At this year's CanSecWest conference, would-be crackers could try their skills on three separate laptops: One running OS X, one running Ubuntu, and one running Vista. At the end of the three-day security conference in Vancouver, Canada, last week, both the Mac OS X Leopard and Vista machines had been cracked, leaving only the Ubuntu box uncompromised.
Sponsored by TippingPoint's Digital Vaccine Laboratories as part of their Zero Day Initiative program for discovering and reporting new bugs, the contest was announced several weeks ago, with clearer rules and increased cash prizes announced just two days before the conference.
Participants had their choice of attacking any of three laptops: a VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu UB810 running Vista Ultimate Service Patch 1, and MacBook Air running OS X 10.5.2. Each operating system was the latest version, and was patched with the latest security updates available.
During the three days of CanSecWest, would-be crackers could sign up to receive a random 30-minute time slot to attempt their exploit. To avoid confusion, only one effort was allowed at a given time. To win, contestants had to use a zero-day attack -- that is, one made through a previously unknown vulnerability -- to read a specific file on the laptop. The first to crack each laptop would receive the laptop and a cash prize.
To add tactical interest to the challenge, the rules progressively made exploits easier -- the cash prize progressively smaller. On the first day of the conference, only remote vulnerabilities that did not require any user interaction were permitted, and winners would receive $20,000. On the second day, attacks could also be made via any applications, and could include phishing attacks in which users followed a link through email, instant messaging, or Web browsing, but the prize was reduced to $10,000. Finally, on the third day, popular third-party applications would be added to each machine that could be used in an attack, and the prize became $5,000. This arrangement encouraged contestants to focus on the most potentially serious vulnerabilities first.
As each machine was cracked, it would be removed from the competition. Winners could turn their attention to the remaining machines, but could not use a cross-platform vulnerability on more than one machine.
The first success came shortly after noon on the second day of the conference, when a team from Independent Security Evaluators consisting of Charlie Miller, Jake Honoroff, and Mark Daniel used a vulnerability in the Safari Web browser to compromise the MacBook Air and win $10,000.
The second victory was claimed just before the end of CanSecWest at 6 p.m. on the third day when Shane Macaulay of Security Objectives, with help from Derek Callaway and Alexander Sotirov. Macaulay, who was also on the team that won last year's competition, used a defect in Adobe Flash to claim the Vista laptop and $5,000.
Shortly after Macaulay's success, the conference ended, leaving the Ubuntu machine the only one uncracked.
More details about the techniques used are unavailable, because each winner is required to sign a non-disclosure agreement and is limited in what he can say until the vulnerability is patched.
The winner's approach and motivation
Macaulay was unavailable for comment during or after the conference. However, Miller spoke to Linux.com at about the time that Macaulay was attempting his successful exploit.
"On TV and stuff, the hackers sit down and they break into systems in seconds," Miller says. "But in real life what happens is that they announced this contest a month ago, and me and my team of security guys made a conscious decision that we wanted to enter the contest.
"We decided that we would try the Mac, just because it was the easiest target. We've sort of looked at all these guys in the past, and every time we look at the Mac, we find something. When we've look at the other systems, we've usually not been so lucky. So we figured we go with what we've found easiest in the past."
According to Miller, for all the attention that the contest received, the reality is that only a few contestants actually took the challenge. "You don't enter the competition unless you basically have something," Miller says. "All the people like us who decided three weeks ago to enter, if they didn't find a weak point, they didn't enter, so you don't get a sense of how many people tried and failed. All you know is the people who think they could do it."
Miller's says that his motivations for entering Pwn to Own was a mixture of the challenge and the chance to help security. "I like to compete," he says, "and I don't get much of a chance to do so. Also, of course, we have skills that help make things more secure, and here is an opportunity for us to use those skills in a positive manner. If it hadn't been for the competition, we wouldn't have looked for bugs, and this bug wouldn't have got fixed."
What do the results mean?
Considering the intense loyalty some users have to their operating systems, the CanSecWest competition results are obvious fuel for flame wars. "Linux is king!" proclaimed one post on the Fedora list while I was writing this article, and other cheerleaders and excuse-makers are starting to post on blogs across the Internet.
Mac OS X and Vista supporters will no doubt try to claim that the Ubuntu system remained uncracked simply because fewer people are familiar with it. In turn, GNU/Linux users insist that the contest shows what they knew all along -- that their operating system of choice is architecturally more secure.
However, neither conclusion seems completely justified, especially from such a small sample of evidence. A simpler explanation may be that Ubuntu 7.10 was released six months ago, and so, presumably, has been extensively tested and patched. By contrast, OS X 10.5.2 and Vista's Service Patch 1 were both released only six weeks ago, so their vulnerabilities have had less time to come to light.
Possibly, too, for those who implement security, the operating system victory is less important than the fact that phishing and third-party applications were the keys to success, rather than general system vulnerabilities.
Despite the temptation to see patterns, the contest remains too small a sample from which to draw any conclusions. What matters is not just that the contest succeeded in pinpointing a couple of bugs, but that it succeeded in focusing people's attention on security -- which was, after all, the subject of the conference.