{{+bindTo:partials.standard_nacl_article}}

<section id="security-contest-archive">
<span id="contest-archive"></span><h1 id="security-contest-archive"><span id="contest-archive"></span>Security Contest Archive</h1>
<div class="contents local" id="contents" style="display: none">
<ul class="small-gap">
<li><a class="reference internal" href="#contest-overview" id="id2">Contest overview</a></li>
<li><a class="reference internal" href="#contest-winners" id="id3">Contest winners</a></li>
<li><p class="first"><a class="reference internal" href="#panel-of-judges" id="id4">Panel of judges</a></p>
<ul class="small-gap">
<li><a class="reference internal" href="#chair" id="id5">Chair</a></li>
<li><a class="reference internal" href="#judges" id="id6">Judges</a></li>
</ul>
</li>
<li><a class="reference internal" href="#additional-information" id="id7">Additional information</a></li>
</ul>

</div><p>The Native Client team at Google has gone to exceptional measures to
make Native Client a secure system, including holding a public
security contest. This page archives information from that contest,
including the list of contest winners and the lineup of security
experts who served as judges.</p>
<p>Although the security contest has ended, the Native Client team
welcomes your continued involvement in the project. You can help by
submitting bugs and participating in the Native Client discussion
group.</p>
<section id="contest-overview">
<h2 id="contest-overview">Contest overview</h2>
<p>The Native Client team held a contest in 2009 to test the security of
Native Client and help make the system more secure. Participants were
invited to discover security bugs in Native Client technology in order
to compete for cash prizes.</p>
<p>Here was the challenge put forth by the Native Client team:</p>
<blockquote>
<div>Do you think it is impossible to safely run untrusted x86 code on
the web? Do you want a chance to impress a panel of some of the top
security experts in the world? Then submit an exploit to the Native
Client Security contest and you could also win cash prizes, not to
mention bragging rights.</div></blockquote>
<p>The contest judges evaluated exploits designed to defeat Native Client
security measures based on severity, scope, reliability, and
style. The winning teams and entries are listed below.</p>
</section><section id="contest-winners">
<span id="id1"></span><h2 id="contest-winners"><span id="id1"></span>Contest winners</h2>
<p>The Native Client team thanks everyone who participated in the contest
for their contributions to improving the quality and security of the
Native Client system. The judges reviewed the submitted exploits and
identified the following teams as winners:</p>
<table border="1" class="docutils">
<colgroup>
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td><img alt="First place medal" class="first last" src="/native-client/images/medal-64_1st.png" />
</td>
<td><p class="first"><strong>Team</strong>: Beached As</p>
<p><strong>Members</strong>: Mark Dowd, Ben Hawkes</p>
<p><strong>Submitted issues</strong>: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63</p>
<p class="last">Mark Dowd and Ben Hawkes are application security specialists
hailing from Australia and New Zealand, respectively. Mark
works for IBM ISS X-Force R&amp;D, whereas Ben currently performs
independent research while simultaneously pursuing a
mathematics and computing science degree. Both have uncovered
major security flaws in ubiquitous Internet software, in terms
of both exploitable bugs and weaknesses in system protection
mechanisms. Both have spoken at numerous security conferences
in recent years, including BlackHat, Ruxcon, KiwiCon, and
CanSecWest.</p>
</td>
</tr>
<tr class="row-even"><td><img alt="Second place medal" class="first last" src="/native-client/images/medal-64_2nd.png" />
</td>
<td><p class="first"><strong>Team</strong>: CJETM</p>
<p><strong>Members</strong>: Jason Carpenter, Eric Monti, Chris Rohlf</p>
<p><strong>Submitted issues</strong>: 42, 44, 49, 70</p>
<p class="last">Team CJETM is comprised of security vulnerability researchers
Chris Rohlf, Jason Carpenter and Eric Monti. All three have
abused software professionally for a long time.</p>
</td>
</tr>
<tr class="row-odd"><td><img alt="Third place medal" class="first last" src="/native-client/images/medal-64_3rd.png" />
</td>
<td><p class="first"><strong>Team</strong>: 0xdead</p>
<p><strong>Members</strong>: Gabriel Campana</p>
<p><strong>Submitted issues</strong>: 45</p>
<p class="last">Gabriel Campana is a security researcher working at Sogeti ESEC
R&amp;D labs. His research interests are mainly focused on
vulnerability research, exploitation methods, and Linux kernel
security. Lately he has been working on automated vulnerability
research, especially fuzzing. In his spare time, he plays with
embedded network devices.</p>
</td>
</tr>
<tr class="row-even"><td><img alt="Fourth place medal" class="first" src="/native-client/images/medal-64_4th.png" />
