From left to right: Georgi Geshev, Fabi Beterke, Niklas Baumstark , Samuel Groß, Richard Zhu, Alex Plaskett. Credit: Trend Micro
Pwn2Own 2018, the popular browser hacking competition, concluded today. This year’s competition seems to have drastically diminished in number of participants, as China banned its security researchers (who have won multiple times in the past) from participating in Pwn2Own or divulging security vulnerabilities to foreigners.
Absence Of Chinese Teams Is Palpable
Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which has sponsored the Pwn2Own competitions for the past few years, said recently that “some countries” no longer allow their security researchers to participate in global exploit contests. One of Gorenc's colleagues later clarified to Cyberscoop that he was referring to China.
Because of this new change, this year’s Pwn2Own competition seems to have resulted in a much smaller number of successful exploits against the popular browsers. In fact, nobody even attempted to hack Chrome this year, which is likely the result of both Chrome being historically difficult to exploit, as well as too few researchers attending the competition.
How The Browsers Fared This Year
Chrome aside, there were four attempts against Apple's Safari, which looks to be this year’s most exploited browser. Of those four attempts, two were successful. There were three attempts against Microsoft’s Edge browser (by the same researcher, Richard Zhu, a long-time Pwn2Own participant), and only one succeeded.
Zhu also attempted an exploit against Firefox, using a Windows kernel exploit, and succeeded in the first try. Two years ago, Firefox went missing-in-action at the Pwn2Own competition, allegedly because the organizers thought the browser was getting too easy to hack. Last year, Firefox already had partial sandboxing enabled and finished in a better position than Edge, the most hacked browser in that competition.
In 2018, Firefox came even better prepared with its “just right” sandboxing architecture, and an improvement over the partial sandboxing it had last year. However, as there was only one attempt against it, it’s difficult to say just how much the browser’s security has actually improved.
Kernel Exploits, The New “Go-To” For Browser Hackers
Zhu did need to use a Windows kernel exploit to hack Firefox, which tells us that the Firefox sandboxing must be working. Most OS-level sandboxing techniques that browsers use today can be bypassed by kernel exploits. However, Microsoft has been working on more restrictive sandboxing and virtualization modes that should be available in future builds of Windows 10.
Kernel exploits also seems to be the theme at this year’s contest. All the exploits that succeeded in breaking Safari, Edge, and Firefox’s security took advantage of OS kernel flaws or some other kind of sandbox escape. This tells us that there is a higher security bar that malware developers will need to reach in order to hack users through their browsers... and that OS developers need to focus more on kernel security.
OS kernels, whether it’s Linux, the macOS kernel, or the Windows kernel, now count millions of lines of code, so the potential for bugs in them is larger than most people may think. Microsoft has been focusing increasingly more on kernel security lately, as have the Linux developers, in part due to Google’s help. Google has been sponsoring the Linux Kernel Self Protection (KSP) project, which aims to enable more anti-exploit techniques right into the mainstream Linux kernel. Before this, Google had also begun locking down the Linux kernel more and more on Android.
The absence of Chinese teams may have caught the Pwn2Own competition organizers off-guard, this year, but we can probably expect a more intense competition next year. However, rewards may first have to increase for each particular exploit if vendors want to get more researchers to look for bugs in their products. As browsers’ sandboxes have improved, it also seems to have gotten more difficult to bypass browser security, so companies will have to try harder to motivate the researchers.