At the Pwn2Own contest next month, Google will offer $20,000 to the
first security researcher who can gain full control of a laptop
running its Chrome browser.
The "hacking" contest will be taking place on the 9th, 10th, and 11th
of March, 2011 in Vancouver, BC during the CanSecWest conference.
HP TippingPoint is funding $105,000 in prizes, and Google has offered
$20,000 to the researcher who can best its Chrome browser.
As in last year's contest, the competition will focus on two main
technologies: web browsers and mobile devices.
This year's web browser targets will be the latest release candidate
(at the time of the contest) of Microsoft's Internet Explorer,
Apple's Safari, Mozilla's Firefox and Google's Chrome browsers.
Each browser will be installed on a 64-bit system running the latest
version of either OS X or Windows 7.
The laptop prizes include a Sony Vaio running Windows 7, an Alienware
m11x running Windows 7, an Apple MacBook Air 13" running Mac OS X
Snow Leopard and a Google CR-48 running ChromeOS.
As for Chrome, the contest will have two parts. On day 1, Google
will offer $20,000 USD and the CR-48 if a contestant can pop the
browser and escape the sandbox using only vulnerabilities present
in Google-written code. If competitors are unsuccessful, on days 2 and
3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google
code and Google will offer $10,000 USD for the Chrome bug. Either
way, plugins other than the built-in PDF support are out of scope.
A successful hack of IE, Safari, or Firefox will net the competitor a
$15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward
points, which immediately qualify them for Silver standing. Benefits
of ZDI Silver standing include a one-time $5,000 USD cash payment,
15% monetary bonus on all ZDI submissions in 2011, 25% reward point
bonus on all ZDI submissions in 2011 and paid travel and registration
to attend the DEFCON Conference in Las Vegas.
This year's competition is also focusing on hacks against mobile
phone targets. A base station will be available on-site so that
competitors will be able to perform attacks against the cell phone
The following are the target mobile devices for the contest:
* Dell Venue Pro running Windows 7
* iPhone 4 running iOS
* Blackberry Torch 9800 running Blackberry 6 OS
* Nexus S running Android
A successful attack against these devices must require little to no
user interaction and must compromise useful data from the phone. Any
attack that can incur cost upon the owner of the device (such as
silently calling long-distance numbers, eavesdropping on
conversations, and so forth) is within scope.
A successful compromise of any of these targets will win the
contestant a cash prize of $15,000 USD, the device itself, and 20,000
ZDI reward points, which immediately qualify them for Silver
standing. Benefits of ZDI Silver standing include a one-time $5,000
USD cash payment, 15% monetary bonus on all ZDI submissions in 2011,
25% reward point bonus on all ZDI submissions in 2011 and paid travel
and registration to attend the DEFCON Conference in Las Vegas.
Last year the contest was a great success, with three of the four
browsers successfully compromised as well as the Apple iPhone.