Since its inception in 2007, the Pwn2Own computer hacking contest has been testing mobile phones and web-related software for vulnerabilities.
In 2010, the fruit of two full days of hacking came down to the exploitation of the following web browsers: Safari 4 on Mac OS X, Internet Explorer 8 on Windows 7, and Firefox 3.6 on Windows 7.
The winners walked away with the successfully hacked computer, plus a cash prize, but they left one Godly browser intact: Google Chrome. Even the savviest of web nerds shied away, despite the hefty $10,000 prize offered to crack Chrome’s sandbox. Nobody even tried.
All hail Google.
This year Google is feeling extra cocky. They’ve upped the ante, offering a large cash prize of $20,000 to anybody who can hack a Windows 7 machine through the Chrome web browser by “popping the browser and escaping the sandbox using vulnerabilities purely present in Google-written code.” Chrome is the only one of the four browsers that uses a “sandbox”, a security mechanism for separating running programs, in order to prevent malware from escaping and contaminating the computer.
Google’s generous offer is likely an indication of their confidence that Chrome can’t be hacked, and they may be right. Even though Chrome has been a target at Pwn2Own for the past two years, not one contestant has successfully exploited the browser. Google fairly states:
“We think the Chrome browser has a strong security architecture, and Chrome has fared well in past years at Pwn2Own. But we know that web browsers from all vendors are very large pieces of software that invariably do have some bugs and complex external dependencies. That’s why the Chromium Security Reward program exists, along with our newer web application reward program.
As a team comprised largely of security researchers, we think it’s important to reward the security community for their work which helps us learn. Naturally, we’ll learn the most from real examples of Chrome exploits.”
Chrome OS, however, isn’t on the table. Since it’s still in “beta”, Google apparently lacks the confidence that it could stand up to hackers.
The contest will be taking place on the 9th, 10th, and 11th of March, 2011 in Vancouver, BC during the CanSecWest conference. Pre-registration for the event has closed, but on-site registration is still available if the targets have not yet been compromised.