.. _contest_archive:

########################
Security Contest Archive
########################

.. contents::
   :local:
   :backlinks: none
   :depth: 2

The Native Client team at Google has gone to exceptional measures to
make Native Client a secure system, including holding a public
security contest. This page archives information from that contest,
including the list of contest winners and the lineup of security
experts who served as judges.

Although the security contest has ended, the Native Client team
welcomes your continued involvement in the project. You can help by
submitting bugs and participating in the Native Client discussion
group.

Contest overview
================

The Native Client team held a contest in 2009 to test the security of
Native Client and help make the system more secure. Participants were
invited to discover security bugs in Native Client technology in order
to compete for cash prizes.

Here was the challenge put forth by the Native Client team:

  Do you think it is impossible to safely run untrusted x86 code on
  the web? Do you want a chance to impress a panel of some of the top
  security experts in the world? Then submit an exploit to the Native
  Client Security contest and you could also win cash prizes, not to
  mention bragging rights.

The contest judges evaluated exploits designed to defeat Native Client
security measures based on severity, scope, reliability, and
style. The winning teams and entries are listed below.

.. _contest_winners:

Contest winners
===============

The Native Client team thanks everyone who participated in the contest
for their contributions to improving the quality and security of the
Native Client system. The judges reviewed the submitted exploits and
identified the following teams as winners:

.. list-table::

  * - .. image:: /images/medal-64_1st.png
         :alt: First place medal

    - **Team**: Beached As

      **Members**: Mark Dowd, Ben Hawkes

      **Submitted issues**: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63

      Mark Dowd and Ben Hawkes are application security specialists
      hailing from Australia and New Zealand, respectively. Mark
      works for IBM ISS X-Force R&D, whereas Ben currently performs
      independent research while simultaneously pursuing a
      mathematics and computing science degree. Both have uncovered
      major security flaws in ubiquitous Internet software, in terms
      of both exploitable bugs and weaknesses in system protection
      mechanisms. Both have spoken at numerous security conferences
      in recent years, including BlackHat, Ruxcon, KiwiCon, and
      Cansec West.

  * - .. image:: /images/medal-64_2nd.png
         :alt: Second place medal

    - **Team**: CJETM

      **Members**: Jason Carpenter, Eric Monti, Chris Rohlf

      **Submitted issues**: 42, 44, 49, 70

      Team CJETM is comprised of security vulnerability researchers
      Chris Rohlf, Jason Carpenter and Eric Monti. All three have
      abused software professionally for a long time.

  * - .. image:: /images/medal-64_3rd.png
         :alt: Third place medal

    - **Team**: 0xdead

      **Members**: Gabriel Campana

      **Submitted issues**: 45

      Gabriel Campana is a security researcher working at Sogeti ESEC
      R&D labs. His research interests are mainly focused on
      vulnerability research, exploitation methods, and Linux kernel
      security. Lately he has been working on automated vulnerability
      research, especially fuzzing. In his spare time, he plays with
      embedded network devices.

  * - .. image:: /images/medal-64_4th.png
         :alt: Fourth place medal

      (tie)

    - **Team**: teamfkmr

      **Members**: Daiki Fukumori

      **Submitted issues**: 66, 67

      Daiki Fukumori is a web security researcher. He has given talks
      at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced
      Native Client security at Shibuya.pm. He currently has an
      interest in cloud security.

  * - .. image:: /images/medal-64_4th.png
         :alt: Fourth place medal

      (tie)

    - **Team**: Alex Rad

      **Members**: Alex Radocea

      **Submitted issues**: 81

      Alex Radocea is a 20-year-old student at Rensselaer Polytechnic
      Institute. In the realm of computer security he is really
      excited about proactively designed technology which can help
      wipe out entire bug classes. Currently he is helping improve
      Native Client through Google Summer of Code.

.. _contest_judges:

Panel of judges
===============

Google recruited the following group of distinguished security experts
to serve as judges for the Native Client security contest:

Chair
-----

+----------------------------------------+
| Edward Felten                          |
+----------------------------------------+
| Princeton University                   |
+----------------------------------------+
| http://www.cs.princeton.edu/~felten/   |
+----------------------------------------+

Judges
------

.. list-table::

  * - Alex Halderman
    - Niels Provos
    - Bennet Yee

  * - University of Michigan
    - Google
    - Google

  * - http://www.cse.umich.edu/~jhalderm/
    - http://www.citi.umich.edu/u/provos/
    - http://www.bennetyee.org/

  * - Brad Karp
    - Stefan Savage
    - Nickolai Zeldovich

  * - University of College London
    - University of California San Diego
    - MIT

  * - http://www.cs.ucl.ac.uk/staff/B.Karp/
    - http://www.cs.ucsd.edu/~savage
    - http://people.csail.mit.edu/nickolai/

  * - Greg Morrisett
    - Dan Wallach
    - .. raw:: html



  * - Harvard University
    - Rice University
    - .. raw:: html



  * - http://www.eecs.harvard.edu/~greg/
    - http://www.cs.rice.edu/~dwallach/
    - .. raw:: html



Additional information
======================

For additional information about the Native Client security contest,
see the archived
:doc:`Contest Announcement <contest-announcement>`,
:doc:`FAQ <contest-faq>` and
:doc:`Terms & Conditions <contest-terms>`.

If you'd like to get involved with Native Client, you can:

* Use the `Native Client SDK </native-client/sdk/download>`_ to build Native
  Client web applications.
* Submit `bugs <http://code.google.com/p/nativeclient/issues/list>`_
  and participate in the Native Client
  `discussion group <http://groups.google.com/group/native-client-discuss>`_.
* Contribute to the
  `Native Client open-source project <http://code.google.com/p/nativeclient/>`_.