Chrome OS security holes found, patched

Chrome OS security holes found, patched

Summary: At Google's Pwnium hacking competition, two new security exploits in Chrome OS were demonstrated, while at Pwn2Own a Chrome Web browser problem was found that also impacted Chrome OS. All three problems have now been patched.

SHARE:
TOPICS: Security, Google, Linux
26

Linux is very secure. Google's Linux-based Chrome OS, with its auto-updating and security sandboxing, is even more secure. But, neither is perfect. At Google's own Pwnium hacking contest and HP Zero Day Initiative's (ZDI) annual Pwn2Own hacking contest, three new sets of security problems were found in Chrome OS... and then immediately patched.

8_HP_Chromebook_11_Color_Stack
Linux-based Chrome OS is very secure, but as three exploits in recent hacking contests showed, it doesn't have perfect security.

Pwnium, which is Google's hacking competition at the CanWestSec practical security company, was dedicated this year to finding security problems in Chrome OS. There was a "total of $2.71828 million USD in the pot (mathematical constant 'e' for the geeks at heart)." The targets for this exercise were a base, Wi-Fi model of the ARM-based HP Chromebook 11 or a 2GB Wi-Fi equipped model of the Acer C720 Intel Chromebook. In both cases, the Chromebooks were running the latest stable version of Chrome OS.

The first exploit, and prize of $150,000, was awarded to a George Hotz, a well-known researcher hacker known as "Geohot" won $150,000 for an exploit chain six deep on the HP Chromebook 11. This hack resulted in a persistent program executing on Chrome OS. It was, by no means, a simple crack. It involved getting four different security holes lined up perfectly. These were: memory corruption in Chrome's V8 JavaScript engine; a command injection in Crosh, Chrome OS's limited shell; a path traversal issue in CrosDisks, the program that mounts and unmounts file systems in Chrome OS; and an issue with file persistence at boot.

The second hack, with a prize still to be determined, which will be rewarded via Google's Vulnerability Rewards Program, went to the young hacker known only as Pinkie Pie. He'd been winning awards in security hacking competitions since 2012.

This time around Pinkie Pie was able to show off sandboxed code execution and kernel out of bounds (OOB) write. This exploit used two new holes. One, involved memory corruption in the graphics processor unit (GPU) command buffer, while the other invoked a Kernel OOB write in the GPU driver.

Dharani Govindan, a Google Chrome Test Engineer Lead, said of Geohot and Pinkie Pie's exploits, "We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both Pwnium submissions are works of art and deserve wider sharing and recognition."

The last exploit was revealed during the Pwn2Own Web browser cracking competition. VUPEN, the ace French security company and cracking team, while breaking into Chrome OS, found a bug that left exploitable free memory in Blink bindings. Blink is Google's WebKit Web browser engine fork.

Why did Google encourage hackers to break its prize operating system for real money? Chris Evans, a Google security engineer who has been on the Chrome security team since the start told CNET, "If you want high-quality security, you have to pay for it."  Evan also said "The prize is high because the amount we can learn from it is high. We can close whole classes of bugs, while devising new hardening measures."

A Google spokesperson added, "These competitions allow us to patch entire classes of bugs to protect our users from real harm." She concluded, "Google already patched all bugs used for these demonstrated Chrome browser and Chrome OS exploits before the end of day Friday." Clearly, these competitions work.

Related Stories:

Topics: Security, Google, Linux

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

26 comments
Log in or register to join the discussion
  • paying for bugs with huge rewards is always nice

    Because a hacker who can find a bug like that would be more tempted to take 150k legit cash then sell it on the black market. That leads to more secure software for everyone.
    Jimster480
  • WOW!

    They did what they were supposed to do - Hold A Parade!
    Mujibahr
    • Get with the program, Mujibahr

      Rah, rah, rah, GNU/Linux!

      Finally, the GNU/Linux is secure FUD has been debunked. Chrome OS was pwn3d by merely visiting a web page.
      Rabid Howler Monkey
      • the GNU/Linux is secure FUD has been debunked

        Why? this is Chrome OS, not a GNU/Linux distro, besides, finding a couple of security holes doesn't make an OS insecure, no OS is 100% secure, but there are OS's that are more secure than others.
        guzz46
        • guzz46: "the GNU/Linux is secure FUD has been debunked"

          "this is Chrome OS, not a GNU/Linux distro"
          Chrome OS is built from Gentoo, which *is* a GNU/Linux distro. Even Richard Stallman has admitted that Chrome OS is GNU/Linux (even though he doesn't like the cloud). I do agree that Chrome OS is not a conventional GNU/Linux distro.

