Google is so confident that its Chrome Web browser can’t be hacked that it is willing to put $20,000 cash and a Chrome CR-48 notebook on the line to prove it. At the 2011 Pwn2Own contest, held in conjunction with the CanSecWest security conference in Vancouver next month, Google will put its money where its proverbial mouth is.
Google’s use of Chrome as the name of both its browser and its OS is creating some confusion. There are some false reports that Google is offering the bounty for successfully cracking its Chrome OS-based CR-48 notebook. The Google CR-48 notebook will be awarded along with the $20,000 for a successful attack against the Chrome Web browser, but the Pwn2Own info clearly states that the notebook is merely a prize. There will be no attacks mounted against the Chrome OS, and the target Chrome Web browser will actually be running on the latest 64-bit release of either Windows 7 or Mac OS X.
The Chrome Web browser is the only participating browser with built-in sandbox protection. The sandbox segregates untrusted or potentially malicious scripts so they are unable to impact the core browser or the underlying PC. Because of the sandbox, it will take some extra effort for an attack against the Chrome Web browser to be considered a success.
According to posted details about the Pwn2Own contest, a successful attack against Chrome will be measured over a few days. “On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.”
Google’s $20k award is the largest ever offered at the annual Pwn2Own contest, and this is also the first time that a Web browser vendor has stepped up to contribute to the Pwn2Own cash pool. Perhaps the bravado is inspired by the fact that this will be the third year that Chrome will be targeted, yet it has remained uncracked in years past.
Compare that to Apple’s Safari Web browser, which is perennially cracked in minutes, if not seconds. But even Firefox and Internet Explorer have fallen prey to Pwn2Own attacks. Only Chrome remains unscathed… so far. We’ll see if $20,000 is enough incentive for an enterprising hacker to find a crack in its armor.