This is a read-only archive. Find the latest Linux articles, documentation, and answers at the new Linux.com!

Linux.com

Feature: News

Ubuntu machine uncracked in Pwn to Own contest

By Bruce Byfield on March 31, 2008 (5:00:00 PM)

Share    Print    Comments   

At this year's CanSecWest conference, would-be crackers could try their skills on three separate laptops: One running OS X, one running Ubuntu, and one running Vista. At the end of the three-day security conference in Vancouver, Canada, last week, both the Mac OS X Leopard and Vista machines had been cracked, leaving only the Ubuntu box uncompromised.

Sponsored by TippingPoint's Digital Vaccine Laboratories as part of their Zero Day Initiative program for discovering and reporting new bugs, the contest was announced several weeks ago, with clearer rules and increased cash prizes announced just two days before the conference.

Participants had their choice of attacking any of three laptops: a VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu UB810 running Vista Ultimate Service Patch 1, and MacBook Air running OS X 10.5.2. Each operating system was the latest version, and was patched with the latest security updates available.

During the three days of CanSecWest, would-be crackers could sign up to receive a random 30-minute time slot to attempt their exploit. To avoid confusion, only one effort was allowed at a given time. To win, contestants had to use a zero-day attack -- that is, one made through a previously unknown vulnerability -- to read a specific file on the laptop. The first to crack each laptop would receive the laptop and a cash prize.

To add tactical interest to the challenge, the rules progressively made exploits easier -- the cash prize progressively smaller. On the first day of the conference, only remote vulnerabilities that did not require any user interaction were permitted, and winners would receive $20,000. On the second day, attacks could also be made via any applications, and could include phishing attacks in which users followed a link through email, instant messaging, or Web browsing, but the prize was reduced to $10,000. Finally, on the third day, popular third-party applications would be added to each machine that could be used in an attack, and the prize became $5,000. This arrangement encouraged contestants to focus on the most potentially serious vulnerabilities first.

As each machine was cracked, it would be removed from the competition. Winners could turn their attention to the remaining machines, but could not use a cross-platform vulnerability on more than one machine.

The successes

The first success came shortly after noon on the second day of the conference, when a team from Independent Security Evaluators consisting of Charlie Miller, Jake Honoroff, and Mark Daniel used a vulnerability in the Safari Web browser to compromise the MacBook Air and win $10,000.

The second victory was claimed just before the end of CanSecWest at 6 p.m. on the third day when Shane Macaulay of Security Objectives, with help from Derek Callaway and Alexander Sotirov. Macaulay, who was also on the team that won last year's competition, used a defect in Adobe Flash to claim the Vista laptop and $5,000.

Shortly after Macaulay's success, the conference ended, leaving the Ubuntu machine the only one uncracked.

More details about the techniques used are unavailable, because each winner is required to sign a non-disclosure agreement and is limited in what he can say until the vulnerability is patched.

The winner's approach and motivation

Macaulay was unavailable for comment during or after the conference. However, Miller spoke to Linux.com at about the time that Macaulay was attempting his successful exploit.

"On TV and stuff, the hackers sit down and they break into systems in seconds," Miller says. "But in real life what happens is that they announced this contest a month ago, and me and my team of security guys made a conscious decision that we wanted to enter the contest.

"We decided that we would try the Mac, just because it was the easiest target. We've sort of looked at all these guys in the past, and every time we look at the Mac, we find something. When we've look at the other systems, we've usually not been so lucky. So we figured we go with what we've found easiest in the past."

According to Miller, for all the attention that the contest received, the reality is that only a few contestants actually took the challenge. "You don't enter the competition unless you basically have something," Miller says. "All the people like us who decided three weeks ago to enter, if they didn't find a weak point, they didn't enter, so you don't get a sense of how many people tried and failed. All you know is the people who think they could do it."

Miller's says that his motivations for entering Pwn to Own was a mixture of the challenge and the chance to help security. "I like to compete," he says, "and I don't get much of a chance to do so. Also, of course, we have skills that help make things more secure, and here is an opportunity for us to use those skills in a positive manner. If it hadn't been for the competition, we wouldn't have looked for bugs, and this bug wouldn't have got fixed."

