Pwn2Own 2018: Focus Changes To Kernel Exploits As Browsers Get Harder To Hack

From left to right: Georgi Geshev, Fabi Beterke, Niklas Baumstark , Samuel Groß, Richard Zhu, Alex Plaskett. (Image credit: Trend Micro)

Pwn2Own 2018, the popular browser hacking competition, concluded today. This year’s competition seems to have drastically diminished in number of participants, as China banned its security researchers (who have won multiple times in the past) from participating in Pwn2Own or divulging security vulnerabilities to foreigners.

Absence Of Chinese Teams Is Palpable

Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which has sponsored the Pwn2Own competitions for the past few years, said recently that “some countries” no longer allow their security researchers to participate in global exploit contests. One of Gorenc's colleagues later clarified to Cyberscoop that he was referring to China.

Because of this new change, this year’s Pwn2Own competition seems to have resulted in a much smaller number of successful exploits against the popular browsers. In fact, nobody even attempted to hack Chrome this year, which is likely the result of both Chrome being historically difficult to exploit, as well as too few researchers attending the competition.

How The Browsers Fared This Year

Chrome aside, there were four attempts against Apple's Safari, which looks to be this year’s most exploited browser. Of those four attempts, two were successful. There were three attempts against Microsoft’s Edge browser (by the same researcher, Richard Zhu, a long-time Pwn2Own participant), and only one succeeded.

Zhu also attempted an exploit against Firefox, using a Windows kernel exploit, and succeeded in the first try. Two years ago, Firefox went missing-in-action at the Pwn2Own competition, allegedly because the organizers thought the browser was getting too easy to hack. Last year, Firefox already had partial sandboxing enabled and finished in a better position than Edge, the most hacked browser in that competition.

In 2018, Firefox came even better prepared with its “just right” sandboxing architecture, and an improvement over the partial sandboxing it had last year. However, as there was only one attempt against it, it’s difficult to say just how much the browser’s security has actually improved.

Kernel Exploits, The New “Go-To” For Browser Hackers

Zhu did need to use a Windows kernel exploit to hack Firefox, which tells us that the Firefox sandboxing must be working. Most OS-level sandboxing techniques that browsers use today can be bypassed by kernel exploits. However, Microsoft has been working on more restrictive sandboxing and virtualization modes that should be available in future builds of Windows 10.

Kernel exploits also seems to be the theme at this year’s contest. All the exploits that succeeded in breaking Safari, Edge, and Firefox’s security took advantage of OS kernel flaws or some other kind of sandbox escape. This tells us that there is a higher security bar that malware developers will need to reach in order to hack users through their browsers... and that OS developers need to focus more on kernel security.

OS kernels, whether it’s Linux, the macOS kernel, or the Windows kernel, now count millions of lines of code, so the potential for bugs in them is larger than most people may think. Microsoft has been focusing increasingly more on kernel security lately, as have the Linux developers, in part due to Google’s help. Google has been sponsoring the Linux Kernel Self Protection (KSP) project, which aims to enable more anti-exploit techniques right into the mainstream Linux kernel. Before this, Google had also begun locking down the Linux kernel more and more on Android.

The absence of Chinese teams may have caught the Pwn2Own competition organizers off-guard, this year, but we can probably expect a more intense competition next year. However, rewards may first have to increase for each particular exploit if vendors want to get more researchers to look for bugs in their products. As browsers’ sandboxes have improved, it also seems to have gotten more difficult to bypass browser security, so companies will have to try harder to motivate the researchers.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • bit_user
    20799426 said:
    OS kernels, whether it’s Linux, the macOS kernel, or the Windows kernel, now count millions of lines of code, so the potential for bugs in them is larger than most people may think.
    The numbers for Linux are skewed by the fact that the gross count includes all of the in-tree device drivers, as well as the architecture-specific parts for all supported CPUs. According to some stats from a couple years back, the non-driver and non-arch parts have only ~140k LOC.

    As for the arch bits, you're only using a very small amount of that, on any given install. The more standard your hardware config, the better tested you can expect the drivers & arch-specific parts to be.
  • alan_rave
    Richard Zhu is not from China?
  • bit_user
    20803899 said:
    Richard Zhu is not from China?
    I think they mean teams based in China, or perhaps even specifically Chinese cyber security professionals.

    Are you just going by the name, or do you know that he currently lives there?

    Either way, he won $120k in two days. Not bad!
  • bit_user
    Overall, we awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug.
    Wow, those are some expensive bugs!