En Marzo será nuevamente la fecha para la cuarta edición de su evento Pwnium, en donde Google invita a todo hacker a cumplir algunos retos a cambio de recompensa y reconocimiento de parte de la gigante del internet.
Show off your security skills: announcing Pwnium 4 targeting Chrome OS
Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers. Contests like Pwnium help us make Chromium even more secure. This year Pwnium 4 will once again set sights on Chrome OS, and will be hosted in March at the CanSecWestsecurity conference in Vancouver.
With a total of $2.71828 million USD in the pot (mathematical constant e for the geeks at heart), we’ll issue Pwnium rewards for eligible Chrome OS exploits at the following levels:
- $110,000 USD: browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.
- $150,000 USD: compromise with device persistence: guest to guest with interim reboot, delivered via a web page.
New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.
Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.
Any software included with the default installation may be used as part of the attack. For those without access to a physical device, the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine, but note that a virtual environment might differ from the physical devices where the attack must be demonstrated.
To make sure everyone has enough time to demonstrate their exploit, we will require participants to register in advance for a timeslot. To register, e-mail pwnium4@chromium.org. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014. Only exploits demonstrated on time in this specifically-arranged window will be eligible for a reward.
The official rules contain more details, but standard Pwnium rules apply: the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL.
See you in Vancouver!
Como notaron en el blog oficial de Chronium, Marzo será el mes en donde Google tendrá su Pwnium 4 en donde el plato fuerte que quiere Google mostrar es la seguridad de Chrome OS y ponerlo a pruebas con los posibles hacks creativos que la gente se le pueda ocurrir.
Por cada elemento del sistema operativo o el navegador Chrome que se haya comprometido por una inyección de código por cuenta registrada o un “guest” vía Internet, Google otorgará premios de $110,000 y por cada hardware comprometido persistentemente ya sea por “guest” o usuario registrado, Google dará $150,000 y el pote se espera que llegue a un poco más de $2.7 millones y se nota la confianza que Google tiene a su sistema operativo basado en Linux donde el usuario perfecto es el que use 24/7 servicios de Google y su desempeño depende de la conexión al Internet.
Obviamente, con todo y la confianza, es obvio decir que esto sirve también como Google compensando a que los hackers o en el extremo caso del hacker que logre el pote, contribuya en mencionar como logró el mismo donde Google utilizará estos métodos para mejorar as capacidades de seguridad de Chrome OS.
Google permitirá este año también hacer hacks para equipos Chrome OS con arquitectura ARM, a diferencia de sus ediciones pasadas que solo se usaban versiones con Intel.
