Google Enhances Chrome Security, Increases Rewards, and Announces $ 2 Million Fund Competition

Somehow quite quietly for Habr was the release of Google Chrome 21, in which the developers of the Chromium project announced an increase in the security of the Adobe Flash Player runtime integrated into the browser distribution. In addition, Google executives announced an increase in remuneration to representatives of the Chromium community for identified vulnerabilities, and also announced the launch of a contest to demonstrate browser hacking. The prize fund is set at the bar of $ 2 million, and the maximum reward of $ 60 thousand.

Adobe Flash Player


In August 2009, Google announced the launch of a new project - the Pepper Plugin API to enable plug-ins. This interface was supposed to replace the outdated, according to Google, NPAPI mechanism. The essence of the prospects Google described as more stable operation due to the separation of processes, and the full cross-platform modules. Mozilla abandoned this venture , and the search giant persistently bent its line. In 2010, support for PPAPI itself was implemented in Chrome, and in August of this year, two modules fully work under this interface - Adobe Flash and Pepper PDF Reader.

The biggest problems caused Flash. Firstly, the development of the module itself based on PPAPI should have been done by Adobe, but Google would have to optimize and ensure security. This significantly complicated the development, which resulted in a rather lengthy process with a lot of work and compromises. The main priority for Google has been porting the execution of the plug-in to the sandbox. And if the Chrome team worked only on one OS, then this would not cause any problems, but considering that Chrome works on 3 platforms (GNU / Linux, OS X and MS Windows) and the whole zoo of systems, this gave rise to a lot of pitfalls that were successfully completed: in August, all users of all GNU / Linux and Windows systems get Flash Player sandboxed into the framework. Developers are particularly proud of the fact that что миллион пользователей Chrome, использующих Windows XP, могут быть спокойны за отсутствие таких важных технологий безопасности как ASLR and MIC , which were announced only in Windows Vista. Using the sandbox virtually eliminates the possibility of an attack through the Flash Player module using the architectural weaknesses of the system.
In addition, apart from security improvements, the use of PPAPI allowed:
  • Use full hardware acceleration of Flash content on the GPU
  • Reduce the number of Flash Player crashes relative to implementations on NPAPI by 20% ( although the number of complaints about Flash crashes on forums and profile groups on social networks cannot be said )
  • Allows Chrome users in Metro mode ( Modern mode now? ) Windows 8 to use such plug-ins. Other third-party browsers do not know this because of the use of NPAPI.
  • GNU / Linux users will receive the latest Flash Player updates. Other browsers will be able to use only the 11.2 version.


Rewards and Competition


Google, in its statement on increasing payments for detected vulnerabilities, substantiates its decision by the fact that the search for holes has recently become more complicated, requires great efforts from the researcher, therefore these efforts must be justified, and the motivation should be increased. Therefore, for finding vulnerabilities, Google gives a bonus bonus of $ 1,000 to an unnamed limit. In addition, legendary rewards can be obtained for identifying particularly exotic vulnerabilities (at the moment, $ 10 thousand were noted for such vulnerabilities). Such bugs include:
  • Vulnerabilities in NVIDIA, AMD, and Intel Drivers. Code execution from a web page is required. Applications are also being reviewed on Chrome OS.
  • Vulnerabilities leading to privilege escalation by compromising the Linux kernel on Chrome OS. The additional complexity of the researcher gives the use of a stripped down and modified Linux kernel
  • Vulnerabilities in the libjpg library. Developers are unhappy with the fact that for a long time there have been no kernel attacks through vulnerabilities in this component.
  • 64-bit exploits. Any code execution, even without exiting the sandbox, is subject to increased rewards.

In addition, additional bonuses will be awarded to those who find vulnerabilities in free libraries, components, daemons, etc. If a researcher, finding a vulnerability, not only reported it, but also committed a patch, which is then verified, then this is an additional reward from $ 500 to $ 1000. There are also a number of other bonuses.

As for the Pwnium 2 contest , in October 2012, at the HITB conference , researchers will be able to demonstrate vulnerabilities in Google Chrome, for which they can receive rewards of up to $ 60 thousand. The total prize pool is $ 2 million. Read all the details in a special entry .

Sources :
1. Chris Evans , The road to safer, more stable, and flashier Flash .
2. Chris Evans , Chromium Vulnerability Rewards Program: larger rewards .