Charlie Miller skipping Pwn2Own as new rules change hacking game

Summary: The annual Pwn2Own hacker contest kicks off today with new rules, controversy over disclosure and the absence of a regular participant.

TOPICS: Security, CXO
VANCOUVER -- Charlie Miller won't be defending his Pwn2Own hacking crown this year.

Miller, a Pwn2Own regular who makes headlines every year for his work breaking into fully patched Mac OS X machines, says he is skipping the contest this year because of the new rules that require on-the-spot writing of exploits.

When Pwn2Own kicks off at the CanSecWest security conference here, it will resemble a capture-the-flag (CTF) style competition instead of the random draw that allowed hackers to participate with ready-made vulnerabilities and exploits.

"I understand why they switched, they wanted to remove the whole 'random draw' from the equation, which I [thought] was a necessary move. Last year I had a Safari exploit that I didn't get to use because the Vupen guys got their name drawn before me and I was pretty upset," Miller said in an interview.

"However, the new structure doesn't really suit me. By making you write exploits there, it turns it into more of a capture-the-flag (CTF) style competition. There is no way by myself I can compete against a team of 5 or 6 Vupen guys. It really rewards larger teams/groups," Miller explained.

"The new format is really more of a team competition while in the past it was more of an individual competition. Plus I don't really want to spend CanSec writing exploits," he added.

This year, hackers will be pitted against the four major web browsers -- Microsoft's Internet Explorer, Mozilla Firefox, Apple Safari and Google Chrome -- using a point-based system. The hacker or hacking team that demonstrates a working zero-day exploit against the latest version of a browser will be awarded 32 points.

A new wrinkle in the rules this year is the addition of already-patched browser vulnerabilities as targets. The contest organizers are challenging the hackers to write exploits for them on site.

VUPEN, the controversial French company that sells zero-day vulnerabilities and exploits to government customers worldwide, is planning a major assault on all four browsers this year.

"Yes, we will participate in Pwn2Own. We will be a team of five from VUPEN and we will bring zero-days and work on creating exploits on site," said VUPEN co-founder Chaouki Bekrar.

Bekrar exploited a zero-day bug in Apple's Safari browser to hack into a fully patched MacBook Pro and win the contest last year.

Bekrar said the new rules benefit full-time exploit writers and full-time researchers, and VUPEN has already boasted on Twitter that it will be using zero-day vulnerabilities against all four web browsers this year.

Pwn2Own is not without controversy this year. Google was originally listed as a contest sponsor but withdrew over a disagreement about how exploits would be shared with affected vendors.

Here's the explanation from the Google Chrome security team:

Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.

Google has since launched its own Pwnium contest with big cash prizes for hackers who demonstrate remote code execution attacks -- and sandbox escapes -- against the Chrome browser.

Google plans to pay $60,000 for what it describes as a "Full Chrome exploit," an attack against Chrome running on Windows 7 that relies only on bugs in the browser's own code. For a partial Chrome exploit, the company will pay $40,000 if hackers combine multiple flaws (e.g. a WebKit bug combined with a Windows sandbox bug). In cases where multiple bugs and components are targeted, Pwnium will pay a $20,000 consolation prize.

Google's cash prizes are much higher than those of the official Pwn2Own contest and could attract exploit writers, but the company's insistence on receiving the full exploitation techniques could deter participants.

According to Charlie Miller, the controversy over "exploitation techniques" is a bit of a misnomer.

"The contest was always about exploitation. It didn't matter if you could find 100 bugs, if you couldn't turn them into exploits, you couldn't win. The thing that made Pwn2Own cool (and still does) is you have to find a bug, write an exploit, and to some extent weaponize it, because you can only try the exploit a few times before they let someone else try," Miller said.

Miller said Google isn't necessarily interested in exploit techniques. He believes the company wants to buy information on sandbox related vulnerabilities.

"For better or worse, Pwn2Own has never been about that, mostly, I suspect, because when it started, nothing was sandboxed. None of my exploits ever needed to escape the sandbox. The OS X ones weren't in a sandbox and the iOS one grabbed the address book which is allowed by the sandbox. The controversy is whether you should win without escaping the sandbox I guess," Miller said.

Pwn2Own organizers believe Google's alternative contest won't attract many participants.

Pwn2Own has never required that contestants give up such sandbox escapes. We do require that they demonstrate them, in order to verify that they did indeed "hack" the target, but we have never required they disclose the escape to us or the vendor. The reason we do not do so is because our goal is to get as many vulnerabilities fixed through the contest as possible. This may sound contradictory, but it is not. If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome, which means that no Chrome code execution vulnerabilities would be fixed through the contest at all. However, by not requiring that the escape be disclosed, we believe we will have success in getting code execution vulnerabilities fixed and, in the end, providing the details responsibly to vendors (again, for free) so that they may fix their products.

