Google enhances Chrome security, increases rewards and announces a contest with a fund of $2 million

The release of Google Chrome 21 somehow passed completely unnoticed on Habr. In it, the developers of the Chromium project announced stronger security for the Adobe Flash Player runtime bundled with the browser distribution. In addition, Google management announced an increase in the rewards paid to members of the Chromium community for identified vulnerabilities, and also announced a competition to demonstrate browser hacking. The prize fund is set at $2 million, and the maximum reward is $60 thousand.

Adobe Flash Player


In August 2009, Google announced the launch of a new project: the Pepper Plugin API (PPAPI) for running plug-ins. This interface was supposed to replace the NPAPI mechanism, which Google considered outdated. Google described its advantages as more stable operation thanks to process separation, and fully cross-platform modules. Mozilla abandoned this venture, while the search giant persistently stuck to its line. In 2010, PPAPI support itself was implemented in Chrome, and as of August of this year two modules are fully operational under this interface: Adobe Flash and Pepper PDF Reader.

The biggest problems were caused by Flash. Development of the PPAPI-based module itself was Adobe's job, while Google was responsible for optimization and for ensuring security. This significantly complicated development and resulted in a rather protracted process with a lot of work and compromises. Google made running the plug-in in a sandbox its main priority. If the Chrome team had worked on only one OS, this would not have caused any problems, but Chrome runs on 3 platforms (GNU/Linux, OS X and MS Windows) and a whole zoo of systems, which gave rise to a lot of pitfalls. These were successfully overcome: as of August, all users on all GNU/Linux and Windows systems get a sandboxed Flash Player. Developers proudly draw attention to the millions of Chrome users on Windows XP, which lacks such important security technologies as ASLR and MIC, introduced only in Windows Vista. Using a sandbox effectively eliminates the possibility of an attack through the Flash Player module that exploits an architectural weakness of the system.

Apart from security enhancements, the use of PPAPI allowed:


Rewards and Competition


In its statement on the increased payments for discovered vulnerabilities, Google justifies its decision by the fact that the search for holes has recently become more complicated and requires a lot of effort from the researcher, so this effort must be justified and the motivation increased. Therefore, for finding vulnerabilities, Google gives a bonus from $1,000 up to an unnamed limit. In addition, identifying particularly exotic vulnerabilities can earn legendary rewards (so far such vulnerabilities have been valued at $10 thousand). Such bugs include:

Additional bonuses are also due to those who find vulnerabilities in free libraries, components, daemons, etc. If the researcher who found the vulnerability not only reported it but also committed a patch, which is then verified, this brings an additional reward of $500 to $1,000. There are also a number of other bonuses.

As for the Pwnium 2 contest, in October 2012 at the HITB conference researchers will be able to demonstrate vulnerabilities in Google Chrome, for which they can receive a reward of up to $60 thousand. The total prize fund is $2 million. All the details are in a dedicated post.
Sources:
1. Chris Evans, The Road to Safer, more stable, and flashier flash.
2. Chris Evans, Chromium Vulnerability Rewards Program: larger rewards.

Source: https://habr.com/ru/post/149729/

