Native Client

Security Contest Archive

Introduction

The Native Client team at Google has gone to exceptional measures to make Native Client a secure system, including holding a public security contest. This page archives information from that contest, including the list of contest winners and the lineup of security experts who served as judges.

Although the security contest has ended, the Native Client team welcomes your continued involvement in the project. You can help by submitting bugs and participating in the Native Client discussion group.

Contest overview

The Native Client team held a contest in 2009 to test the security of Native Client and help make the system more secure. Participants were invited to discover security bugs in Native Client technology in order to compete for cash prizes.

Here was the challenge put forth by the Native Client team:

Do you think it is impossible to safely run untrusted x86 code on the web? Do you want a chance to impress a panel of some of the top security experts in the world? Then submit an exploit to the Native Client Security contest and you could also win cash prizes, not to mention bragging rights.

The contest judges evaluated exploits designed to defeat Native Client security measures based on severity, scope, reliability, and style. The winning teams and entries are listed below.

Contest winners

The Native Client team thanks everyone who participated in the contest for their contributions to improving the quality and security of the Native Client system. The judges reviewed the submitted exploits and identified the following teams as winners:


First place

Team: Beached As
Members: Mark Dowd, Ben Hawkes
Submitted issues: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63

Mark Dowd and Ben Hawkes are application security specialists hailing from Australia and New Zealand, respectively. Mark works for IBM ISS X-Force R&D, whereas Ben currently performs independent research while simultaneously pursuing a mathematics and computing science degree. Both have uncovered major security flaws in ubiquitous Internet software, in terms of both exploitable bugs and weaknesses in system protection mechanisms. Both have spoken at numerous security conferences in recent years, including BlackHat, Ruxcon, KiwiCon, and CanSecWest.

Second place

Team: CJETM
Members: Jason Carpenter, Eric Monti, Chris Rohlf
Submitted issues: 42, 44, 49, 70

Team CJETM is comprised of security vulnerability researchers Chris Rohlf, Jason Carpenter and Eric Monti. All three have abused software professionally for a long time.

Third place

Team: 0xdead
Members: Gabriel Campana
Submitted issues: 45

Gabriel Campana is a security researcher working at Sogeti ESEC R&D labs. His research interests are mainly focused on vulnerability research, exploitation methods, and Linux kernel security. Lately he has been working on automated vulnerability research, especially fuzzing. In his spare time, he plays with embedded network devices.

Fourth place (tie)

Team: teamfkmr
Members: Daiki Fukumori
Submitted issues: 66, 67

Daiki Fukumori is a web security researcher. He has given talks at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced Native Client security at Shibuya.pm. He currently has an interest in cloud security.

Fourth place (tie)

Team: Alex Rad
Members: Alex Radocea
Submitted issues: 81

Alex Radocea is a 20-year-old student at Rensselaer Polytechnic Institute. In the realm of computer security he is really excited about proactively designed technology which can help wipe out entire bug classes. Currently he is helping improve Native Client through Google Summer of Code.

Panel of judges

Google recruited the following group of distinguished security experts to serve as judges for the Native Client security contest:

Chair

Edward Felten
Princeton University
http://www.cs.princeton.edu/~felten/

Judges

Alex Halderman
University of Michigan
http://www.cse.umich.edu/~jhalderm/

Niels Provos
Google
http://www.citi.umich.edu/u/provos/

Bennet Yee
Google
http://www.bennetyee.org/

Brad Karp
University College London
http://www.cs.ucl.ac.uk/staff/B.Karp/

Stefan Savage
University of California San Diego
http://www.cs.ucsd.edu/~savage

Nickolai Zeldovich
MIT
http://people.csail.mit.edu/nickolai/

Greg Morrisett
Harvard University
http://www.eecs.harvard.edu/~greg/

Dan Wallach
Rice University
http://www.cs.rice.edu/~dwallach/

Additional information

For additional information about the Native Client security contest, see the archived Contest Announcement, FAQ and Terms & Conditions.

If you'd like to get involved with Native Client, you can:
