Charlie Miller skipping Pwn2Own as new rules change hacking game

The annual Pwn2Own hacker contest kicks off today with new rules, controversy over disclosure and the absence of a regular participant.
Written by Ryan Naraine, Contributor

VANCOUVER -- Charlie Miller won't be defending his Pwn2Own hacking crown this year.

Miller, a Pwn2Own regular who makes headlines every year for his work breaking into fully patched Mac OS X machines, says he is skipping the contest this year because of the new rules that require on-the-spot writing of exploits.

When Pwn2Own kicks off at the CanSecWest security conference here, it will resemble a capture-the-flag (CTF) style competition instead of the random draw that allowed hackers to participate with ready-made vulnerabilities and exploits.

"I understand why they switched, they wanted to remove the whole 'random draw' from the equation, which I [thought] was a necessary move. Last year I had a Safari exploit that I didn't get to use because the Vupen guys got their name drawn before me and I was pretty upset," Miller said in an interview.

"However, the new structure doesn't really suit me. By making you write exploits there, it turns it into more of a capture-the-flag (CTF) style competition. There is no way by myself I can compete against a team of 5 or 6 Vupen guys. It really rewards larger teams/groups," Miller explained.

"The new format is really more of a team competition while in the past it was more of an individual competition. Plus I don't really want to spend CanSec writing exploits," he added.

This year, hackers will be pitted against the four major web browsers -- Microsoft's Internet Explorer, Mozilla Firefox, Apple Safari and Google Chrome -- using a point-based system.  The hacker or hacking team that demonstrates a working zero-day exploit against the latest version of the browser will be awarded 32 points.

A new wrinkle in the rules this year will be the addition of already-patched browser vulnerabilities.  The contest organizers are challenging the hackers to write exploits on the scene.

VUPEN, the controversial French company that sells zero-days vulnerabilities and exploits to global government customers, is planning a major assault on all the browsers this year.

"Yes, we will participate in Pwn2Own. We will be a team of five from VUPEN and we will bring zero-days and work on creating exploits on site," said VUPEN co-founder Chaouki Bekrar.

Bekrar, right, exploited a zero-day bug in Apple's Safari browser to hack into a fully patched MacBook Pro machine and win the contest last year.

Bekrar said the new rules benefit full time exploit writers and full time researchers and VUPEN has already boasted on Twitter that it will be using zero-day vulnerabilites against all four web browsers this year.

Pwn2Own is not without controversy this year.  Google was originally listed as a contest sponsor but withdrew in a disagreement over how exploits would be shared with affected vendors.

Here's the explanation from the Google Chrome security team:

Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.

Google has since launched its own Pwnium contest with big cash prizes for hackers who demonstrate remote code execution attacks -- and sandbox escapes -- against the Chrome browser.

Google plans to pay $60,000 for what is described as a “Full Chrome exploit," an attack against Chrome running on  Windows 7 that exploits a bug in the browser's own code.  For a partial Chrome exploit, the company will pay $40,000 if hackers combine multiple flaws (e.g. a WebKit bug combined with a Windows sandbox bug).  In cases where multiple bugs and components are targeted, Google Pwnium will pay a $20,000 consolation prize.

Google's cash prizes are much higher than the official Pwn2Own contest and could be an attraction for exploit writers but the company's insistence on getting the rights to exploitation techniques could deter participants.

According to Charlie Miller, the controversy over "exploitation techniques" is a bit of a misnomer.

"The contest was always about exploitation. It didn't matter if you could find 100 bugs, if you couldn't turn them into exploits, you couldn't win. The thing that made Pwn2Own cool (and still does) is you have to find a bug, write an exploit, and to some extent weaponize it, because you can only try the exploit a few times before they let someone else try," Miller said.

Miller said Google isn't necessarily interested in exploit techniques. He believes the company wants to buy information on sandbox related vulnerabilities.

"For better or worse, Pwn2Own has never been about that, mostly, I suspect, because when it started, nothing was sandboxed. None of my exploits ever needed to escape the sandbox. The OS X ones weren't in a sandbox and the iOS one grabbed the address book which is allowed by the sandbox. The controversy is whether you should win without escaping the sandbox I guess," Miller said.

Pwn2Own organizers believe Google's alternative contest won't attract many participants.

Pwn2Own has never required that contestants give up such sandbox escapes. We do require that they demonstrate them, in order to verify that they did indeed "hack" the target, but we have never required they disclose the escape to us or the vendor. The reason we do not do so is because our goal is to get as many vulnerabilities fixed through the contest as possible. This may sound contradictory, but it is not. If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome, which means that no Chrome code execution vulnerabilities would be fixed through the contest at all. However, by not requiring that the escape be disclosed, we believe we will have success in getting code execution vulnerabilities fixed and, in the end, providing the details responsibly to vendors (again, for free) so that they may fix their products.

Due to our disagreement about the best way to get the most vulnerabilities fixed, Google has withdrawn sponsorship of Pwn2Own. We understand their reasons for doing so: they want to be able to receive the sandbox escape details to improve the security of their product. That is why they launched Pwnium. What we believe they fail to realize is that, for the $60,000 they are offering, it is incredibly unlikely that anyone will participate.

Stephen Fewer, another former Pwn2Own winner,  likes the new rules and format this year.

"I think it provides a fairer platform for competitors to showcase their zero-days and exploit development skills over the previous years which used a lottery system to determine which competitor could go first for a given target, potentially preventing any other competitor from even competing against the same target," Fewer said.

"Although the value of the prizes are relative to the amount of zero-day you have to drop to get placed in the competition so it will be interesting to see how that stacks up, but 60K and all the publicity that goes with it should make for a lucrative first prize," he added.

Editorial standards