s $20,000 reward for a successful Chrome hack might just be a clever and cheap way for the company to find new talents and shore up its Chrome security. It amounts to exploitation,” said Fairfield University publicist Joan Grant.
“Yes, it’s good PR. But it’s also a chance to suck the brains of hungry hackers who want to make a name for themselves, and maybe pay a few bills. $20K is chump change for Google.”
The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards.
“We’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000,” said Aaron Portnoy, the manager of HP TippingPoint’s security research team. TippingPoint DVLabs, which is again sponsoring Pwn2Own, set the contest’s rules on Wednesday in a blog post.
Google is the first browser vendor to put money into the prize kitty. “Kudos to the Google security team for taking the initiative to approach us on this,” DVLabs security research manager Aaron Portnoy said.
Pwn2Own 2011 “will focus on two main technologies: web browsers and mobile devices,” Portnoy explained. “Each contestant will have a 30-minute time slot in which to complete their attempt, not counting time to set up possible network or device prerequisites.”
The rules for Chrome are slightly different than for the other browsers because it’s the only one of the four that uses a “sandbox,” an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application – in this case Chrome – to wreak havoc on the computer.
To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug.
Google’s participation in this year’s Pwn2Own may be a mark of its confidence that Chrome can’t be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.
IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher — a German computer science major who gave only his first name, Nils — hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.
Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn’t commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome. “Pwn2own now offering 20k for attack on Chrome,” Miller wrote on Twitter. “Must be hard, glad Mac OS X doesn’t sandbox their browser.”
Miller is a Mac hacking authority – he co-authored ‘The Mac Hacker’s Handbook’ with Dino Dai Zovi, a 2007 Pwn2Own winner – and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.
“If I knew enough about technology, I’d hack in and tell them to keep their change,”Joan Grant said. “Apple never asks for this kind of thing, but maybe Steve Jobs doesn’t have to. His stuff is just too good.” [Pwn2Ow and Tipping Point via Computer World and Tech News World]