Google strengthens Chrome's security, increases rewards and announces a $2 million contest fund

    The release of Google Chrome 21 passed rather quietly on Habr, even though in it the Chromium project developers announced a security hardening of the Adobe Flash Player runtime bundled with the browser. In addition, Google announced an increase in the rewards paid to the Chromium community for reported vulnerabilities, and the launch of a contest for demonstrating browser hacks. The prize fund is set at $2 million, and the maximum individual reward is $60 thousand.

    Adobe Flash Player


    In August 2009, Google announced the launch of a new project, the Pepper Plugin API (PPAPI), for running plug-ins. This interface was meant to replace the NPAPI mechanism, which Google considered outdated. Google described the benefits as more stable operation thanks to process separation and fully cross-platform plug-in modules. Mozilla abandoned the venture, but the search giant persistently stuck to its line. In 2010, PPAPI support was implemented in Chrome, and as of August of this year two modules, Adobe Flash and the Pepper PDF Reader, run entirely within this interface.

    Flash caused the biggest problems. Firstly, the PPAPI-based module itself had to be developed by Adobe, while Google had to optimize it and ensure its security. This complicated the development considerably and resulted in a rather lengthy process involving a lot of work and compromises. Google's main priority was to run the ported plug-in inside the sandbox. Had the Chrome team worked on only one OS, this would not have caused any problems, but considering that Chrome runs on three platforms (GNU/Linux, OS X and MS Windows) plus a whole zoo of system variants, this created a lot of pitfalls, which have been successfully overcome: as of August, all users of GNU/Linux and Windows systems get Flash Player running sandboxed within the browser. The developers are particularly proud that the sandboxed plug-in now benefits from ASLR and MIC (Mandatory Integrity Control), which first appeared only in Windows Vista. Using the sandbox virtually eliminates the possibility of an attack through the Flash Player module that relies on architectural weaknesses of the system.
    Apart from the security improvements, the use of PPAPI also made it possible to:
    • Use full hardware acceleration of Flash content on the GPU
    • Reduce the number of Flash Player crashes by 20% relative to the NPAPI implementation (although the same cannot be said for the number of complaints about Flash crashes on forums and in topical groups on social networks)
    • Let Chrome users in Windows 8 Metro mode (Modern mode now?) use such plug-ins. Other third-party browsers cannot do this because they use NPAPI.
    • Give GNU/Linux users the latest Flash Player updates. Other browsers will only be able to use version 11.2.


    Rewards and Competition


    In its statement on increasing the payments for reported vulnerabilities, Google justifies its decision by the fact that finding holes has recently become harder and demands a lot of effort from the researcher, so that effort needs to be rewarded and the motivation increased. Therefore, Google adds a $1,000 bonus to the reward for a found vulnerability, up to an unspecified limit. In addition, legendary rewards can be obtained for identifying particularly exotic vulnerabilities (currently, $10 thousand was noted for such vulnerabilities). Such bugs include:
    • Vulnerabilities in NVIDIA, AMD and Intel drivers. Code execution from a web page is required. Considered on Chrome OS as well.
    • Vulnerabilities leading to privilege escalation by compromising the Linux kernel in Chrome OS. The use of a stripped-down and modified Linux kernel adds difficulty for the researcher.
    • Vulnerabilities in the libjpeg library. The developers are unhappy that for a long time there have been no kernel attacks through vulnerabilities in this component.
    • 64-bit exploits. Any code execution, even without escaping the sandbox, qualifies for increased rewards.

    Additional bonuses will also be awarded to those who find vulnerabilities in free libraries, components, daemons, etc. If a researcher who finds a vulnerability not only reports it but also submits a patch that is then verified, there is an additional reward of $500 to $1,000. There are also a number of other bonuses.

    As for the Pwnium 2 contest, in October 2012 at the HITB conference, researchers will be able to demonstrate vulnerabilities in Google Chrome, for which they can receive rewards of up to $60 thousand. The total prize pool is $2 million. All the details are in the dedicated post.

    Sources:
    1. Chris Evans, The road to safer, more stable, and flashier Flash.
    2. Chris Evans, Chromium Vulnerability Rewards Program: larger rewards.