What do the results mean?

Considering the intense loyalty some users have to their operating systems, the CanSecWest competition results are obvious fuel for flame wars. "Linux is king!" proclaimed one post on the Fedora list while I was writing this article, and other cheerleaders and excuse-makers are starting to post on blogs across the Internet.

Mac OS X and Vista supporters will no doubt try to claim that the Ubuntu system remained uncracked simply because fewer people are familiar with it. In turn, GNU/Linux users insist that the contest shows what they knew all along -- that their operating system of choice is architecturally more secure.

However, neither conclusion seems completely justified, especially from such a small sample of evidence. A simpler explanation may be that Ubuntu 7.10 was released six months ago, and so, presumably, has been extensively tested and patched. By contrast, OS X 10.5.2 and Vista's Service Patch 1 were both released only six weeks ago, so their vulnerabilities have had less time to come to light.

Possibly, too, for those who implement security, the operating system victory is less important than the fact that phishing and third-party applications were the keys to success, rather than general system vulnerabilities.

Despite the temptation to see patterns, the contest remains too small a sample from which to draw any conclusions. What matters is not just that the contest succeeded in pinpointing a couple of bugs, but that it succeeded in focusing people's attention on security -- which was, after all, the subject of the conference.

Bruce Byfield is a computer journalist who writes regularly for Linux.com.

Share    Print    Comments   

Comments

on Ubuntu machine uncracked in Pwn to Own contest

Note: Comments are owned by the poster. We are not responsible for their content.

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 221.128.180.151] on March 31, 2008 05:45 PM
I am a little bit skeptical. Isn't Flash cross platform? So the flash flaw could affect Ubuntu as well.

#

Re: Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 83.72.129.159] on March 31, 2008 07:53 PM
AFAIK Adobe Flash is the name of the application used to make Flash applets (which is not cross platform) and not the player, but we will only know when the bug is disclosed.

#

Re(1): Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 221.128.181.115] on April 02, 2008 12:57 PM

Re: Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 83.240.230.238] on April 02, 2008 12:44 PM
Probably it could affect Ubuntu if the system allowed that process and user to access the system freely.
On a O.S. a process runs using an access account, on XP if you take a look at taskmanager (Ctrl+Alt+Del) on the process tab you will see the list of processes running and which user responsible for the process. This means that every time a program is active its associated to a user account, it can be a real user or a system account used for that purpose, that program will have access to what the user running it has.
The security of cross platform applications has a lot to do with the way O.S. allows the application to run, its has a lot to do with security implementation on the system. Any Ubuntu user knows that for most of the critical O.S. need to be run trough sudo otherwise system won't allow them to do much.
On my Linux box when I open a browser the aplication is Firefox and the user is wwwrun, the browser is running on a different account probably with more restrictions than my user account. On XP the browser runs with the same restrictions that my user account which is by the away an administrator account. Its all about security implementation on the O.S.

#

Re: Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 165.98.145.124] on April 02, 2008 04:39 PM
linux is the best of the best die Windows!!!

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 204.137.64.112] on March 31, 2008 05:50 PM
That's the theory, apparently you could gain access to the linux box.

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 68.12.20.5] on March 31, 2008 06:08 PM
The implementation details are different since audio and video, among other things, are done quite differently. So it's really an unknown at this time.

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 65.165.96.71] on March 31, 2008 06:11 PM
It's a stupid contest, it does not really tell which platform is better than any other platform in terms of security. News flash, they all have flaws, two were found at the contest. Yawn.

#

Re: Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 208.127.215.14] on March 31, 2008 06:49 PM
Sleepy [ip: 65.165.96.71] must have fallen asleep and missed reading the end of the piece, thereby missing the point of PWN TO OWN altogether.

