Update, March 27: Macbook Air pwned and owned — in two minutes!
Update, March 28: Vista laptop pwned via an Adobe Flash vulnerability.
Update, April 16: Apple issues Safari patch.
Props to the winners — and to Ubuntu Linux, which emerged unpwned!
(originally posted March 26)
SecurityFocus’ Robert Lemos reports:
On Monday, security firm Tipping Point agreed to offer up to $20,000 as a prize to the first person to compromise each of three laptops running popular operating systems in the second annual PWN2OWN Competition at the CanSecWest conference, which takes place in Vancouver this week. The boost in the bounties came after researchers criticized the company for the more modest prizes announced last week. The first person to compromise any of three laptop computers — running the latest versions of Apple’s Mac OS X, Microsoft Windows Vista and Ubuntu Linux — will receive the prize money and the laptop.
The winner has to find a previously-undisclosed vulnerability on real-world systems running the latest patches. As conference organizer Dragos Ruiu’s announcement says, “Any exploit successfully used in this contest would also compromise a significant percentage of the internet connected hosts.” Tipping Point’s Terri Forslof gives more context — and history, too, with an acknowledgement of the controversy around winner Dino Dai Zovi’s exploit of an Apple QuickTime flaw.
A lot of attention will be on Apple this year as well: they’ve just released a monster security update (80+ CVEs) along with another 13 fixes for cross-site scripting flaws in Safari. On top of that they’ve antagonized the open-source community by distributing a new version of Safari to people who had signed up for iTunes security updates … and of course Dino’s the defending winner ….
Then again with the release of Vista SP1 having garnered so much attention due to driver reliability problems, attention will be on Microsoft as well — and deservedly so: while they’ve made major progress on security, they’re the biggest target out there. My friend Sarah Blankinship is the Microsoft person-of-spoke for pwn2own, and I was talking with her right after she burned the CD with Vista Ultimate for the contest. In addition to an exploit lab and Vulnerability Discovery Demystified, the CanSecWest Security Masters Dojo of masterclasses before the conference featured a two-day “defend the flag” event on attacking and defending Windows systems; will this make people more or less likely to focus on Vista? We shall see.
[By the way, I certainly don’t mean to single out Apple and Microsoft. The current list of ten most recentUS-CERT advisories has updates from Mozilla, Cisco, Novell, VLC, MIT (for Kerberos), and VMWare as well, and their cyber security alerts for this year also include Abobe and Sun. If you’re looking for vulnerabilities, it’s a target-rich environment on all platforms.]
Especially at a time when entire countries and subcontinents vanish from the Internet for days at a time due to cyberattacks and cuts in fiber-optic cables, and human rights organizations are under attack by malicious hackers, computer security’s a serious business. Fun contests like pwn2own play an important role by harnessing security researchers’ and software vendors’ natural competitiveness in a win/win way. Vulnerabilities found here get reported back to the vendors and fixed; and while the prizes are less than researchers might get on the public or grey markets, there’s also major cred — and of course bragging rights.
Dan Goodin adds in The Register:
CanSecWest’s Pwn2Own contests are useful because they allow us to isolate the technical strengths and weaknesses of a given platform from its popularity. Acrimonious debate has fomented for years about whether the high number of real-world Windows exploits – compared to those of OS X, Linux and other operating systems – is a natural consequence of having a 90-percent chunk of the market or the result of sloppy and insecure coding practices at Microsoft.
There’s at least some merit to the argument that organized cyber crime gangs – just like makers of popular games Half-Life 2 and Crysis – don’t write for the Mac and Linux because the smaller market shares make it impossible to get a return on the investment. The Pwn2Own contest, by offering a considerable incentive for exploits of these platforms, helps to neutralize the economic variable.
Of course it’s important not to generalize from the result of any one contest. Still, it’s an interesting data point that’s very complementary to other indications like the number of US-CERT advisories issued, number of vulnerabilities patched, price for vulnerabilities on the markets, and industry opinion.
Another valuable contribution from pwn2own, the Security Dojo, and other activities around CanSecWest including the parties: the connections that get created and knowledge that’s shared between security researchers, software vendors, IT admins, and the rest of the ecosystem. And it’s not just here. A lot of these people will be making at other stops on the “conference circuit”: RSA in a couple of weeks, and Blue Hat, EUSecWest, phNeutral over the next few months. One way to think of this is in terms of the “organizing without organizations” lens from Here Comes Everybody; others might prefer to see it as adding new arcs and strengthening weights in the “social graph” of the security community. In the end, the result is more people working steadily more effectively together towards the shared goal of making our computer-based systems more secure.
So let the games begin!
jon
PS: for those of you keeping score at home: disciplines this essay touches on include economics (vulnerability markets), pedagogy (participative learning), sociology, geopolitics, and ludology — as well as graph theory. When it comes to security, computer science is indeed a social science.
Adam | 27-Mar-08 at 9:09 pm | Permalink
I wish the market was more efficient. It would reveal a lot more.
jon | 27-Mar-08 at 9:23 pm | Permalink
indeed — and more transparent, too, so that more of the information would be revealed to everybody. still, even with imperfections, the markets are interesting and valuable.
a related topic that would be really cool for future pwn2own’s is to run a “prediction market” in parallel. it would be revealing both of expectations and potential gaps between expectations and reality.
