Linux is very secure. Google's Linux-based Chrome OS, with its auto-updating and security sandboxing, is even more secure. But neither is perfect. At Google's own Pwnium hacking contest and HP Zero Day Initiative's (ZDI) annual Pwn2Own hacking contest, three new sets of security problems were found in Chrome OS... and then immediately patched.
Pwnium, which is Google's hacking competition at the CanSecWest practical security company, was dedicated this year to finding security problems in Chrome OS. There was a "total of $2.71828 million USD in the pot (mathematical constant 'e' for the geeks at heart)." The targets for this exercise were a base, Wi-Fi model of the ARM-based HP Chromebook 11 or a 2GB Wi-Fi equipped model of the Acer C720 Intel Chromebook. In both cases, the Chromebooks were running the latest stable version of Chrome OS.
The second hack, with a prize still to be determined, which will be rewarded via Google's Vulnerability Rewards Program, went to the young hacker known only as Pinkie Pie. He'd been winning awards in security hacking competitions since 2012.
This time around, Pinkie Pie was able to show off sandboxed code execution and a kernel out-of-bounds (OOB) write. This exploit used two new holes. One involved memory corruption in the graphics processing unit (GPU) command buffer, while the other involved a kernel OOB write in the GPU driver.
Dharani Govindan, a Google Chrome Test Engineer Lead, said of Geohot and Pinkie Pie's exploits, "We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both Pwnium submissions are works of art and deserve wider sharing and recognition."
The last exploit was revealed during the Pwn2Own Web browser cracking competition. VUPEN, the ace French security company and cracking team, while breaking into Chrome OS, found a bug that left exploitable free memory in Blink bindings. Blink is Google's fork of the WebKit Web browser engine.
Why did Google encourage hackers to break its prize operating system for real money? Chris Evans, a Google security engineer who has been on the Chrome security team since the start, told CNET, "If you want high-quality security, you have to pay for it." Evans also said, "The prize is high because the amount we can learn from it is high. We can close whole classes of bugs, while devising new hardening measures."
A Google spokesperson added, "These competitions allow us to patch entire classes of bugs to protect our users from real harm." She concluded, "Google already patched all bugs used for these demonstrated Chrome browser and Chrome OS exploits before the end of day Friday." Clearly, these competitions work.