          "there are OS's that are more secure than others"
          Chrome OS is more secure (read 'hardened') than the vast majority of conventional GNU/Linux distros. The Chrome browser is the only local user application allowed in Chrome OS; thus, much less risk for a user to install a trojan via either side-loading or a tainted package in a supported repository. The Chrome browser is sandboxed via a hardened chroot jail, the included Flash Player and PDF Reader plug-ins are sandboxed, seccomp-bpf provides some protection to the Linux kernel from browser-based exploits and Chrome OS attempts to reboot to a fresh state. In addition, Chrome OS does not include Java, with it's much maligned browser plug-in. Consider this a short list of Chrome OS security features.

          Conventional GNU/Linux distros mostly default with the Mozilla Firefox browser, but some have recently started defaulting with the open source Chromium browser. None of these conventional distros sandbox Firefox, by default. None of these distros sandbox the Flash Player plug-in, by default. To my knowledge only Ubuntu and Linux Mint sandbox Evince, the PDF Reader, by default. The Chromium browser itself, is sandboxed with a hardened chroot jail and provides kernel protection via seccomp-bpf. Many, if not most, of these distros default with the OpenDK JRE and the IcedTea web browser (read 'Java') plug-in. And unless one uses a distros' LiveCD/DVD to boot, none attempt to reboot to a fresh state.
          Rabid Howler Monkey
          • Chrome OS is built from Gentoo

            Just because it's built from a GNU/Linux distro doesn't make it the same, Crosh and CrosDisks are software I don't have on my GNU/Linux install.

            "Chrome OS is more secure (read 'hardened') than the vast majority of conventional GNU/Linux distros"

            That's an opinion, not a fact, one of the security benefits Linux has is it's diversity, different distros, different software, different versions of software, etc.
            guzz46
          • No, in fact it's objectively true

            The Chrome OS team went further than any distro in layering in advanced security protections. E.g., look at:

            http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview#OS_Hardening_9194542095065117__9067499944607271

            Those steps go significantly further than any major distro (in part, because to do all these steps for distro with a full userland would be a LOT of work).
            daboochmeister
          • No, in fact it's objectively true

            No, it's an opinion, there are people who think windows is just as secure as Linux, most Linux users disagree of course, but we have no proof, only our opinion.

            At least one of these exploits wouldn't work on a GNU/Linux distro, because Crosh and CrosDisks aren't installed.
            guzz46
      • Makes You Wonder

        if these guys still expect mommy to clap for them when they poop in the potty?

        Sheesh!
        Mujibahr
        • You're just bitter because you haven't won a $150K prize

          GeoHot took on Sony by hacking the Playstation 3 and then donated the money to EFF. He's got mad skillz. Meanwhile, the best you can do is bang away on your keyboard in your mom's basement, unemployed.
          DonRupertBitByte
          • Nope!

            Nothing but admiration for the hacking crews with their crazy skillz! Kudos!
            Mujibahr
        • Yes Dear Muji

          …...
          RickLively
  • Nobody cares about Chrome OS.

    .
    Owl:Net
    • Wrong

      But nobody cares about you nor your "opinions".
      Economister
    • Well, obviously YOU care enough to, yet again, make a comment about it

      "Bahahaha"
      Smalahove
    • Nobody cares about Chrome OS..........

      Nobody cares about Chrome OS.

      Except Owl:Net. He is always around to comment on anything Chrome OS (or Linux). He really should come out of the closet. Linux and Chrome OS users should not hide in the shadows.

      Come out already Owl:Net. Come Out!!!
      tietchen
  • Kudos to Geohot, Pinkie Pie and VUPEN for finding the vulns

    Kudos to the Chromium/Chrome team for the quick fix.
    RickLively
    • Related news, Kudos to Mozilla Firefox team for the patches

      Kudos also to Jüri Aedla, Mariusz Mlynski. VUPEN and George Hotz for finding these vulns.
      RickLively
      • Since you brought it up ...

        The four (4) successful Firefox exploits on Windows which were demonstrated at Pwn2Own harnessed vulnerabilities that are cross-platform. Thus, I now need to download and install a patched Firefox browser for my GNU/Linux systems.

        Better watch for your distros' patched Firefox browser to appear in the updates ...
        Rabid Howler Monkey
  • Its secure but everything breaks

    Even linux/Unix systems can break, like the 25 thousand odd servers posted here.
    http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/
    JohnnyJammer