The annual Pwn2Own competition has had a bit of an update, and is now ramping up for this year’s competition at CanSecWest, which takes place in Vancouver this March 7th through9th. The competition organizers over at Zero Day Initiative feel that this update will represent a welcome change both competitors and spectators alike.
Here’s what Zero Day Initiative had to say about the 2012 event on the organization’s blog: “As the vulnerability purchasing landscape is a dynamic one, we have decided to re-architect the contest to more closely reflect the value of the exploits demonstrated. As such, there will be only 3 winners this year. That way the 1st, 2nd, and 3rd place finishers will walk away with more cash than ever before. To that end, this year Hewlett-Packard is committing $105,000 USD in cash prizes for the event. We are also proud to announce that Google has once again stepped up to sponsor the event (the only vendor to have ever done so), promising cash prizes for vulnerabilities affecting their Chrome browser.
In the past, the contest has garnered attention worldwide – not only within our information security industry, but with the actual end users. We believe this to be the most valuable aspect of Pwn2Own and continually strive to achieve security awareness to as wide an audience as possible. Announcements regarding the contest will be distributed via the official twitter account @Pwn2Own_Contest as well as being posted here.”
The contest will take place at the CanSecWest conference in Vancouver during the 7th, 8th, and 9th of March.
There will be 4 targets this year, the most popular browsers on the market:
- Microsoft Internet Explorer
- Apple Safari
- Google Chrome
- Mozilla Firefox
The targets will be running on the latest, fully patched version of either Windows 7 or Lion.
The contest will be point-based and the winners will be the top three point-holders at the end of the final day. No team or individual can win without having demonstrated at least one 0day vulnerability.
Any contestant who demonstrates a working 0day exploit against the latest version of the browser will be awarded 32 points. When the contest begins we will be announcing 2 vulnerabilities per target that were patched in recent years. The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points depending on the day the exploit is demonstrated.
Unlike last year, the browsers will be eligible for all attacks (and subsequent points) throughout the contest.
The first place winner will receive a payment from Hewlett-Packard in the amount of $60,000 USD. Second place will be awarded $30,000 and third place, $15,000 USD. Additionally, the laptops themselves will be awarded as prizes to the winners at the end of the contest.
With regard to Chrome, Google is offering the following cash prizes:
Full Chrome pwn: uses only bugs in Chrome itself to gain full unsandboxed code execution. $20,000 USD per fully disjoint bug set.
Partial Chrome pwn: uses bugs in Chrome and bugs in the operating system to gain full unsandboxed code execution. $10,000 USD per fully disjoint bug set.
“Non-Chrome pwn”: uses only OS bugs for the pwn. e.g. Windows kernel font parsing vulns, driver vulns, $0 USD (not eligible).
0 day Vulnerabilities:
The browsers and corresponding operating systems will be fully updated on first day of the contest. Contestants can request to demonstrate a vulnerability at any time during the offical CanSecWest conference hours. A successful compromise of a fully-patched browser will be worth 32 points.
The browsers will be installed on Windows XP (for Firefox, IE, and Chrome) and Snow Leopard (for Safari). That way, the only exploit mitigation that must be overcome is DEP (no ASLR). Also, we will not require a sandbox or protected mode escape for any of the public vulnerability exploits.
To get the competitors started, we will be distributing virtual machine images with the software installed on the proper operating system as well as a proof of concept trigger that will cause the browser to fault.
On the first day (March 7th) a successful compromise using one of the public vulnerabilities will be worth 10 points. On the second day (March 8th) such an attack will be worth 9 points. On the third day, 8 points. This decaying point structure is intended to reduce the likelihood of a tie.
The specific browser versions will be announced on the first day of the contest.
All vulnerabilities demonstrated will be subject to confirmation by the Pwn2Own judges before being officially recognized. This is intended to ensure that duplicate vulnerabilities are not utilized by multiple teams, as well as more complicated situations such as a vulnerability being used against a browser that includes Webkit, but may not be synced with the Webkit nightly trunk (not eligible).