Google’s Chrome will likely survive the first day at next month’s Pwn2Own hacking challenge, but may fall the next when the rules change, the contest organizer predicted Friday.
The other three target browsers—Apple’s Safari, Microsoft’s Internet Explorer and Mozilla’s Firefox—will almost certainly tumble at Pwn2Own again this year, said Aaron Portnoy, the manager of HP TippingPoint’s security research team. But Chrome is the wild card.
“I’m fairly certain that most, if not all, of the browsers will be compromised,” Portnoy said. “I suspect that IE, Firefox and Safari will all be hacked, but Chrome won’t, not on the first day.”
TippingPoint is the sponsor of the fifth annual Pwn2Own contest, which runs March 9-11 at CanSecWest, a Vancouver, British Columbia, security conference.
Chrome will last longer than the other browsers—or maybe make it out of Pwn2Own unscathed for the third year running—because it’s the only one of the four that relies on a “sandbox.” A sandbox isolates system processes, theoretically preventing malware from escaping an application—like Chrome—to infect the computer.
To exploit a sandboxed program like Chrome—another is Adobe Reader X—hackers need not just one vulnerability but a pair: The first to escape the sandbox and a second to exploit the application itself.
“The sandbox in Chrome is the big hurdle,” said Peter Vreugdenhil, a TippingPoint researcher and past winner of Pwn2Own. Vreugdenhil will be one of the contest judges this year.
Researchers have to play under different rules if they take on Chrome. The first day of the contest, hackers can tackle the browser—and walk off with the $20,000 prize if successful—only by exploiting vulnerabilities in Google’s own code.
On the second and third days of the contest, researchers can employ a non-Chrome bug—one in Windows, for instance—to break out of the browser’s sandbox. A successful attack on the second or third day will still put $20,000 in the researcher’s pocket, but Google and TippingPoint will split the check.
“Google didn’t want to pay for a vulnerability in someone else’s code,” Portnoy said.
Google is the first browser vendor to put money into the Pwn2Own prize pool, and will pay out a maximum of $20,000. The company approached TippingPoint with its offer, a move that may have saved Chrome a spot in the challenge, Portnoy said.
“They threw out the number $20,000,” he said. “Actually, we weren’t going to include Chrome, we weren’t going to have it in the contest at all because we already had a WebKit browser.” WebKit is the open-source browser engine that powers not only Chrome but also Safari.
The rest of the cash—$15,000 for the first exploit of each browser, and another $60,000 for Pwn2Own’s mobile hacking track—came from TippingPoint.
Because Google put up its money for the Chrome part of the browser challenge, Portnoy modified the rules after getting feedback from former contest winners and other security researchers, then came up with the first day-second/third days split.
Portnoy and Vreugdenhil maintained that Chrome is hackable.
“Chrome uses WebKit, that’s its major weakness,” said Portnoy. “And the sandbox has to rely on the underlying OS to provide security that [Google] doesn’t have a way to mitigate. That increases the attack surface considerably. We know [Chrome vulnerabilities] are out there.”
And sandbox escape techniques, whether in general or for Chrome specifically, are “fairly well known,” Portnoy said.
“But it’s not trivial to find an underlying vulnerability [to escape the sandbox],” said Vreugdenhil, who is qualified to talk about exploit difficulties.
Last year, Vreugdenhil used two different Windows vulnerabilities at Pwn2Own to bypass Windows 7’s ASLR and DEP defensive technologies so he could hack IE for a $10,000 prize. At the time Portnoy called Vreugdenhil’s work “technically impressive.”
While TippingPoint hopes that the bigger prize for Chrome will convince researchers to take on Google’s browser, Portnoy is expecting that anyone armed with a WebKit vulnerability will aim at Safari first.
“If you’re coming to Pwn2Own [with a WebKit vulnerability], your first target is Safari because it’s running on a weaker OS and you’re not dealing with a sandbox,” said Portnoy.
At last year’s Pwn2Own, Firefox, IE and Safari were compromised on the first day of the contest, but Chrome was untouched throughout. Three-time winner Charlie Miller grabbed $10,000 for hacking Safari on Mac OS X, while a German computer science student, who goes only by his first name of Nils, compromised Firefox on Windows 7. Like Vreugdenhil, Nils had to evade Windows’ ASLR and DEP protections.
TippingPoint’s expecting more hacking fireworks this year.
“Perhaps this year, attackers will decide to capitalize on their Chrome vulnerabilities,” said Portnoy.