$2.7 Million On Offer For Pwnium 4
Written by Alex Armstrong   
Friday, 31 January 2014

Google has again increased the amount it is prepared to pay out to hackers who find serious holes in the Chrome OS. In Google fashion the headline sum uses a mathematical constant - this time it is e - giving a total prize pot for this year's Pwnium of $2.71828 million.

Pwnium 4 is Google's fourth annual hacking contest and will be held in March at the CanSecWest security conference in Vancouver alongside the longer-established "Pwn2Own".

For anyone mystified by the contensts' names, pwn means to hack and contestant in the Pwn2Own contest get to keep the device they succeed in hacking as well as comppeting for cash prizes. Pwnium is a play on the full name of Google Chrome: Chromium.

Although Google's total prize pot is set at  $2.71828 million, the full sum won't necessarily be paid out. 

Rewards of $150,000 will be made for any hack via a Web page that let's a hacker control a Chrome OS PC even after it reboots; and $110,000 for similar hacks that don't persist after rebooting.

In addition the Chromium blog states

New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.

The link in the above paragraph is an article on LWN.net on Kernel address space layout randomization, a technique that has been added to Chrome OS that  make exploits harder by placing various objects at random, rather than fixed, addresses.

Whereas previous competitions have been restricted to Intel-based Chrome OS devices, this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. Although devs can work with virtual machines the attack has to be demonstrated on the physical device running the then current stable version of Chrome.

For the Pwnium contest, the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL.

Participants need to register in advance for a timeslot in which to demonstrate their exploits and only exploits demonstrated in this specifically-arranged window will be eligible for a reward.  Registration, which is by e-mail to pwnium4@chromium.org, closes at 5:00 p.m. PST Monday, March 10th, 2014.

Pwn2Own will also take place at  CanSecWest between March 12-14 and its PWN2OWN rules for this year will be announced  shortly.

 

More Information

Chromium Blog

Kernel address space layout radomization

CanSecWest Vancouver 2014

 

Related Articles

Google Announces More Cash For Security Bugs

Chrome Hacked Twice at CanSecWest

Google Offers $1 million for Chrome Hack

Google Offers Cash For Security Patches

A Short History of Hacking

Chrome, IE and Firefox Hacked

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

 

Banner


Master Large Language Model Ops
20/03/2024

New technology brings with it more career opportunities. You may never have imagined becoming an LLMOps consultant,  but there's now a Coursera Specialization which provides preparation for this  [ ... ]



We Built A Software Engineer
20/03/2024

One of the most worrying things about being a programmer today is the threat from AI. It has gone so far that NVIDA CEO Jensen Huang proclaims that you really shouldn't start training as a programmer  [ ... ]


More News

Last Updated ( Friday, 31 January 2014 )