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 67.128.15.242] on March 31, 2008 08:50 PM
ubuntu ftw

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 72.140.132.124] on March 31, 2008 09:59 PM
According to a report by LinuxWorld:

http://www.linuxworld.com/news/2008/032908-with-vista-breached-linux-unbeaten.html

the main reason why Ubuntu, which I'm using to write this comment on, was because, and I quote,

"Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

I agree with the others and say that this doesn't prove much. All systems have flaws, but as Roughly Drafted posted, there seems something a little fishy going on here:

http://www.roughlydrafted.com/2008/03/31/thom-holwerda-of-osnews-calls-%e2%80%9cmac-shot-first%e2%80%9d-misinformation-and-slander-oops/

and also here:

http://www.roughlydrafted.com/2008/03/31/thom-holwerda-of-osnews-calls-%e2%80%9cmac-shot-first%e2%80%9d-misinformation-and-slander-oops/

I, for one, am a little suspiscious of anything that Microsoft sponsors! They have been known to do do what ever it takes to keep their inferior OS and other software on top - take the legal threats against Linux patents for example.

I will take Linux orevem OS X over Window based 'junk' anyday of the week.

#

Re: Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 129.176.151.6] on April 01, 2008 03:22 AM
"Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

My conclusion: Linux bug finders are: 1. too lazy to exploit bugs, 2. too rich to care for $10,000, or 3. Both. OSX and Vista bug finders are: 1. not too lazy to exploit bugs, 2. not too rich that $10,000 is worth passing up, or 3. Both.

#

Re(1): Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 83.240.230.238] on April 02, 2008 01:02 PM
Can't agree with you! You understood it all wrong
First of all this contest is about a 0day bug, this means a bug not revealed in any bug tracker site or official and waiting for patch.
In the FOSS community the list of bugs found is huge, if a bug is found a few hours later is disclosed and everyone know the flaw but most of the people will be committed to find a solution.
The Linux box was kept uncracked because:
A) Possible bugs and flaws that can compromise it are mostly known, or at least disclosed, so can't be used to crack it in this contest.
B) Its already a mature O.S. making it hard to find a knew bug or flaw.
C) Mac OSX and Vista are so mouthfull of defendants telling that they are the best O.S around that they deserve to be cracked.
D) Linux is still most secure O.S, not because it has less bugs or better code, but because of a great community working to make it better. Everyday Linux is tested...

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 68.105.48.3] on April 01, 2008 12:16 AM
"Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

This is still significant, though, since it means that it takes more effort to crack Linux than OSX or Vista.

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 217.219.63.10] on April 01, 2008 10:07 AM
Ubuntu utterly crushes vista and osx. Not news. Tell me something I don't know :)

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 204.184.48.113] on April 01, 2008 03:15 PM
Freakin' right! Now developers just need to get games running on Linux and it'll be bye bye Windows.

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 71.85.148.166] on April 01, 2008 03:28 PM
Ubuntu isn't even the best linux has to offer...

I would look at it this way... OSX and Linux are the best os's...windows just happens to be on the most computers

#

FreeBSD

Posted by: Anonymous [ip: 76.110.195.107] on April 01, 2008 06:47 PM
Wish someone would've included FreeBSD or one if its derivatives, such as DesktopBSD or PC-BSD. Or, for the ultimate security challenge, OpenBSD. Maybe next year .......

#

Re: FreeBSD

Posted by: Anonymous [ip: 192.168.2.48] on April 09, 2008 04:35 AM
You can't really call *BSD a good Desktop system.

All three systems there you can buy in a store. BSD isn't exactly Desktop material.

What next, Solaris? ;)

#

Ubuntu machine uncracked in Pwn to Own contest

Posted by: Anonymous [ip: 70.64.155.34] on April 04, 2008 06:26 PM
What is really interesting is that the OS who's guts are exposed for the whole world to see was not able to be Pwned. And yet Vista which has been patching for the last year (which is what SP1 is), was still taken over. Granted it was through a third party but if the OS was really secure it should be able to stop that in an intelligent manner. What really amusing is SteveB at Microsoft.com, where he says in an ENTnews article, "Why should code written randomly by some hacker in China and contributed to some open-source project, why is its pedigree by definition somehow better than the pedigree of something that is written in a controlled fashion?" he asked. "I don't buy that."
Is this 'controlled fashion' really better? It would seem not.

#

This story has been archived. Comments can no longer be posted.



 
Tableless layout Validate XHTML 1.0 Strict Validate CSS Powered by Xaraya