Wilders Security Forums  

#1
April 15th, 2010, 02:28 PM
mvario
Frequent Poster
Join Date: Sep 2008
Location: Haddonfield, IL
Posts: 316
10 Lessons From The Pwn2Own Hacker Contest

10 Lessons From The Pwn2Own Hacker Contest
http://threatpost.com/en_us/slidesho...Hacker-Contest
__________________
Xubuntu
#2
April 15th, 2010, 03:26 PM
Gullible Jones
Posts: n/a
Re: 10 Lessons From The Pwn2Own Hacker Contest

The bit about IE being the safest browser is absolutely false, Chrome also uses sandboxing (and better).

(BTW - I'd be interested to see how Ubuntu's AppArmor profiles for Firefox, or Chrome's SELinux policy, compare to IE/Chrome sandboxing on Windows.)
#3
April 15th, 2010, 03:50 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Gullible Jones
The bit about IE being the safest browser is absolutely false, Chrome also uses sandboxing (and better).

(BTW - I'd be interested to see how Ubuntu's AppArmor profiles for Firefox, or Chrome's SELinux policy, compare to IE/Chrome sandboxing on Windows.)

I'm not sure they meant that it was so much safer as it simply implemented ASLR correctly. Chrome, well, whatever. All I hear is Chrome being the safest in this and that, but where are the full blown attack testing links to show me this? Even some AV vendors have sandboxes now, and none of them mean a thing if they aren't locked down and researchers/hackers haven't put them through torture tests to find out what the deal is. It seems as though some believe sandbox=absolute security these days, probably because it's the "in thing" at the moment.

I truly believe that it isn't going to be all that long before that way of thinking is not only regretted but ridiculed.
#4
April 15th, 2010, 04:05 PM
Page42
Massive Poster
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: 10 Lessons From The Pwn2Own Hacker Contest

Everyone should keep in mind that in this contest, the price wasn't right.
The really "good stuff" hasn't been given up.
The best secrets still remain, the best secrets.
Quote:
The Pwn2Own contest is probably the best theoretical situation to show the damage that can be caused by skilled, dedicated attackers. However, throughout the contest, many researchers say the cash and hardware prizes were not enough to get them to give up "high-value" browser vulnerabilities. The contest sponsors paid $10,000 for every winning browser vulnerability but researchers say a reliable zero-day browser vulnerability/exploit is valued at ten times that amount.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#5
April 15th, 2010, 05:30 PM
Dogbiscuit
Frequent Poster
Join Date: Jul 2007
Posts: 639
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Despite the survival of Google Chrome and the fall of Internet Explorer 8 (running on Windows 7), all the browser hackers at the contest maintained that Microsoft's browser is by far the most difficult to exploit.
Quote:
Originally Posted by Gullible Jones
The bit about IE being the safest browser is absolutely false, Chrome also uses sandboxing (and better).
Just out of curiosity, why do you think that all the browser hackers at the contest (according to Ryan Naraine) were wrong in their conclusion that IE8 on 64-bit Windows 7 was the most difficult browser in the contest to hack this year?
#6
April 15th, 2010, 07:34 PM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: 10 Lessons From The Pwn2Own Hacker Contest

A couple of thoughts:

1) Charlie Miller said himself that he thinks Chrome is harder to crack than the other browsers because of the sandbox. Miller, as you know, has pwned the pwn2own contest in past years.

2) I don't know why these articles keep acting like ASLR/DEP was something M$ invented. They didn't. The technology was invented by the PaX team and they did it for Linux back in 2000. M$ merely copied the technology, as they typically do with any "innovation" they take credit for.

Quote:
BTW - I'd be interested to see how Ubuntu's AppArmor profiles for Firefox, or Chrome's SELinux policy, compare to IE/Chrome sandboxing on Windows.

Unfortunately we may never know because the pwn2own contest has taken Linux away from the contest. However, the last time it was there in 2008, it was the only OS to walk away unscathed.

Now as for the technologies: The Windows sandboxing (i.e. Integrity levels), uses the Biba model for labeling objects. SELinux uses more of a Bell-La Padula model. The two are similar but not exactly the same (Google for more info). They both label objects, processes, and files with certain access control labels and any two objects must have similar labels in order to communicate. That means IE cannot write to a file or directory with a different privilege level (or label) than it. These integrity controls even override ACLs. That's why they are called mandatory integrity controls. From M$'s website:

Quote:
Low integrity processes cannot gain write access to objects at a higher integrity level, even if the user's SID is granted write access in the discretionary access control list (DACL). Integrity level checks are performed before user access permission checks.

SELinux, as I said, uses more of a Bell-La Padula model. This means it's more of a traditional MLS and state transition system (which technically is a bit different than sandboxing but can be used to sandbox if need be).

There are 5 MAC systems for Linux that I know of -- Grsecurity, SMACK, TOMOYO, SELinux and AppArmor.

SELinux is a true RBAC and MLS implementation. Grsecurity is a RBAC without MLS. AppArmor and TOMOYO are both more simple and do not do RBAC, MLS or labeling. Their goal is to just confine individual apps, that is, their focus is to only confine individual processes while letting most others run unconfined. This means they aren't as powerful as SELinux and Grsec, but are much easier to implement.

The guy who invented AppArmor now works for Microsoft on their security design team. Therefore, I think it's fair to say that Windows' integrity levels were influenced by AppArmor, as the two are pretty similar in that they are targeted and not comprehensive. However, I prefer AppArmor because it is configurable by the user -- a user can write his own profiles. With Windows, you are pretty much left with the default policies M$ gives you (though I hear there are registry hacks which give more control).

An example of true sandboxing on Linux (or other Unixes) would be the built-in chroot() mechanism. This essentially takes access to any part of the filesystem away from a process or user. BSD has an improved version of this called "jails." Again this is different from a MAC policy, even though MACs can achieve similar results. In both instances, however, if the kernel itself is accessible by an attacker and he can exploit it, he can break out of the sandbox and turn off the MAC. So, not allowing root services access to the network and locking all of them down with strict policies is key.

Last edited by chronomatic : April 15th, 2010 at 07:41 PM.
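The post above contrasts two label models: Windows integrity levels (Biba-style, no-write-up, with the mandatory check evaluated before the DACL, as the quoted Microsoft text says) and Bell-La Padula (no-read-up, no-write-down). The following toy reference monitor is an added example, not code from the thread or from Windows or SELinux; its level names, SIDs, object names and DACLs are constructed for illustration. It shows why a DACL granting full control still cannot let a low-integrity process write a medium-integrity file, and how BLP reaches the opposite decisions on the same subjects.

```python
"""Toy reference monitor for the two label models named in the post above.

Constructed example: the levels, subjects, objects and DACLs here are
illustrative, not real Windows or SELinux policy.  It shows
  * a Biba-style integrity check (no-write-up), evaluated BEFORE the
    discretionary ACL, as the quoted Microsoft text describes, and
  * a Bell-La Padula confidentiality check (no-read-up, no-write-down)
    for contrast.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Ordered integrity / sensitivity levels; higher number = more trusted or more sensitive.
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "system": 4}


@dataclass
class Subject:
    name: str
    sid: str       # identity used by the DACL lookup
    level: str     # mandatory label of the process


@dataclass
class Obj:
    name: str
    level: str
    dacl: Dict[str, Set[str]] = field(default_factory=dict)  # sid -> granted rights


Decision = Tuple[bool, str]
Policy = Callable[[Subject, Obj, str], Decision]


def biba_integrity(subj: Subject, obj: Obj, right: str) -> Decision:
    """Biba 'no write up': a lower-integrity subject may not modify a
    higher-integrity object.  Reads are not restricted by this rule
    (Windows MIC likewise does not enforce Biba's 'no read down')."""
    if right in {"write", "delete"} and LEVELS[subj.level] < LEVELS[obj.level]:
        return False, "mandatory integrity: no write-up"
    return True, "integrity ok"


def bell_lapadula(subj: Subject, obj: Obj, right: str) -> Decision:
    """BLP confidentiality: no read-up (simple security property) and
    no write-down (*-property).  Deleting is treated as a write."""
    if right == "read" and LEVELS[subj.level] < LEVELS[obj.level]:
        return False, "BLP: no read-up"
    if right in {"write", "delete"} and LEVELS[subj.level] > LEVELS[obj.level]:
        return False, "BLP: no write-down"
    return True, "confidentiality ok"


def check_access(subj: Subject, obj: Obj, right: str, policy: Policy) -> Decision:
    """Mandatory label check first; only if it passes is the DACL consulted,
    so a DACL grant can never override a mandatory denial."""
    allowed, why = policy(subj, obj, right)
    if not allowed:
        return False, why
    if right not in obj.dacl.get(subj.sid, set()):
        return False, "DACL: access denied"
    return True, "granted"


def demo() -> Dict[str, Decision]:
    """Constructed scenario: a low-integrity browser process owned by the
    same user SID that has full control of the user's documents."""
    user_sid = "S-1-5-21-EXAMPLE-1001"             # placeholder SID, not a real one
    other_sid = "S-1-5-21-EXAMPLE-1002"            # placeholder SID, not a real one
    browser = Subject("browser in protected mode", user_sid, "low")
    admin = Subject("high-integrity admin shell", user_sid, "high")
    stranger = Subject("another user's process", other_sid, "medium")
    documents = Obj("Documents\\report.docx", "medium",
                    {user_sid: {"read", "write", "delete"}})
    low_temp = Obj("LocalLow\\cache.tmp", "low",
                   {user_sid: {"read", "write", "delete"}})
    return {
        # Biba/MIC: the DACL says full control, but the label check runs first.
        "mic_browser_write_docs": check_access(browser, documents, "write", biba_integrity),
        "mic_browser_read_docs": check_access(browser, documents, "read", biba_integrity),
        "mic_browser_write_lowtemp": check_access(browser, low_temp, "write", biba_integrity),
        # Label check passes, then the DACL (which lacks this SID) denies.
        "mic_stranger_read_docs": check_access(stranger, documents, "read", biba_integrity),
        # BLP: same subjects and objects, opposite rules.
        "blp_browser_read_docs": check_access(browser, documents, "read", bell_lapadula),
        "blp_admin_write_lowtemp": check_access(admin, low_temp, "write", bell_lapadula),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The ordering in `check_access` is the point: the reason returned for the browser's write to `Documents` is the integrity rule, not the DACL, even though the DACL would have granted it. Swapping the two checks would change nothing about which requests are denied, but it would make the DACL the thing an administrator reads first when debugging a denial, which is exactly the confusion the quoted Microsoft text is warning about.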
#7
April 19th, 2010, 03:34 AM
Dogbiscuit
Frequent Poster
Join Date: Jul 2007
Posts: 639
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by chronomatic
1) Charlie Miller said himself that he thinks Chrome is harder to crack than the other browsers because of the sandbox. Miller, as you know, has pwned the pwn2own contest in past years.
Yes, and Charlie Miller said last year that Firefox on Windows was the hardest target. This year he stated that either IE or Chrome without Flash on 64-bit Windows were both the most secure browsers. This is in addition to saying not too long ago that Chrome, because of its sandbox model, was harder to crack than the other browsers. (Personally, I listen carefully to what he has to say, given his experience, but I don't forget that he can be mistaken too.)

He's also said recently that if Pwn2Own offered a million dollars for each Chrome vulnerability, there would be a line at least a block long of people wanting to bankrupt the contest. Chrome may be more difficult to exploit, he reasoned, but people would be more likely to invest the time and resources to exploit it if they felt it was worth the extra effort. Browser exploitation and Pwn2Own results are probably as much a matter of economics as anything else.
#8
April 19th, 2010, 09:48 AM
Hugger
Very Frequent Poster
Join Date: Oct 2007
Location: Hackensack, USA
Posts: 1,003
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Dogbiscuit
Yes, and Charlie Miller said last year that Firefox on Windows was the hardest target. This year he stated that either IE or Chrome without Flash on 64-bit Windows were both the most secure browsers. This is in addition to saying not too long ago that Chrome, because of its sandbox model, was harder to crack than the other browsers. (Personally, I listen carefully to what he has to say, given his experience, but I don't forget that he can be mistaken too.)

He's also said recently that if Pwn2Own offered a million dollars for each Chrome vulnerability, there would be a line at least a block long of people wanting to bankrupt the contest. Chrome may be more difficult to exploit, he reasoned, but people would be more likely to invest the time and resources to exploit it if they felt it was worth the extra effort. Browser exploitation and Pwn2Own results are probably as much a matter of economics as anything else.

If I'm using a sandboxed browser why do I need to worry about flash?
Thanks.
Hugger
#9
April 19th, 2010, 04:57 PM
Watasha
Frequent Poster
Join Date: Feb 2010
Location: United States
Posts: 233
Re: 10 Lessons From The Pwn2Own Hacker Contest

So IE is the easiest to break but the most secure?

Thanks for reminding me why I don't pay attention to this crap.
__________________
Resident: Comodo CIS Premium
AVG Linkscanner

On Demand: MBAM & SAS
Hitman Pro
#10
April 19th, 2010, 05:11 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: 10 Lessons From The Pwn2Own Hacker Contest

Sigh, the Microsoft troll returns to add no valid input.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#11
April 19th, 2010, 05:16 PM
Watasha
Frequent Poster
Join Date: Feb 2010
Location: United States
Posts: 233
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by funkydude
Sigh, the Microsoft troll returns to add no valid input.

Troll? Oh, I must remember that I have to hate all products equally. It was an OBSERVATION on a FLAWED and SKEWED RESULTS list, NOT an OBSERVATION or INDICTMENT on IE. Do you understand it now? Just because the only posts that you read of mine are about MS doesn't mean that's all I post on, genius.
__________________
Resident: Comodo CIS Premium
AVG Linkscanner

On Demand: MBAM & SAS
Hitman Pro
#12
April 19th, 2010, 05:19 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Watasha
Troll? Oh, I must remember that I have to hate all products equally. It was an OBSERVATION on a FLAWED and SKEWED RESULTS list, NOT an OBSERVATION or INDICTMENT on IE. Do you understand it now? Just because the only posts that you read of mine are about MS doesn't mean that's all I post on, genius.

Simply put, looking at your post history, there's nothing made by Microsoft you like. I WONDER why you use their Operating System?

The facts are placed in your face but you'd rather trust your instincts, that's fine, just don't spread your instincts as facts on a forum for others to see.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#13
April 19th, 2010, 05:22 PM
Watasha
Frequent Poster
Join Date: Feb 2010
Location: United States
Posts: 233
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by funkydude
Simply put, looking at your post history, there's nothing made by Microsoft you like. I WONDER why you use their Operating System?

The facts are placed in your face but you'd rather trust your instincts, that's fine, just don't spread your instincts as facts on a forum for others to see.

What facts? The fact is that IE fell like a house of cards, as did FF. That makes perfect sense for the "most secure browser" doesn't it?

You looked at my post history? C'mon man, are you really that bored?
__________________
Resident: Comodo CIS Premium
AVG Linkscanner

On Demand: MBAM & SAS
Hitman Pro
#14
April 19th, 2010, 05:24 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Watasha
What facts? The fact is that IE fell like a house of cards, as did FF. That makes perfect sense for the "most secure browser" doesn't it?

The facts are stated on the linked page, you know, what's being discussed in this thread, until you trolled it.

Quote:
Originally Posted by Watasha
You looked at my post history? C'mon man, are you really that bored?

Even a quick glance reveals this information, so please
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#15
April 20th, 2010, 02:02 AM
Dogbiscuit
Frequent Poster
Join Date: Jul 2007
Posts: 639
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Hugger
If I'm using a sandboxed browser why do I need to worry about flash?
Thanks.
Hugger
See here.

EDIT: Sandboxed as in Chrome browser, not virtualization software like Sandboxie.

Last edited by Dogbiscuit : April 21st, 2010 at 02:21 AM.
#16
April 20th, 2010, 08:49 AM
Meriadoc
Very Frequent Poster
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Re: 10 Lessons From The Pwn2Own Hacker Contest

My thoughts on IE.

Whether or not IE is the most difficult browser to hack, IE is the most popular browser, giving it the status of most popular to hack.
___________

Any system, software is vulnerable to anyone who has the financial, or any other inclination to go after it.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#17
April 20th, 2010, 10:30 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by Meriadoc
Whether or not IE is the most difficult browser to hack, IE is the most popular browser, giving it the status of most popular to hack.

As far as I can tell, this is really what the article is trying to express. It may be hard to crack and the most secure, but it is its popularity that makes it a target.

But this is the same with everything that's popular. Whether it be Windows, Internet Explorer, iPhone, XBox or even computer games themselves these days. Anything popular will have exploits discovered and have them patched.

But this can be viewed as positive (e.g. for the software evolution) and negative (e.g. for the user). You have to ask yourself, is it better to run the popular software, knowing it's getting patched frequently from exploits as they are found, therefore becoming more secure as time goes by. Or, is it better using the unpopular software which could have holes, but not targeted at all.

Only a user's choice can answer that question
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#18
April 20th, 2010, 11:53 AM
mvario
Frequent Poster
Join Date: Sep 2008
Location: Haddonfield, IL
Posts: 316
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by funkydude
...But this can be viewed as positive (e.g. for the software evolution) and negative (e.g. for the user). You have to ask yourself, is it better to run the popular software, knowing it's getting patched frequently from exploits as they are found, therefore becoming more secure as time goes by. Or, is it better using the unpopular software which could have holes, but not targeted at all.

There's also the middle ground, lesser but still popular apps that get patched quicker. Two examples... Firefox and IE both had exploits revealed at Pwn2Own. Firefox was patched in half the time. Same with the recent pdf exploit that affected Adobe Reader and Foxit, the Foxit patch was released much faster than the Adobe patch.
__________________
Xubuntu
#19
April 20th, 2010, 01:28 PM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by funkydude
As far as I can tell, this is really what the article is trying to express. It may be hard to crack and the most secure, but it is its popularity that makes it a target.

But this is the same with everything that's popular. Whether it be Windows, Internet Explorer, iPhone, XBox or even computer games themselves these days. Anything popular will have exploits discovered and have them patched.

But this can be viewed as positive (e.g. for the software evolution) and negative (e.g. for the user). You have to ask yourself, is it better to run the popular software, knowing it's getting patched frequently from exploits as they are found, therefore becoming more secure as time goes by. Or, is it better using the unpopular software which could have holes, but not targeted at all.

Only a user's choice can answer that question

Sorry, but your argument is a non sequitur. You assume that because Windows/IE have the largest market share it necessarily follows that this is the sole reason they appear to be the most insecure. You do not consider the possibility that they appear to be the most insecure because they actually are.

And I would rather use an open-source OS where everyone can see the code as opposed to a closed-source monster like Windows. It's much easier to improve the codebase and audit the code to find potential vulnerabilities when everyone can see the code. Indeed, being closed-source does not make one immune to vulns (Windows proves this -- vulns are found constantly, so we can only imagine how many would be found if the code was open).

Moreover, the patch time between Linux and Windows is not even close -- Linux patches much faster. The gap between Mozilla and IE is not as great, but you will still find that Mozilla patches faster most of the time.
#20
April 20th, 2010, 01:36 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: 10 Lessons From The Pwn2Own Hacker Contest

Quote:
Originally Posted by chronomatic
most insecure because they actually are.

Your opinion. The article in the original post states otherwise.

Quote:
Originally Posted by chronomatic
And I would rather use an open-source OS where everyone can see the code as opposed to a closed-source monster like Windows.

That's great, but it's your opinion.

Quote:
Originally Posted by chronomatic
It's much easier to improve the codebase and audit the code to find potential vulnerabilities when everyone can see the code.

Your opinion. Open source doesn't make things better, nor does it make them worse. It's a form of publishing.

Sorry for repeating "your opinion" but you're writing a lot in your post which presents itself as fact. Anyway, it brings me back to this:

Quote:
Originally Posted by funkydude
Only a user's choice can answer that question
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums