Google to pay $40,000 “consolation prize” to Pinkie Pie for not-quite breaking into Chrome OS

Pinkie Pie is the name of the renowned Chrome hacker who won Google’s Pwnium competition in 2012.

He unleashed a seven-step exploit chain against Google’s Chrome browser, giving him silent remote code execution, also known as a drive-by-install.

Well, Pinkie Pie was back at this year’s Pwnium, taking a tilt at some of the Pi million dollars Google had put into the prize bucket.

This year’s contest wasn’t quite the same as in 2012: you weren’t attacking the Chrome browser on a general-purpose operating system, but taking on the closed ecosystem of Chrome OS.

Chrome OS is Google’s take on the walled garden approach favoured by Apple for its iOS devices: a locked-down version of Linux, with the Chrome browser layered on top for access to web applications and cloud services.

The main purpose of Chrome OS is control, and whether you like that approach or not, it can (and in Google’s case apparently does) lead to tighter security.

With fewer configuration knobs to twiddle and buttons to press, and with a security setup that’s baked in by Google, there ought to be less to go wrong, and fewer places for escape, either by accident or design.

And escaping by design evaded Pinky Pie this year, which meant that he missed out on any of the official prizes.

Google was offering $110,000 for pwnership (remote code execution with minimal user interaction), and $150,000 for persistent pwnership (also known as “a malware infection that survives between logins or reboots”, or an APT).

However, Google just announced that it would dip into the $π,000,000 dollar prize fund to pay Mr Pie a a $40,000 consolation prize.

As Google’s Chris Evans, who goes by the improbable-sounding job title of Chief Reward Officer (does his payment plan go up as he gives more away, do you think?), pointed out:

In particular, we’d like to thank Pinkie Pie for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures and keep users safe.

If you followed the Pwnium/PWN2OWN competitions last year, you’ll no doubt be aware that Google withdrew from PWN2OWN in 2012 because its conditions for winners allowed them to collect their prizes by merely demonstrating their exploits, without any requirement that the exploit be disclosed to the affected software vendor.

Google, quite rightly in my opinion, decided that this would fall foul of the company’s own responsible disclosure policy, which encourages researchers not to go public with exploitable hacks unless they’ve given the hacked product a fair chance to patch the holes first.

→ Proponents of the publish-and-be-done-with-it school, also known as full disclosure, suggest, perhaps a trifle disingenuously, that an aggressive approach is the only way to get the attention of vendors. Even though this puts the good guys and the bad guys on an equal footing, argue the full-disclosurists, that’s better than risking a situation where the bad guys might be a step ahead.

So it’s good to see Google taking the extra step here (and reaching for the chequebook, to boot) in order to encourage researchers to disclose even partial exploits.

This avoids any criticism that Google’s contest might have worked against truly responsible disclosure by rewarding only those attacks which were already fully formed and as-yet unknown.

The value of early and partial disclosure is reinforced by Evans’s observation (and since he’s paying out 40 kilodollars, he’s entitled to gloat a little on this point) that most of the bugs exposed by Pinky Pie’s otherwise-incomplete work have already been fixed.

That means that any cybercrooks who were working along Pinky Pie’s lines towards a zero-day exploit now have to start over.

Which is nice!