Google Inc. will pay US$20,000 to the first researcher who successfully exploits its Chrome browser at this year's Pwn2Own hacking contest.
The award is the largest ever for the annual challenge, which will kick off for the fifth time at the CanSecWest security conference in Vancouver, British Columbia, on March 9.
At this year's Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari and Chrome.
The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards.
"We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000," said Aaron Portnoy, the manager of HP TippingPoint's security research team.
TippingPoint, which is again sponsoring Pwn2Own, set the contest's rules Wednesday in a blog post written by Portnoy.
New this year is Google's participation. The company is the first browser vendor to put money into the prize kitty. "Kudos to the Google security team for taking the initiative to approach us on this," Portnoy said.
The rules for Chrome are slightly different than for the other browsers because it's the only one of the four that uses a "sandbox," an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application – in this case Chrome – to wreak havoc on the computer.
To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug.
Other software developers have followed in Chrome's footsteps to try to make their applications more secure. Last year, for example, Adobe added a sandbox – derived in part from Google's work – to its popular Reader program.
To walk off with Google's $20,000 on Pwn2Own's first day, a researcher must find and exploit two vulnerabilities in Google's code. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher's pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.
Google's participation in this year's Pwn2Own may be a mark of its confidence that Chrome can't be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.
IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher – a German computer science major who gave only his first name, Nils – hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.
Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.
"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter. "Must be hard, glad Mac OS X doesn't sandbox their browser."
Miller is a Mac hacking authority – he co-authored The Mac Hacker's Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner – and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.
TippingPoint will also run a mobile hacking track at Pwn2Own next month that will let researchers try to exploit smart phones running Apple's iOS, Google's Android, Microsoft's Windows 7 Phone and RIM's BlackBerry OS.
Successful smart phone attacks will be awarded $15,000.