{"id":6831,"date":"2017-03-02T06:00:16","date_gmt":"2017-03-02T14:00:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-622\/"},"modified":"2017-03-02T06:00:16","modified_gmt":"2017-03-02T14:00:16","slug":"news-622","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-622\/","title":{"rendered":"Pwn2Own \u2013 The Root of Research"},"content":{"rendered":"<p><strong>Credit to Author: Dustin Childs (Zero Day Initiative Communications)| Date: Thu, 02 Mar 2017 13:00:32 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-125x85.jpg 125w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-640x438.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-440x301.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-380x260.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach.jpg 700w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Over the last decade of Pwn2Own\u2122 competitions, different people harbored different emotions towards the contest. It\u2019s been referred to as a blood bath for browsers, although no actual blood has ever been spilt. It has helped launch people\u2019s careers, or at the very least, it has helped increase their notoriety. It\u2019s been accused of crushing souls of fanbois and haters alike. 
Again, no fanbois or haters were harmed throughout the contest\u2019s history, although we make no claims on their souls.<\/p>\n<p>There are also more serious claims that Pwn2Own represents nothing more than \u201csecurity theater\u201d \u2013 they call it a good show, but claim it doesn\u2019t really show anything. If anything, the exact opposite is true. Over the past 10 years, Pwn2Own has become the root of security research.<\/p>\n<p>It\u2019s not just that exploits used during Pwn2Own are complex. They certainly are. Several of the bugs disclosed through the program received accolades from the community, such as the <a href=\"http:\/\/pwnies.com\/archive\/2014\/winners\/\">Pwnie<\/a> awards. More than that, the bugs that appear during Pwn2Own drive the research of others and ultimately prompt mitigations from vendors. For example, several years ago, use-after-free (UAF) vulnerabilities were used to exploit browsers \u2013 especially Internet Explorer. This led to many other researchers finding UAFs and reporting them to the ZDI program. The flood of UAF cases resulted in Microsoft introducing mitigations like Isolated Heap and <a href=\"https:\/\/community.hpe.com\/t5\/Security-Research\/Efficacy-of-MemoryProtection-against-use-after-free\/ba-p\/6556134#.WLYw_BIrJgc\">MemoryProtection<\/a> to prevent many of these UAFs from working. These led ZDI researchers to study the mitigations in depth, where they found a few issues. These findings became a submission to the Microsoft Mitigation Bypass Bounty and an <a href=\"https:\/\/community.hpe.com\/t5\/Security-Research\/HPSR-Microsoft-disclosure-and-the-125-000-bug-bounty\/ba-p\/6704588#.WLYw1xIrJge\">award<\/a> of $125,000 (all given to charity).<\/p>\n<p>Would UAFs have been as popular without Pwn2Own? Perhaps, but their inclusion in the contest certainly drove research in that area, with the result being a more secure browser. Of course, we haven\u2019t just seen UAFs. 
Various types of bugs have been used throughout the years, and each became commonplace (or at least more prevalent) after appearing in the contest. Sandbox escapes, junction point manipulation, Control Flow Guard (CFG) bypasses, and font abuse have all taken their turns.<\/p>\n<p>The vendors are responding, though. If nothing else, additional defensive measures like the suppression of win32k system calls have made exploitation more difficult. In the first Pwn2Own, a single bug was enough to exploit QuickTime. This past year, a winning submission from <a href=\"http:\/\/blog.trendmicro.com\/pwn2own-day-1-recap\/\">360Vulcan Team<\/a> started with a bug in the Google Chrome renderer. From there, they pivoted to use two Flash UAFs. After that, they targeted the Windows kernel with a kernel object UAF. In other words, it took four bugs in three different products from three different vendors to successfully attack Google Chrome and elevate their privileges to SYSTEM. That\u2019s progress.<\/p>\n<p>Another thing setting Pwn2Own apart is the need for a complete exploit chain. Researchers don\u2019t need full, working exploits when submitting bugs to vendors. Even when submitting bugs to the ZDI program, a full proof-of-concept isn\u2019t always required to get paid (although we highly encourage it). The contest is different. Pwn2Own requires researchers to develop exploits from start to finish. And let\u2019s clear something up \u2013 despite what you may have read, it takes significantly longer than 30 seconds to exploit these pieces of software. The exploit itself may only take 30 seconds to execute, but significant time \u2013 often hundreds of hours \u2013 has been spent developing the exploits used during the contest. It just happens quickly during the public phase, which is what everyone sees. 
Do not discount the substantial amount of time it takes to get to that table at <a href=\"https:\/\/www.cansecwest.com\/\">CanSecWest<\/a> ready to run code.<\/p>\n<p>This year, we\u2019re incorporating targets we haven\u2019t included in previous Pwn2Owns: Linux, enterprise applications, and server-side exploits. Will these lead to a new category of attack similar to UAF? Probably not. It usually takes about a year for researchers to catch up to new targets. In 2014, systems with <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2458544\/the-enhanced-mitigation-experience-toolkit\">EMET<\/a> installed were considered \u201cexploit unicorns.\u201d In 2015, every successful exploit had to \u2013 and did \u2013 evade EMET. In 2016, we introduced a category for VMware escapes.<\/p>\n<p>Will we see exploits this year that traverse from guest to host? We certainly hope so, and we look forward to seeing everything else that shows up too. Follow us here and on\u00a0<a href=\"https:\/\/twitter.com\/thezdi\">Twitter<\/a>\u00a0for the latest information and results from the contest. Better yet, join us in person at CanSecWest to see the contest for yourself. You never know what new research will be unveiled.<\/p>\n<h6>\u00a92017 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. 
All other trademarks and trade names are the property of their respective owners.<\/h6>\n<p><a href=\"http:\/\/blog.trendmicro.com\/pwn2own-the-root-of-research\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Dustin Childs (Zero Day Initiative Communications)| Date: Thu, 02 Mar 2017 13:00:32 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-125x85.jpg 125w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-640x438.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-440x301.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach-380x260.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/03\/fbi-breach.jpg 700w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Over the last decade of Pwn2Own\u2122 competitions, different people harbored different emotions towards the contest. It\u2019s been referred to as a blood bath for browsers, although no actual blood has ever been spilt. It has helped launch people\u2019s careers, or at the very least, it has helped increase their notoriety. 
It\u2019s been accused of crushing&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[714,10752,10415],"class_list":["post-6831","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-security","tag-vulnerabilities","tag-zero-day-initiative"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6831"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6831\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6831"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}