CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

Summary: HP Zero Day Initiatives revamps the annual hacker contest to put more zero-day vulnerabilities and exploits in play.

SHARE:
TOPICS: Security
5

The annual Pwn2Own hacker challenge is getting a major makeover.

According to organizers at HP Zero Day Initiative, the contest will be redesigned to allow multiple hackers to go after the same computer targets over a three-day span.

The contest, which forms part of the CanSecWest security conference in Vancouver, will no longer have mobile devices as targets.  Instead, hackers will take aim at fully patched Windows 7 and Mac OS X Lion machines to accumulate points based on zero-day vulnerabilities and exploits used.

[ SEE: Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari ]

Threatpost.com's Dennis Fisher has more on the changes:

follow Ryan Naraine on twitter

The new format will include the assignment of point values for each of the various targets in the contest, which typically are browsers such as Internet Explorer, Firefox and Chrome running on Mac OS X or Windows machines. In order to win the contest, a participant must have at least one zero-day vulnerability in one of the targets. Each successful compromise of a target with a zero-day will be worth 32 points, and unlike in past years, targets will not be removed from the competition once they've been successfully compromised by one researcher.

Also, on the first day of the contest, the organizers from HP's TippingPoint Zero Day Initiative will announce two previously patched vulnerabilities that contestants can use on each target. They will then have three days to write an exploit that works on a given target, although the point awarded for a win will decrease each day. A win on the first day earns 10 points, nine points on the second day and eight on the third. For those "public vulnerabilities", there won't be any requirement for a sandbox escape or bypass of protected mode in the browsers.

[ ALSO SEE: Pwn2Own 2009: Safari/MacBook falls in seconds ]

Google, as Pwn2Own sponsor, will throw in cash prizes for vulnerabilities exposed in its Chrome web browser.  The search engine giant is offering $10,000 bounties for any zero-day vulnerability/exploit combination that launches harmful code that escapes the browser's sandbox.

For HP Zero Day Initiative, the revamped contest will put more zero-day vulnerabilities in play.  In the past, hackers pulled names from a hat to determine who would be allowed to attempt a code execution attack against a target.

This year, with the changes, it means that multiple hacking teams will get a chance to take aim at Microsoft's Windows OS or Apple's Mac OS X, an intriguing move that should showcase the robustness -- or weakness -- of the two platforms.

[ SEE: Ten little things to secure your online presence ]

It's not quite clear what would happen with the vulnerabilities and exploits used by teams that don't finish in the top three.  If the new rules attract lots of researchers, we could find a situation where teams are giving away zero-day vulnerabilities and not winning anything.  It's unlikely any researcher who knows the value of vulnerabilities would participate under those conditions.

This hiccup was also noticed by Chaouki Bekrar, one of last year's Pwn2Own winner:

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • Hmmm seems boring without linux and android and ios

    I guess everybody just accepts that they have hundreds and hundreds and arent a challenge. The allowing already patched ones just seems lame.
    Johnny Vegas
    • RE: Hmmm seems boring without linux and android and ios

      @Johnny Vegas From a market share perspective based on web clients, Windows and Mac OS X are still nos. 1 and 2, respectively. And iOS has already surpassed the Linux desktop, while Android has pretty much caught up with (and will grow much more quickly than) the Linux desktop.

      However, given the popularity and rapid growth of mobile devices, it seems like it would make sense to include the iPhone 4s and Samsung Galaxy Nexus in the challenge.
      Rabid Howler Monkey
    • Why No Linux?

      @Johnny Vegas I just find it really odd that there isn't a Linux box there. I guess I understand not including the mobile OS's, maybe, but why would you just flat-out exclude Linux? Is it purely a market share issue? Is it maybe because the sponsor wants to demonstrate that Windows is not as easy to break as it seems? Weird.

      I would love to see this expanded, though, to include servers, too, and database servers. Wouldn't THAT be interesting and eye-opening.
      m0o0o0o0o
      • There used to be.....

        @m0o0o0o0o

        But linux was never "pawned". So I guess they gave up, since no could win the prizes for breaking linux.
        linux for me
  • RE: CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

    From the article:
    "Google, as Pwn2Own sponsor, will throw in cash prizes for vulnerabilities exposed in its Chrome web browser.

    This will make the challenge more interesting. Hey, Microsoft and Apple! Why don't you match Google's cash prizes for IE9 and Safari vulnerabilities?
    Rabid Howler Monkey