Hewlett-Packard’s Zero Day Initiative (ZDI) is putting up $645,000 in cash prizes for researchers involved in this year’s Pwn2Own contest, including $150,000 for anyone who can circumvent the protections of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
The annual contest, which will take place at the CanSecWest conference in Vancouver, awards white hat hackers who are able to takedown popular browsers and browser plugins. But this is the first time a specific prize has been offered for defeating EMET.
“The latest versions of Internet Explorer run in a special, isolated area of the computer’s memory,” explained Angela Gunn, senior security content developer at HP, in a blog post. “Tech folk call that a “sandbox,” but you can think of it as a padded room where an application can spend time without hurting itself or others. The first step in the contest is to break out of IE’s padded room – using a fault in the construction of the padded room itself.”
“Once that’s done, the contestant must gain control over the rest of the computer,” she blogged. “The second challenge is for the contestant to locate and use more faults in the system to read its information, change its data, and eventually control its behavior as he pleases; the newest 64-bit computers make that tough, but a successful contestant will prevail.”
“But there’s one more hurdle,” she added. “Microsoft has software called the Enhanced Mitigation Experience Toolkit (EMET). It essentially builds more padded rooms inside Windows and protects against many kinds of attack techniques – including payloads installed by attackers seeking the Exploit Unicorn. The third and ultimate test for our contestants is to break through EMET protections and truly control the computer.”
The hack must be done on a machine running Windows 8.1 x64 and Internet Explorer 11. Just exploiting IE 11 on Windows 8.1 x64 without beating EMET will garner a $100,000 prize. Other targets in the contest include the Google Chrome browser, Apple Safari and Mozilla Firefox, as well as the Oracle Java and Adobe Flash Player and Adobe Reader plug-ins.
Vulnerabilities and exploit techniques revealed at the contest will be disclosed to the affected vendors, and the proof-of-concept will become the property of HP.
The contest will run from March 12 to March 13. Interested researchers can register here at zdi@hp.com.