We're just coming up to the annual Pwn2Own competition at the CanSecWest conference in Vancouver, where hackers gather to show their prowess at "owning" patched, up-to-date computers. Or not. To date, Google's Chrome browser has emerged unhacked, so Google is increasing the $20,000 prize it offered last year to $60,000, and it's prepared to give away a maximum of $1 million. (No, you won't get $1m just for hacking Chrome, unless you do it 16.7 times.)
Pwn2Own contests traditionally start with Apple's Safari being hacked in seconds, because it's a desirable prize -- you get to keep the Mac -- and it's such an easy target. Google's Chrome browser is a different matter, and probably not worth the effort. First, you probably need two good exploits, because you also have to get out of Chrome's sandbox. Second, if you have a really exploitable zero-day bug for Chrome, you don't have to divulge it at CanSecWest: you can sell it.
According to its blog post on the contest by Chris Evans and Justin Schuh, Google is offering $60,000 for a "Full Chrome exploit … using only bugs in Chrome itself". I'm guessing that this is roughly twice the market price.
Google is also offering substantial cash prizes for hacks that don't involve only Google code, or any Google code. Google's example is "a WebKit bug combined with a Windows sandbox bug". (If you really wanted to hack someone running Chrome, I'd expect you to take an easier route, ie Hacking Google Chrome Extensions.)
Although great fun for all concerned, Pwn2Own does have a point. As Google says: "Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users."
Or at least, it did have value. This year, Pwn2Own has changed the rules to make it more of a competition. Previously, hackers arrived with their exploits developed in advance, so it was the luck of the draw whether you got first go at Safari. This time it is using a points-scoring system, so you'll need at least one zero-day exploit to have a chance of winning. Of course, you can assume everyone else will have a zero-day exploit too, so you'll probably lose.
HP, which owns the organiser TippingPoint, is offering three prizes of $60,000, $30,000 and $15,000 so divulging zero-day bugs might not be an economic proposition for some contestants. However, Pwn2Own confirmed in a tweet on 23 January:
To clarify, if a team demonstrates 0day at #Pwn2Own2012, but doesn't end up as a winner, the vuln is still theirs and will not be reported.
The change of rules led Google to offer its cash prizes separately. Google says:
Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome.
Pwn2Own also tries to offer desirable hardware to pwn so this year, as well as a MacBook Air, it's using Asus Zenbook UX21 and UX31 Ultrabooks. All the machines have Intel Core i7 processors and 256GB SSDs.
Google is offering Chromebooks, so it might do better with a PwnNot2Own competition.
CanSecWest will be held in Vancouver, Canada, from 7-9 March.