The Pwn2Own 2013 and Pwnium 3 hacking competitions may have both taken place in the same locale last week—specifically, the CanSecWest security conference in Vancouver, B.C.—but the differences in their outcomes could not have been more striking.
Pwn2Own 2013, held by HP’s Zero Day Initiative (ZDI), focused on browsers and browser plug-ins this year, and it was a scene of widespread figurative bloodshed (see results at right) for the software being tested.
In Google's concurrent Pwnium 3, on the other hand, it was the hackers who were defeated, unable as they were to crack Google's Linux-based Chrome OS operating system.
$3.14159 million in prizes
“Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes,” wrote Chris Evans, a member of the Google Chrome Security Team, in a blog post announcing the competition in late January. “That’s why we’ve continued to engage with the security research community to help us find and fix vulnerabilities.”
Entrants were required to demonstrate an attack on a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS.
Google offered plenty of motivation, too: a total of $3.14159 million—inspired by the number “pi,” Google said—broken down into $110,000 for a browser or system compromise and $150,000 for a compromise that persists after reboot.
No winning entries
“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” Evans explained.
Fortunately for Chromebook users—but unfortunately for the competing hackers—no one succeeded in achieving a full compromise.
“We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits,” read theannouncement of the results last Thursday on Google+.
The Linux advantage
Of course, it should be noted that the discovery of a Chrome exploit two days beforehand allowed Google to patch Chrome OS before Pwnium began, as pointed out in a blog post last week from security firm Sophos.
Still, the fact that nothing else was discovered is largely a testament to the fact that Chrome OS is based on Linux, which is widely considered to be far more secure than its proprietary counterparts.
That's for numerous reasons, including the way permissions are assigned and the software's open source nature, but Chrome OS also adds the advantage of seccomp-bpf, a sandboxing feature that was recently included in the Linux kernel.
The result, in essence, is “a small filter in the kernel that will quickly reject many of the rocks thrown by an attacker,” as Google software engineer Julien Tinnes explained on the Chromium Blog last fall.