Google has again increased the amount it is prepared to pay out to hackers who find serious holes in the Chrome OS. In Google fashion the headline sum uses a mathematical constant - this time it is e - giving a total prize pot for this year's Pwnium of $2.71828 million.
Pwnium 4 is Google's fourth annual hacking contest and will be held in March at the CanSecWest security conference in Vancouver alongside the longer-established "Pwn2Own".
For anyone mystified by the contests' names, pwn means to hack, and contestants in the Pwn2Own contest get to keep the device they succeed in hacking as well as competing for cash prizes. Pwnium is a play on the full name of Google Chrome: Chromium.
Although Google's total prize pot is set at $2.71828 million, the full sum won't necessarily be paid out.
Rewards of $150,000 will be made for any hack via a Web page that lets a hacker control a Chrome OS PC even after it reboots, and $110,000 for similar hacks that don't persist after rebooting.
In addition, the Chromium blog states:
New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.
The link in the above paragraph points to an article on LWN.net on kernel address space layout randomization (kASLR), a technique that has been added to Chrome OS that makes exploits harder by placing various objects at random, rather than fixed, addresses.
Whereas previous competitions have been restricted to Intel-based Chrome OS devices, this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. Although devs can work with virtual machines, the attack has to be demonstrated on the physical device running the then-current stable version of Chrome.
For the Pwnium contest, the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL.
Participants need to register in advance for a timeslot in which to demonstrate their exploits and only exploits demonstrated in this specifically-arranged window will be eligible for a reward. Registration, which is by e-mail to firstname.lastname@example.org, closes at 5:00 p.m. PST Monday, March 10th, 2014.
Pwn2Own will also take place at CanSecWest, between March 12-14, and its rules for this year will be announced shortly.