Chrome OS security holes found, patched

At Google's Pwnium hacking competition, two new security exploits in Chrome OS were demonstrated, while at Pwn2Own a Chrome Web browser problem was found that also impacted Chrome OS. All three problems have now been patched.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Linux is very secure. Google's Linux-based Chrome OS, with its auto-updating and security sandboxing, is even more secure. But, neither is perfect. At Google's own Pwnium hacking contest and HP Zero Day Initiative's (ZDI) annual Pwn2Own hacking contest, three new sets of security problems were found in Chrome OS... and then immediately patched.

Linux-based Chrome OS is very secure, but as three exploits in recent hacking contests showed, it doesn't have perfect security.

Pwnium, Google's hacking competition held at CanSecWest, was dedicated this year to finding security problems in Chrome OS. There was a "total of $2.71828 million USD in the pot (mathematical constant 'e' for the geeks at heart)." The targets for this exercise were a base, Wi-Fi model of the ARM-based HP Chromebook 11 or a 2GB Wi-Fi equipped model of the Acer C720 Intel Chromebook. In both cases, the Chromebooks were running the latest stable version of Chrome OS.

The first exploit, and a prize of $150,000, went to George Hotz, the well-known researcher and hacker known as "Geohot," for an exploit chain six deep on the HP Chromebook 11. This hack resulted in a persistent program executing on Chrome OS. It was, by no means, a simple crack. It involved getting four different security holes lined up perfectly. These were: memory corruption in Chrome's V8 JavaScript engine; a command injection in Crosh, Chrome OS's limited shell; a path traversal issue in CrosDisks, the program that mounts and unmounts file systems in Chrome OS; and an issue with file persistence at boot.

The second hack, with a prize still to be determined, which will be awarded via Google's Vulnerability Rewards Program, went to the young hacker known only as Pinkie Pie. He has been winning awards in security hacking competitions since 2012.

This time around Pinkie Pie was able to show off sandboxed code execution and a kernel out-of-bounds (OOB) write. This exploit used two new holes. One involved memory corruption in the graphics processing unit (GPU) command buffer, while the other involved a kernel OOB write in the GPU driver.

Dharani Govindan, a Google Chrome Test Engineer Lead, said of Geohot and Pinkie Pie's exploits, "We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both Pwnium submissions are works of art and deserve wider sharing and recognition."

The last exploit was revealed during the Pwn2Own Web browser cracking competition. VUPEN, the ace French security company and cracking team, while breaking into Chrome OS, found a bug that left exploitable free memory in Blink bindings. Blink is Google's WebKit Web browser engine fork.

Why did Google encourage hackers to break its prize operating system for real money? Chris Evans, a Google security engineer who has been on the Chrome security team since the start, told CNET, "If you want high-quality security, you have to pay for it." Evans also said, "The prize is high because the amount we can learn from it is high. We can close whole classes of bugs, while devising new hardening measures."

A Google spokesperson added, "These competitions allow us to patch entire classes of bugs to protect our users from real harm." She concluded, "Google already patched all bugs used for these demonstrated Chrome browser and Chrome OS exploits before the end of day Friday." Clearly, these competitions work.
