Google Pits Hackers Against Chrome OS At Pwnium 4
This year Pwnium 4, Google's competition that lets the company learn from security researchers, will once again set sights on Chrome OS, and will be hosted in March at the CanSecWest security conference in Vancouver.
With a total of $2.71828 million USD in the pot, Google will issue Pwnium rewards for eligible Chrome OS exploits at the following levels:
- $110,000 USD: browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.
- $150,000 USD: compromise with device persistence: guest to guest with interim reboot, delivered via a web page.
New this year, Google will also consider bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.
Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.
Any software included with the default installation may be used as part of the attack. For those without access to a physical device, the Chromium OS developer's guide offers assistance on getting up and running inside a virtual machine, although a virtual environment might differ from the physical devices where the attack must be demonstrated.
Google will require participants to register in advance for a timeslot. To register, e-mail security@chromium.org. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014. Only exploits demonstrated on time in this specifically-arranged window will be eligible for a reward.