Due to our disagreement about the best way to get the most vulnerabilities fixed, Google has withdrawn sponsorship of Pwn2Own. We understand their reasons for doing so: they want to be able to receive the sandbox escape details to improve the security of their product. That is why they launched Pwnium. What we believe they fail to realize is that, for the $60,000 they are offering, it is incredibly unlikely that anyone will participate.

Stephen Fewer, another former Pwn2Own winner, likes the new rules and format this year.

"I think it provides a fairer platform for competitors to showcase their zero-days and exploit development skills over the previous years which used a lottery system to determine which competitor could go first for a given target, potentially preventing any other competitor from even competing against the same target," Fewer said.

"Although the value of the prizes is relative to the amount of zero-day you have to drop to get placed in the competition, so it will be interesting to see how that stacks up, but 60K and all the publicity that goes with it should make for a lucrative first prize," he added.

Talkback

10 comments
  • Interesting

    I think this is the best post not written by Mary Jo Foley I've read in a while.

    Two or three years back, Miller, I believe, gave a frank opinion about the skewed economics of pwn2own. How some exploits could be sold for more or cost more in billable time than the prize offered, and so were kept in the pocket.

    It seems that the new rules were set up to find the super-crackers, but I think Miller has a point about how the rules favor teams, and thus companies who can spare some guys for the conference. Well, it's publicity for the winner.

    I think the takeaway is that pwn2own is not exactly the os/browser blesser the partisans make it to be.
    DannyO_0x98
  • Shooting Fish in a Barrel

    Honestly, the ability to fuzz an App doesn't take any special talent. Just a lot of patience and determination to find a chink in the armor.

    But, really, this glamorization is a bit much.
    Let's make it interesting. Put Linux in the competition. And sandbox it.
    You'll never compromise a Linux box for sure.

    Bunch of Amateurs. ^pfffft.
    Dietrich T. Schmitz *Your
    • Guess again

      Linux boxes that are used as servers are compromised on an almost DAILY basis. Linux is simply not as 'compromise proof' as Lintards like you want to believe it is.
      Lerianis10
  • allowing patched ones is stupid. so is not allowing you to bring them in with

    you. The goal should be surfacing as many unpatched ones as possible. However they're surfaced isn't the issue.
    Johnny Vegas
  • WTF

    "The reason we do not [require that contestants give up such sandbox escapes] is because our goal is to get as many vulnerabilities fixed through the contest as possible"

    Sounds 100% contradictory :| if the exploit is given up, why wouldn't the company take advantage of it and fix it in their software? Just saying it's not contradictory doesn't make it so. Or, is their logic the fact that a company knowing that there is such exploit would dig deeper into their software to find that exploit along with several others?.....Isn't that what Google has been doing all this time since Chrome 1.0....sheesh.

    As for Google's big cash give-away, why wouldn't that attract hackers? Is it too small for a piece of code that you can't touch/feel? Gimme a break.
    MrElectrifyer
    • Yeah, I'm still having a hard time with that one

      The goal is to fix them, without knowing what they are.... huh?
      Badgered
    • You are not understanding

      This is 100% NOT contradictory.
      There is not just one exploit involved here, there are at least two. Getting out of the sandbox means NOTHING if you can place code, but not execute. Having a browser flaw means nothing if you can not escape the sandbox. In order to play, you have to have BOTH a browser flaw, and a way to get outside the sandbox. The contest participants are required to disclose the browser flaws, but NOT the sandbox escapes that allow them to take advantage of these flaws.

      BTW, the fact that these people are experts in the field, and admit that it SEEMS contradictory at first glance should at least have HINTED to you that your analysis was superficial.
      .DeusExMachina.
  • And there's the key, Windows fanboys

    Charlie Miller says: "The contest was always about exploitation. It didn't matter if you could find 100 bugs, if you couldn't turn them into exploits, you couldn't win."

    And that's the big difference between Linux and Windows. Linux has hundreds of bugs but where are the exploits to take advantage of them. That's also another reason why Linux doesn't show up at CanSecWest.

    Ok Windows fanboys, your turn. Let's see the FUD fly...
    ScorpioBlack
  • so cute

    I don't see Red Hat making billions in profit per quarter, yet hell, they don't even have a billion in revenue yet! http://www.youtube.com/watch?v=yG5FhCFvjvU
    gladgame