Adam | 28-Mar-08 at 8:05 pm | Permalink
Good point! I should have been more transparent in saying that a market in which prices are secret is highly inefficient, because buyers and sellers lack information about the value of their goods.
jon | 29-Mar-08 at 8:52 am | Permalink
Hah, I (and the rest of the known security universe) had that one pegged.
Tipping Point’s Zero Day Initiave blog has more, with yet another spelling of the contest name:
What a coincidence! Note to Apple for future reference: don’t go out of your way to annoy Mozilla fans — or people who believe that security updating services should provide security updates rather than unsolicited new applications — right before a hacking contest, especially when your browser’s so vulnerable.
Discussions on Slashdot and elsewhere, expressing a general lack of surprise.
At 5:45, the contest closed for the day with still no successful hacks to the Vista or Ubuntu laptops. On Friday, they added more targets: attackers could now exploit vulnerabilities in common applications as well as the default install. Late in the afternoon, Shane Macaulay from Security Objectives exploited an Adobe Flash vulnerability to pwn the Windows Vista laptop.
Congratulations to Charlie, Shane … and to Ubuntu Linux, which emerged intact! More info and pics on the Tipping Point blog.
jon | 30-Mar-08 at 2:49 pm | Permalink
I posted this on Facebook, and my friend Ben Smith had some interesting comments; with his permission, here are excerpts from our dialog.
Ben:
Me:
Ben:
Me:
jon | 30-Mar-08 at 3:11 pm | Permalink
Controversy in the blogosphere!
As the title implies, Thom Holwerda’s two-part CanSecWest: Countering Misinformation on OS News doesn’t see eye to eye with most of what Daniel Eran Dilger says in Mac Shot First: 10 Reasons Why CanSecWest Targets Apple. The two do agree on one thing, though; as Thom says:
They draw different conclusions from this, though. Dan argues that because of this, Mac vulnerabilities are essentially irrelevant outside of contests like pwn2own, because nobody’s going to exploit them. Since he also disagrees with the just-published Swiss study showing that Apple patches more slowly than Microsoft, he believes that Mac exploits don’t result in “any catastrophic destruction.” This strikes me as a classic “nobody’s stolen anything yet so it doesn’t matter that the locks don’t work” argument but Dan sees it as evidence of a Microsoft-led plot with assistance from Charlie Miller and the complicit media. The commenters on this thread and his earlier CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security are pretty skeptical too; one of them suggested easing up on the paranoia beans.
Thom by contrast continues
Indeed. Thom’s essay also does a great job of analyzing the Dan’s other “top 10 reasons” and providing an excellent characterization both of the value and limitations of pwn2own.
jon | 30-Mar-08 at 11:01 pm | Permalink
pwn2own has been on Google News’ front page all day. ArsTechnica has a brief update with an excellent comment thread. The Flash vulnerability was described as “in all versions”; was it exploitable on Linux? Unclear … we shall see.
Robert MacMillan’s story for IDG got picked up a bunch of places as well, including here on the New York Times’ site.
jon | 31-Mar-08 at 11:13 am | Permalink
Bruce Byfield has a detailed wrapup on Linux.com, with some great quotes from winner Charlie Miller:
Miller points out that contestants only enter if they think they’ve got a chance, so the contest doesn’t say anything about how many people tried and failed on a given platform. [For that matter, since they only give out one prize per platform, we also don’t know how many other people would have succeeded.] And …
Harnessing competitiveness, indeed 🙂
jon | 01-May-08 at 3:32 pm | Permalink
A detailed post by Rob Hensing on Microsoft’s Blue Hat Blog discusses Shane Macauley and Alexander Sotirov’s challenges in exploiting the Flash vulnerability on day 3:
[Why’s that? Application compatibility, of course; until recently, most ActiveX plugins would crash if you tried to run them in with DEP — so IE disables it. But I digress.]
He speculates that in the end they may have taken advantage of some differences in behavior between Javascript and the Java VM to unleash a “heap spray”* exploit.
There’s lots of other good stuff in the article, including a description of how Mark Dowd of IBM-ISS that Robert says “blew a lot of minds with his pretty impressive work exploiting yet another Flash vulnerability”.
Hmm. There’s currently some gnashing of teeth in a thread on MiniMSFT questioning why people might switch from Flash to Microsoft’s Silverlight. With Flash is becoming such a high-profile target for exploits, Adobe might want to prioritize taking the basic steps like enabling ASLR. In the interim, Rob helpfully posts instructions for any Windows users who want to provide this extra level of protection on their own machine; Not sure whether there are equivalent workarounds on the Mac or Linux.
* One of the cool things about security is that lots of stuff has great names.
Liminal states » Vegas, baby! Black Hat 2008 | 12-Aug-08 at 10:08 pm | Permalink
[…] And pwnies!!!! (Pronounced “ponie”, etymologically linked to pwn2own.) […]
Liminal states » Black Hat part 2: Iron Chef Black Hat (DRAFT) | 14-Aug-08 at 10:33 pm | Permalink
[…] Chef Black Hat is a great idea, tapping into the same competitiveness as Tipping Point’s pwn2own contest, and so it’s great to see it become an annual tradition. Black Hat and Fortify still […]
The “P” Word? — MacBook Air First To Be Compromised In Hacking Contest | 12-Sep-08 at 1:55 pm | Permalink
[…] SlashDot and Liminal states: A MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful […]