Linux triumphant: Chrome OS resists cracking attempts

Summary: Linux, once again, proved to be far more secure than most other operating systems as Google's Linux-based Chrome OS shrugged off its attackers at the $3.14-million Pwnium cracking competition.


The Chrome web browser on Windows is breakable, but its little brother, the Linux-based Chrome OS, proved to be essentially uncrackable at the CanSecWest conference in Vancouver, Canada.

Google's Linux-based Chrome OS defied attempts to crack it in the Pwnium hacking competition.
(Image: Google)

In a separate security contest, the HP Zero Day Initiative's (ZDI) Pwn2Own competition, Microsoft's IE 10, Google's Chrome, and Mozilla's Firefox web browsers were all cracked. Java was also cracked multiple times.

In addition, Google is offering a total prize package of $3.14159 million in its own Pwnium 3 Chrome OS cracking contest.

Specifically, here are the prizes that Google is proposing:

  • $110,000: Browser- or system-level compromise — in guest mode or as a logged-in user — delivered via a web page.

  • $150,000: Compromise with device persistence — guest to guest with interim reboot — delivered via a web page.

Google is offering multiple prizes for each crack up to a maximum of $3.14 million for all winners.

Winning attacks had to "be demonstrated against a base (wi-fi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc) may be used to attempt the attack".

That's serious money for serious cracking. Google did this, according to Chris Evans, the tech leader of the Google Chrome Security Team, because "Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That's why we've continued to engage with the security research community to help us find and fix vulnerabilities".

A few days before the contest, Google pushed out 10 Chrome browser security fixes and then the games were on.

Even with millions of dollars in prizes at stake, no one was truly successful in taking down the Linux-based Chrome OS. The Google Chrome team reported on Google+ that even though the competition deadline had been extended at the would-be crackers' request, "We just closed out the competition. We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits."

Further details are not available at this time, but clearly, given the failure of all browsers on Windows in Pwn2Own and yet another wave of critical Windows vulnerabilities, Chrome OS in specific, and Linux in general, remains the best choice for security-conscious desktop users.

  • Where is everyone?

    We keep hearing how unsecure Linux is, but Chrome didn't fall and yet Windows did!
    • FUD

      It's because Windows fanboys bash what they know is more secure :)
      • Oh please. Linux is stuffed full of security holes. Look at all the holes

        they've had to fix over the last decade. It dwarfs the windows security holes. And more will be found in Linux than windows in 2013 too. And 2014 and 2015.
        Johnny Vegas
        • .

          "had to fix" ? or "found and fixed" ?

          See the difference between windows and linux is that they can find and fix security holes much much much faster than any closed operating system - i.e. windows.

          The fact remains, despite what you personally think, that Linux is way more secure of an operating system than windows will ever be. And instead of just ranting back about stuff you clearly don't know anything about... go find me a professional report that states anything to the contrary.
          • SO to be clear...

            If I build a house and the roof leaks, but the people who bought it from me don't mind... I'm a good home builder and you would recommend me to your friends right? I mean sure there's a huge leak in my shoddy roof, but as long as nobody cares, I'm the best right?
          • what ?

            That comment makes absolutely no sense and is in no way even remotely a valid comparison to what I said... and to quote a favorite movie of mine, "Everyone in this room is now dumber for having listened to it"

            Thank you.
          • Linux has plenty of known issues that have very long

            times to fix. You can pretend as hard as you like but that won't change reality. This isn't the 90s anymore. MS upped its game. It has the most secure desktop os, the most secure mobile os, the most secure server os, the most secure SQL, the most secure browser, etc. etc. Parroting foss fud doesn't make it true.
            Johnny Vegas
          • Re: Linux has plenty of known issues that have very long times to fix.

            And yet, when the rubber hits the road, and somebody is offering actual money to put up or shut up, you can't find a single one.
          • Wonder why

            Google doesn't offer money to find holes in Android ? I know, you will never answer, but rest assured, the minute Chrome OS offers native applications is the minute Google stops offering money to hack the os.

            Come to think of it, why hack an operating system that spies on you anyway, just use wireshark and all your secrets are flying over the wire.
          • Wireshark is open source.

            From the same community as Linux, so you, of course, must despise it. But you use it?
            Why would you? There are a few $30K+ closed source packet sniffers, why aren't you using one of those, as they must be way better than anything the open source could produce.
          • Google does offer rewards

            Google doesn't need a big convention to offer money to find bugs in Chrome. Google has a program where when you find a bug and report it you get a reward.
          • 3rd party analysis does not support your hypothesis

            My opinion on the subject:
            Linux is built around a lot of Unix concepts, 40 years of software development and people beating these boxes to death, it is secure mainly by Unix's trial by fire, and this has helped immensely, lots of lessons were learned and directly applied to Linux. It was a multi-user environment from the beginning and a lot of effort was involved in architecting it to not let one user interrupt or gain access to another user's data. It was also designed in a very modular fashion which makes fixing the root problem of any found exploits much easier.

            Windows was cobbled together from an old dos system single user system and though it has gone through several refactors still shows its monolithic design and organic growth from this single user environment. Even after moving to a posix base they still pulled across all their old design and its flaws and exploits. So whenever they release a patch it is more aptly named than perhaps a linux patch as it is just a bandaid over this leviathan of decades of organic growth.
          • The security aspects may be true

            But with Windows I don't have the patching breaks that happen all too often with Linux. At the end of the day, Windows is easier to use and my employer does not pay me to sit around fiddling with the OS. Your post does not seem trollish, but to say the modern professional version of Windows was cobbled together from DOS really does not lend you a lot of credibility. Not knowing how to secure a system is different from being able to.
          • @ mneisler

            Not factual at all!
            "40 years of software development" - that is the problem. I do not take sides in the OS wars but Linux kernel is monolithic and the ring-based architecture allows little wayside for modularization. And authentication schemes were added as an afterthought (like PAM) and you will see little to no thought into making login/logout/command access RBAC based or new NAP/NAC schemes based. Linux has a good networking stack but the security/authentication stack is weak. This is also the main reason why Sony PlayStation network, LinkedIn network etc were hacked into - front-end/back-end Linux servers were authentication/authorization compromised. Of course, there is also a network angle to it too - that is - security is actually a network attribute (chip based encryption/decryption of traffic, NAC/NAP schemes, different AAA schemes etc) but Linux OS still has blame to shoulder. It is not enterprise grade except for maybe RHEL OS/SUSE and IBM's Yellow Dog Linux. RHEL OS gains enterprise market share and they have steadily improved their OS offerings but they are not used at the major consumer cloud players including Google, Apple, Sony, Facebook, LinkedIn etc.

            Client Windows was derived from DOS kernel till Win2000. The kernels then moved onto the Windows NT kernel which itself saw a major authentication security scheme bump up since 2004. Check out the NAP service feature under msconfig. If you were on Windows XP client prior to SP2, you will have Windows OS security issues. If you were on Windows XP SP3 and beyond and especially Windows 7, there should be no authentication security loopholes anymore due to redesign.

            But I am not so sure about browser or HTTP based security authentication schemes. I think all HTTP client browsers are by nature inclined or prone to vulnerabilities due to the way HTTP protocol is designed. Windows or MAC is not alone in that area. Any browser is susceptible to trojan/malware auto-downloads on visiting a webpage and there is little the browser can do other than installing anti-virus/anti-malware software that will prevent the download in process or execution of code after download. That is an application or actually HTTP protocol issue. Not Linux, Windows or MAC issue. Though it does appear that Windows first and MAC second are increasingly being targeted with the download code. Blame the Web Server programmers for using bad Web servers. Not the Client OS only.
          • @calahan

            There isn't any weakness in Linux authentication, and PAM allows multiple different authentication schemes to be used depending on requirements. The most secure and the most exposed devices in the world are Linux servers and Linux firewalls - areas where Linux excels because of its security.

            Most authentication compromises on Linux servers occur because the password was obtained by hacking a Windows desktop and obtaining the Linux server password that way - for example by installing a key logger on a Windows desktop being used to log into the root account on a Linux server. This is the weakness in Linux authentication that you are talking about, the weakness of the Windows client devices they are connected to.
          • @calahan

            #1. On preventing "the download in process or execution of code after download"
            I'm guessing that you have never used Linux and experienced a clickjacking attempt. I actually had to close my browser window, once, because of it.
            Of course, when it happened on my Windows machine at work, the entire hard drive had to be re-imaged.
            I'm still using my Linux hard drive, and as my old boss used to say, "you can't argue with success".
            Heck, I can't even run my own scripts, half the time, because I forget to change the permissions in order to execute them.

            #2. Re: Linux being "not enterprise grade"
            Actually you have used Linux, since over 50% of the servers that you use to communicate over the internet, are running Linux server software.
          • And yet the fact remains

            That hackers couldn't break Chrome OS, a Linux Distro. How do you explain this?
          • @ anothercanuck

            And can they open up the ChromeOS libraries for us to see how the entrypoints to their system look?

            xBSD libs are known. Win libs are known. Even distribution Linux libs are known. MAC OS libs are known. But ChromeOS - is it really an OS? There is no such thing as a sandboxed OS. An OS has to allow a user to run loadable executable programs - not just ones downloaded from a Web store. If they mask off all of the program loading API available to external devices, what use is the device for - other than behaving like a smartphone?

            This is a PC OS masquerading as a Web OS - or the other way around. It is a browser calling itself an OS. And it looks to be good at neither.
          • @calahan - talking out of the wrong end of your anatomy!

            Nah - Windows with a browser installed is a PC OS masquerading as a Web OS. Chrome OS is a Web OS.

            A browser calling itself an OS - no ChromeOS is a full OS. If it wasn't, it wouldn't be able to run a full functional Linux distro as a chrooted app.

            Again, you are talking total and utter crap man!
          • Not really surprising though.

            Linux is very secure compared to Windows which is very insecure - that's obvious to anybody with any common sense, and that's why the NSA chose Linux for its SE Linux security enhanced platform.

            ChromeOS is a hyper secure version of Linux, and it is not difficult to see where this extra security comes from. First of all, no way to install code on ChromeOS because it doesn't allow installation of programs - not even drivers. Then if by some fluke you did manage to install some malicious code on it, the code is wiped on the next boot because on boot, the OS checksum is checked against what it should be, and if the checksum doesn't match, a clean copy of the OS is installed automatically.

            A Chromebook is not a pleasant environment for someone trying to break into your computer.