VANCOUVER, British Columbia — Finding zero-day exploits to win a hacking contest can be really hard work these days. So sometimes the better strategy is just to game the game.
That’s the tactic Team Willem & Vincenzo have taken this year in HP Tipping Point’s annual Pwn2Own contest at the three-day CanSecWest security conference in Canada.
Willem Pinckaers, a reverse engineer for Matasano Security in California, and Vincenzo Iozzo, an independent reverse engineer in Milan, Italy, know they can’t beat the powerhouse five-man team of exploit writers from Vupen Security who seized the lead in the hackfest even before they ever landed in Vancouver by bringing four zero-day exploits with them.
So while the Frenchmen on Team Vupen have been hunched over glowing laptops in the contest room at the Sheraton Hotel, dropping zero-days and other exploits while sporting matching black hoodies, Willem & Vincenzo have been MIA, kicking back with friends, drinking cappuccino and counting the days until their big Friday reveal. That’s when they plan to unleash one zero-day they brought for the contest, as well as a handful of non-zero-day public exploits they created for already patched vulnerabilities. Not bad for a team that appeared until now to be doing nothing.
Unfortunately, their booty won’t be enough to win the $60,000 first-place prize. But they’ll still get the $30,000 second-place bounty, since only two contestants appear to be in the competition at the moment.
“There’s no advantage in giving out zero-days at the start of the competition,” Iozzo says. “So we can just wait until the last day, and then show the zero-days. Because it doesn’t change anything to us.”
That is, unless a phantom third team with the same idea swoops in at the last minute to unseat them. Ever since the Pwn2Own rules changed this year, contestants have been looking for ways to game the game.
Team Vupen brought four zero days, one for each of the browsers that are being targeted in the competition — Microsoft Internet Explorer, Google Chrome, Apple Safari and Mozilla Firefox. But so far the team has dropped only two exploits into the competition.
They dropped the first, a zero-day against Chrome, shortly after the contest began on Wednesday, and followed that up the next day with a zero-day for IE. The team plans to hold the rest of their zero-days in reserve unless an unseen competitor appears to knock them off the winner’s block. There’s no point in disclosing valuable code unless they have to. Vupen sells exploits to government agencies, and any it doesn’t submit to the contest will likely be offered for sale to its clients.
That’s one of the problems with the contest, some say – Vupen is a professional bug hunting and exploit writing company. Other bug hunters, who mainly do it for a hobby, can’t compete with the pro team who do it for a living.
“It’s like playing a soccer game against a professional team. You are bound to lose,” Iozzo says.
While Vupen has kept some would-be contestants away from the competition this year, others have been daunted by the new rules.
In previous years, the contest ran on a lottery basis. Several targets were offered for exploit – laptops or mobile devices with various software loaded on them – and most contestants wrote their exploits before coming to the conference. Each contestant was assigned a number in a lottery draw, and would take a turn to demonstrate his zero-day exploit. If the exploit worked against a target, the target device was taken out of the competition and given to the winning contestant. Anyone else who prepared a zero-day only for that target was then out of luck and out of the competition.
To even the playing field and give more contestants a chance to put their zero-days in play, HP Tipping Point split the contest into two parts this year and changed it to a points-based system. The first part is the zero-day contest, in which contestants have to bring at least one zero-day exploit created for any of four targeted browsers. They earn 32 points for each successful exploit.
The second part involves writing on-the-fly exploits for browser vulnerabilities that have already been patched. Contestants are only told which vulnerabilities to exploit after the contest begins, and have to work on them during the contest’s three days. They earn 10 points for every successful exploit submitted in this category on the first day of the contest, and 9 and 8 points for each one submitted over the remaining two days. A $60,000 award goes to the person or team with the most points at the end of the three-day event, followed by $30,000 for second place and $15,000 for third place.
Oddly, instead of opening the game to more people, the new rules seem to have had the opposite effect. Contestants who once competed on their own with one or two pre-written zero-days were turned off by the idea of having to write exploits during the conference and face off against Vupen’s pro team.
Security researcher Charlie Miller, who was a winner in Pwn2Own last year with an iPhone 4 exploit, told ZDNet there was no way he could compete by himself against the Vupen guys.
“The new format is really more of a team competition, while in the past it was more of an individual competition,” he said. “Plus I don’t really want to spend CanSec writing exploits.”
Only Team Willem & Vincenzo has been ballsy enough to come back this year after winning last year, together with another researcher, with an exploit against BlackBerry’s WebKit-based browser.
They’ve carefully planned their strategy for second place. They already dropped an exploit for one of the patched vulnerabilities on Wednesday, the first day, which gave them 10 points, and dropped a second one on Thursday, for 9 points. They plan to submit two or three more exploits for patched vulnerabilities on Friday, at 8 points each, as well as the zero-day they brought for the competition, worth 32 points. That will give them more than 64 points, the total Vupen currently holds for its two zero-days. Any surprise contestant who shows up on the last day of the contest will need at least two zero-days plus some exploits for patched vulnerabilities to beat them.
“Let’s say on the first day you demonstrate a zero day and then a couple of other competitors show up on the second day and they’re willing to use two zero days . . . that means you’ve given up your zero day and you don’t get anything in return,” Pinckaers says, explaining their strategy. “So it makes sense to use the zero day at the last moment when you know where the actual standing is.”