| .. _contest_archive: |
| |
| ######################## |
| Security Contest Archive |
| ######################## |
| |
| .. contents:: |
| :local: |
| :backlinks: none |
| :depth: 2 |
| |
| The Native Client team at Google has gone to exceptional measures to |
| make Native Client a secure system, including holding a public |
| security contest. This page archives information from that contest, |
| including the list of contest winners and the lineup of security |
| experts who served as judges. |
| |
| Although the security contest has ended, the Native Client team |
| welcomes your continued involvement in the project. You can help by |
| submitting bugs and participating in the Native Client discussion |
| group. |
| |
| Contest overview |
| ================ |
| |
| The Native Client team held a contest in 2009 to test the security of |
| Native Client and help make the system more secure. Participants were |
| invited to discover security bugs in Native Client technology in order |
| to compete for cash prizes. |
| |
| Here was the challenge put forth by the Native Client team: |
| |
| Do you think it is impossible to safely run untrusted x86 code on |
| the web? Do you want a chance to impress a panel of some of the top |
| security experts in the world? Then submit an exploit to the Native |
| Client Security contest and you could also win cash prizes, not to |
| mention bragging rights. |
| |
| The contest judges evaluated exploits designed to defeat Native Client |
| security measures based on severity, scope, reliability, and |
| style. The winning teams and entries are listed below. |
| |
| .. _contest_winners: |
| |
| Contest winners |
| =============== |
| |
| The Native Client team thanks everyone who participated in the contest |
| for their contributions to improving the quality and security of the |
| Native Client system. The judges reviewed the submitted exploits and |
| identified the following teams as winners: |
| |
| .. list-table:: |
| |
| * - .. image:: /images/medal-64_1st.png |
| :alt: First place medal |
| |
| - **Team**: Beached As |
| |
| **Members**: Mark Dowd, Ben Hawkes |
| |
| **Submitted issues**: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63 |
| |
| Mark Dowd and Ben Hawkes are application security specialists |
| hailing from Australia and New Zealand, respectively. Mark |
| works for IBM ISS X-Force R&D, whereas Ben currently performs |
| independent research while simultaneously pursuing a |
| mathematics and computing science degree. Both have uncovered |
| major security flaws in ubiquitous Internet software, in terms |
| of both exploitable bugs and weaknesses in system protection |
| mechanisms. Both have spoken at numerous security conferences |
| in recent years, including BlackHat, Ruxcon, KiwiCon, and |
| Cansec West. |
| |
| * - .. image:: /images/medal-64_2nd.png |
| :alt: Second place medal |
| |
| - **Team**: CJETM |
| |
| **Members**: Jason Carpenter, Eric Monti, Chris Rohlf |
| |
| **Submitted issues**: 42, 44, 49, 70 |
| |
| Team CJETM is comprised of security vulnerability researchers |
| Chris Rohlf, Jason Carpenter and Eric Monti. All three have |
| abused software professionally for a long time. |
| |
| * - .. image:: /images/medal-64_3rd.png |
| :alt: Third place medal |
| |
| - **Team**: 0xdead |
| |
| **Members**: Gabriel Campana |
| |
| **Submitted issues**: 45 |
| |
| Gabriel Campana is a security researcher working at Sogeti ESEC |
| R&D labs. His research interests are mainly focused on |
| vulnerability research, exploitation methods, and Linux kernel |
| security. Lately he has been working on automated vulnerability |
| research, especially fuzzing. In his spare time, he plays with |
| embedded network devices. |
| |
| * - .. image:: /images/medal-64_4th.png |
| :alt: Fourth place medal |
| |
| (tie) |
| |
| - **Team**: teamfkmr |
| |
| **Members**: Daiki Fukumori |
| |
| **Submitted issues**: 66, 67 |
| |
| Daiki Fukumori is a web security researcher. He has given talks |
| at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced |
| Native Client security at Shibuya.pm. He currently has an |
| interest in cloud security. |
| |
| * - .. image:: /images/medal-64_4th.png |
| :alt: Fourth place medal |
| |
| (tie) |
| |
| - **Team**: Alex Rad |
| |
| **Members**: Alex Radocea |
| |
| **Submitted issues**: 81 |
| |
| Alex Radocea is a 20-year-old student at Rensselaer Polytechnic |
| Institute. In the realm of computer security he is really |
| excited about proactively designed technology which can help |
| wipe out entire bug classes. Currently he is helping improve |
| Native Client through Google Summer of Code. |
| |
| .. _contest_judges: |
| |
| Panel of judges |
| =============== |
| |
| Google recruited the following group of distinguished security experts |
| to serve as judges for the Native Client security contest: |
| |
| Chair |
| ----- |
| |
| +----------------------------------------+ |
| | Edward Felten | |
| +----------------------------------------+ |
| | Princeton University | |
| +----------------------------------------+ |
| | http://www.cs.princeton.edu/~felten/ | |
| +----------------------------------------+ |
| |
| Judges |
| ------ |
| |
| .. list-table:: |
| |
| * - Alex Halderman |
| - Niels Provos |
| - Bennet Yee |
| |
| * - University of Michigan |
| - Google |
| - Google |
| |
| * - http://www.cse.umich.edu/~jhalderm/ |
| - http://www.citi.umich.edu/u/provos/ |
| - http://www.bennetyee.org/ |
| |
| * - Brad Karp |
| - Stefan Savage |
| - Nickolai Zeldovich |
| |
| * - University College London |
| - University of California San Diego |
| - MIT |
| |
| * - http://www.cs.ucl.ac.uk/staff/B.Karp/ |
| - http://www.cs.ucsd.edu/~savage |
| - http://people.csail.mit.edu/nickolai/ |
| |
| * - Greg Morrisett |
| - Dan Wallach |
| - .. raw:: html |
| |
| |
| |
| * - Harvard University |
| - Rice University |
| - .. raw:: html |
| |
| |
| |
| * - http://www.eecs.harvard.edu/~greg/ |
| - http://www.cs.rice.edu/~dwallach/ |
| - .. raw:: html |
| |
| |
| |
| |
| Additional information |
| ====================== |
| |
| For additional information about the Native Client security contest, |
| see the archived |
| :doc:`Contest Announcement <contest-announcement>`, |
| :doc:`FAQ <contest-faq>` and |
| :doc:`Terms & Conditions <contest-terms>`. |
| |
| If you'd like to get involved with Native Client, you can: |
| |
| * Use the |
| `Native Client SDK <https://developers.google.com/native-client/sdk>`_ |
| to build Native Client web applications. |
| * Submit `bugs <http://code.google.com/p/nativeclient/issues/list>`_ |
| and participate in the Native Client |
| `discussion group <http://groups.google.com/group/native-client-discuss>`_. |
| * Contribute to the |
| `Native Client open-source project <http://code.google.com/p/nativeclient/>`_. |