Native Client Security Contest: The results are in!
A few months ago, we challenged you to discover exploits in the Native Client system, and more than 600 of you decided to take us up on our invitation. We're very pleased with the results: participants found bugs that enabled some really clever exploits, but nothing that pointed to a fundamental flaw in the design of Native Client. Our judges reviewed all entries very carefully and have selected five teams as the winners of the Native Client Security Contest.
The big winner of the contest was the team "Beached As", consisting of IBM researcher Mark Dowd and independent researcher Ben Hawkes. "Beached As" reported 12 valid issues, including vulnerabilities in the validator and multiple type-confusion attacks. The team "CJETM" (Chris Rohlf, Jason Carpenter, Eric Monti — all security professionals with Matasano Security) came in second by reporting three issues with a common theme of memory-related defects, including an uninitialized vtable entry, an exception condition during new(), and a double delete bug. Gabriel Campana from Sogeti ESEC R&D Labs was selected for third place, while for fourth and fifth place we had a tie between independent researcher Daiki Fukumori and Rensselaer Polytechnic Institute student Alex Radocea. You can find a listing of all the issues the teams submitted at the Native Client Security Contest site.
[Photo] The winners of the Native Client Security Contest, Team "Beached As": Mark Dowd (left) and Ben Hawkes (right)

Winning teams were attracted to the contest by the potential of the Native Client technology. Mark Dowd, member of the winning team "Beached As", commented, "When I saw the press release announcing the product, I was intrigued by some of the ideas mentioned in the article. After reviewing the architecture a little, I thought the project adopted a novel approach to solving the problem of running native code securely, and was keen to take a closer look." Curiosity about what the technology could achieve also motivated the CJETM team, according to Chris Rohlf.
The real-world relevance of Native Client made this contest more interesting
and challenging for participants. Contestant Alex Radocea stated, "Unlike most security
challenges out there, the set of problems were not crafted. The tasks at hand were real and
complex, as the real world is. I have no doubt that many unknown people eyed the code or
attacked the applications and, frustratingly, found absolutely nothing wrong." Mark Dowd
agreed: "Our goal was to create a convincing lead, to try and take the victory, and I think we
did that. Having said that, the field was not soft. There were some tough contestants who were
able to uncover a variety of interesting vulnerabilities."
We would like to thank all the contestants, the jury chair Ed Felten and all the security experts that judged the contest for helping us improve the security of our system. This contest helped us discover implementation errors in Native Client and some areas of our codebase we need to spend more time reviewing. More importantly, the fact that no major architectural flaws were found provides evidence that Native Client can be made safe enough for widespread use. Toward that end, we're implementing additional security measures, such as an outer sandbox, but you can help by continuing to file bugs in Native Client. Community support and scrutiny have helped and will continue to help make Native Client more useful and more secure.
By Henry Bridge and Brad Chen, Native Client Team