<p class="last">(tie)</p>
</td>
<td><p class="first"><strong>Team</strong>: teamfkmr</p>
<p><strong>Members</strong>: Daiki Fukumori</p>
<p><strong>Submitted issues</strong>: 66, 67</p>
<p class="last">Daiki Fukumori is a web security researcher. He has given talks
at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced
Native Client security at Shibuya.pm. He currently has an
interest in cloud security.</p>
</td>
</tr>
<tr class="row-odd"><td><img alt="Fourth place medal" class="first" src="/native-client/images/medal-64_4th.png" />
<p class="last">(tie)</p>
</td>
<td><p class="first"><strong>Team</strong>: Alex Rad</p>
<p><strong>Members</strong>: Alex Radocea</p>
<p><strong>Submitted issues</strong>: 81</p>
<p class="last">Alex Radocea is a 20-year-old student at Rensselaer Polytechnic
Institute. In the realm of computer security he is really
excited about proactively designed technology which can help
wipe out entire bug classes. Currently he is helping improve
Native Client through Google Summer of Code.</p>
</td>
</tr>
</tbody>
</table>
</section><section id="panel-of-judges">
<span id="contest-judges"></span><h2 id="panel-of-judges"><span id="contest-judges"></span>Panel of judges</h2>
<p>Google recruited the following group of distinguished security experts
to serve as judges for the Native Client security contest:</p>
<section id="chair">
<h3 id="chair">Chair</h3>
<table border="1" class="docutils">
<colgroup>
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td>Edward Felten</td>
</tr>
<tr class="row-even"><td>Princeton University</td>
</tr>
<tr class="row-odd"><td><a class="reference external" href="http://www.cs.princeton.edu/~felten/">http://www.cs.princeton.edu/~felten/</a></td>
</tr>
</tbody>
</table>
</section><section id="judges">
<h3 id="judges">Judges</h3>
<table border="1" class="docutils">
<colgroup>
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td>Alex Halderman</td>
<td>Niels Provos</td>
<td>Bennet Yee</td>
</tr>
<tr class="row-even"><td>University of Michigan</td>
<td>Google</td>
<td>Google</td>
</tr>
<tr class="row-odd"><td><a class="reference external" href="http://www.cse.umich.edu/~jhalderm/">http://www.cse.umich.edu/~jhalderm/</a></td>
<td><a class="reference external" href="http://www.citi.umich.edu/u/provos/">http://www.citi.umich.edu/u/provos/</a></td>
<td><a class="reference external" href="http://www.bennetyee.org/">http://www.bennetyee.org/</a></td>
</tr>
<tr class="row-even"><td>Brad Karp</td>
<td>Stefan Savage</td>
<td>Nickolai Zeldovich</td>
</tr>
<tr class="row-odd"><td>University College London</td>
<td>University of California San Diego</td>
<td>MIT</td>
</tr>
<tr class="row-even"><td><a class="reference external" href="http://www.cs.ucl.ac.uk/staff/B.Karp/">http://www.cs.ucl.ac.uk/staff/B.Karp/</a></td>
<td><a class="reference external" href="http://www.cs.ucsd.edu/~savage">http://www.cs.ucsd.edu/~savage</a></td>
<td><a class="reference external" href="http://people.csail.mit.edu/nickolai/">http://people.csail.mit.edu/nickolai/</a></td>
</tr>
<tr class="row-odd"><td>Greg Morrisett</td>
<td>Dan Wallach</td>
<td><div class="first last">&nbsp;</div></td>
</tr>
<tr class="row-even"><td>Harvard University</td>
<td>Rice University</td>
<td><div class="first last">&nbsp;</div></td>
</tr>
<tr class="row-odd"><td><a class="reference external" href="http://www.eecs.harvard.edu/~greg/">http://www.eecs.harvard.edu/~greg/</a></td>
<td><a class="reference external" href="http://www.cs.rice.edu/~dwallach/">http://www.cs.rice.edu/~dwallach/</a></td>
<td><div class="first last">&nbsp;</div></td>
</tr>
</tbody>
</table>
</section></section><section id="additional-information">
<h2 id="additional-information">Additional information</h2>
<p>For additional information about the Native Client security contest,
see the archived
<a class="reference internal" href="/native-client/community/security-contest/contest-announcement.html"><em>Contest Announcement</em></a>,
<a class="reference internal" href="/native-client/community/security-contest/contest-faq.html"><em>FAQ</em></a> and
<a class="reference internal" href="/native-client/community/security-contest/contest-terms.html"><em>Terms &amp; Conditions</em></a>.</p>
<p>If you&#8217;d like to get involved with Native Client, you can:</p>
<ul class="small-gap">
<li>Use the <a class="reference external" href="/native-client/sdk/download">Native Client SDK</a> to build Native
Client web applications.</li>
<li>Submit <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">bugs</a>
and participate in the Native Client
<a class="reference external" href="http://groups.google.com/group/native-client-discuss">discussion group</a>.</li>
<li>Contribute to the
<a class="reference external" href="http://code.google.com/p/nativeclient/">Native Client open-source project</a>.</li>
</ul>
</section></section>

{{/partials.standard_nacl_article}}