Last week Google announced the details of the third iteration of Pwnium, Google’s contest where it gives cash to security researches who can demonstrate vulnerabilities in select Google applications. The big news of this announcement was that the amount of money got much bigger (up to 3.14 million dollars in rewards), and the target shifted from the Chrome browser to Chrome OS. This is interesting for a whole host of reasons that directly impact the future of security.
Google Raises the Stakes
From a pure security perspective, vulnerability research is obviously a very good thing – it’s far better for the author of an application to proactively find their weaknesses in a relatively controlled way as opposed to having the bad guys find them in the wild. This is why Google is offering bounties for newly discovered vulns against Chrome OS and the Chrome browser. What’s unique is the amount of money that Google is putting into the pot.
It does create an interesting dynamic however. Google is paying more money, but it is also asking for more from researchers. Unlike previous events, which only required researchers to demonstrate a vulnerability, Google’s Pwnium requires access to the full working exploit. This puts them in a bidding war, not with other companies and vendors, but with the governments and criminal organizations that pay top dollar for that sort of information. One way or another Google is certainly entering the deep part of the pool.
Follow the Money
While the dollar figures will certainly make people take notice, I believe what they are spending that money on is even more interesting. The majority of the π-million dollars of bounties are dedicated to finding vulnerabilities in Chrome OS. Since the Chrome browser is already part of the Pwn2Own contest, Google decided to focus Pwnium on their still relatively new operating system Chrome OS. So not only is Google raising the bar, installing a ladder and raising the bar again in terms of vuln bounties – they are doing so for an operating system that is virtually non-existent in the wild. The choice is even more interesting considering that Google is offering nothing for vulns related to their Android operating system, which oh by the way, happens to be the dominant OS on mobile devices on the planet. If nothing else, this disparity clearly points out how strategic the browser-as-the-OS approach is to Google’s future.
This evolution will continue to force security teams to evolve their definitions of what an application is and how they are controlled. The browser is already the major portion of the attack surface for most end-users. Many highly dynamic applications are tunneled through the browser today, and most any protocol can be tunneled within HTTP. Exploits are served to end-users through the browser using exploit kits such as Black Hole. Java script and a variety of client-side technologies are abused in cross-site scripting attacks, and a variety of browser plugins such as a Flash and Java that are common sources of attack.
A browser-OS model pushes this evolution to its logical extreme. Literally every application becomes a web-application or plugin, and the browser (or something like it) comes to represent virtually all of user-space in an OS sense. And to paraphrase Stan Lee, with that great power comes great responsibility. A responsibility that will require much more than bounties on vulnerabilities. Google seems to be committed to the task thus far, but it will be a very interesting evolution to watch over the coming months and years.