Contest organizers this year increased sixfold the prizes given out for successful zero-day browser exploits during the CanSecWest security conference, but wound up with just one more exploit to show for it.

The prizes sounded tempting — more than $1 million was available — but the net result was that fewer contestants participated, and those who did produced a total of three exploits that browser makers could then patch to make their products safer. This despite the fact that potential participants had two different contests in which to compete.

The fifth annual Pwn2Own competition, sponsored by the Zero Day Initiative (ZDI), yielded one zero-day exploit each against current versions of Google Chrome, Internet Explorer and Firefox. The contest drew just two teams of competitors.

In the hallway outside Pwn2Own, Google's first Pwnium contest yielded two zero-days against Chrome, the only browser targeted in the competition. Like Pwn2Own, Pwnium drew just two entrants, both individuals. In all, the two competitions combined handed out $210,000 in prize money, up from $30,000 last year when Pwn2Own was the only competition.

The dearth of exploits says less about how secure browsers are than it does about the gamesmanship involved in the competitions and about the bounty that exploits yield on the open market.

The creation of a competition to rival Pwn2Own played a major part in the dynamic of the contests. Google formed Pwnium after it failed to convince ZDI to require that anyone who managed to break its browser and execute code on the machine on which the browser was running explain how they broke out of the browser's supposedly secure sandbox.

But because those sandboxes are so well constructed, particularly Google's, exploits against them are rare and valuable.
They can command huge fees on the open market that dwarf the prize purses, says one of this year's Pwn2Own winners, Vupen CEO Chaouki Bekrar, whose company sent a team of five to the competition. Vupen came out on top and took home the $60,000 first prize.

ZDI turned down Google's request, arguing that requiring contestants to reveal their sandbox escapes would cut the number of competitors and therefore the number of code-execution exploits that would be exposed and blocked. That may be part of what actually happened.

Also affecting Pwn2Own was the imposing presence of the Vupen team, professionals who spend six weeks researching exploits against Firefox, Internet Explorer, Chrome and Safari. The team arrived at the competition saying they had zero-days against all the browsers and that they would only reveal the exploits as necessary to win. As it turned out, the team exposed two zero-days, ensuring they had enough to beat a two-man team who are both security professionals but were not paid to prepare. They ceded first place to Vupen and played to win second. As it turned out, nobody else entered.