Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google Security Technology

Chrome OS Remains Undefeated At Pwnium 3 178

hypnosec writes "Google has announced that its Chrome OS has managed to remain undefeated during the Pwnium 3 event that was held alongside Pwn2Own. Announced by Google on January 28, 2013 the Pwnium 3 event carried a prize money of $3.14 million. Researchers were asked to carry out attacks against a base Samsung Series 5 chromebook running the latest stable version of Chrome OS. It turns out security researchers were not able to come up with winning exploits even after the competition's deadline was extended. Google Chrome Team has revealed that partial exploit entries have been filled in but, no other details have been released."
This discussion has been archived. No new comments can be posted.

Chrome OS Remains Undefeated At Pwnium 3

Comments Filter:
  • by Anonymous Coward

    The OS doesn't really do anything. It's a glorified web browser.

    I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

    • by DCstewieG ( 824956 ) on Friday March 08, 2013 @08:06PM (#43122845)

      You say that like it's a bad thing. A glorified web browser with incredible security is exactly what a good amount of people should be using. Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.

      I find it hard to believe (though it's getting easier) that even geeks who have trouble seeing the world outside their little techy bubble can complain about this. I've seen the idea of an internet "driver's license" come up on these boards but then something that protects people from themselves is shit all over. Well done.

      • Re: (Score:2, Insightful)

        by islisis ( 589694 )

        Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time. Combined with ideas of open access this is important issue; we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.

        • by dreamchaser ( 49529 ) on Friday March 08, 2013 @09:08PM (#43123259) Homepage Journal

          Typical geek-elitist drivel. For some (myself included) sure it's important to understand the nature of how computers do things. What you seem to fail to see, or are in denial about, is that computers have become ubiquitous appliances, and the average user doesn't give a shit about the 'nature of how we do these things.' They just want it to work.

          • by amiga3D ( 567632 ) on Friday March 08, 2013 @09:14PM (#43123287)

            Yes. Most people don't even have a clue how the light in their room comes on when they flip the switch and could care less about electricity as long as when they flip the switch the light comes on. Almost no one knows anything about internal combustion that drives a car daily they just know that when you turn the key it should start. The how and why is beyond them. Computers are even more complex to these people and it's crazy to think they'll ever know or care how they work.

            • by mwvdlee ( 775178 )

              Yet most people understand electicity well enough to not stick bits of wire in the lightbulb socket.
              Should people know what a CPU is? No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.

              • No, the average user should not have to understand what an administrative user is. No one outside of geekdom cares about different types of users. Compare it to a VCR, would you expect average users to log in as admin to. VCR? No. And computers are going the same route, thet are expected to just work, no fuss.

              • by BasilBrush ( 643681 ) on Saturday March 09, 2013 @08:21AM (#43125187)

                No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.

                No. That's like saying that anyone who needs to drive a car need to understand how the choke works. The choke. Remember that? Back in the 1980s and earlier when you learned to drive, you had to learn to use it to start your car when the engine was cold. It altered the fuel/air mix by means of a valve in the carburettor. Everyone had to know what you needed to do with the choke, but only a minority knew what it was doing inside the engine. It became automated and then obsoleted when fuel injection replaced carburettors. In the modern car, the computer (engine management system) performs the same action of making a richer air/fuel mix when the engine is cold. And very few people realise that's happening.

                That's the proper use of a computer in a consumer product. To reduce the amount of detail the user has to know about.

                Consumers should not be expected to know about types of users. Ideally they shouldn't need to know the concept of user accounts at. The computer should just know who's operating them, and what they should have access to in the same way that a human clerk would. For the moment that may require credentials (bank card/username and pin/password) but biometrics that are more secure than that are probably not so far away.

        • No-one's saying that all computers should be "content-sipping machines", just that such machines should be available to those who only ever sip content and want to remain absolutely clueless about how they work, rather than them get their shit exploited because they don't (and probably never will) know how to secure something themselves. "Proper" computers and operating systems should still be available to those of us who want them and can handle the responsibility.

        • Use the right tool for the right job you idiot.

        • by stretch0611 ( 603238 ) on Saturday March 09, 2013 @12:08AM (#43123983) Journal

          Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time.

          So my mother who does nothing but play games and email should have a general purpose computer because you think a device should do more than just suck content?

          we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.

          Yet you just said that everyone needs more than just content machines. My mom is aware of her needs, yet you want to force something more on her...

          I am a developer. Unlike the masses, I need a general purpose computer. There will always be a market for them no matter how much we flood the market will less versatile devices like tablets and smartphones (which is where I believe the market is heading.)

          For personal use, many people do not need a full computer, lets give them something simpler that better fits their needs. Even some business purposes can be done on a tablet now. Why should we force them to buy something more?

          25 years ago would you have suggested that we all continue to use dumb terminals hooked up to mainframes? The modern computer decimated the market for mainframes, supercomputers, and minicomputers. Today, the market share of these large and powerful machines is significantly diminished, yet they still exist for the people have a need for them that a normal computer can not fulfill.

          Plain and simple, not everyone needs a "computer" just because you think that they do. There will be a need for them and computers will not go extinct, but fewer and fewer people (as a percentage) will have that need and smaller devices will displace computers in the market.

        • The problem is 'computers' are far too complex devices for the average end user, it is irresponsible to let most people connect such a complex device to a public resource when they have no idea how it works.
          Content-sipping machines managed by a third party are what the average user should have, 'computers' should be reserved for geeks who understand how to use them.

          • by Nimey ( 114278 )

            The trouble with that attitude is that, taken to its logical conclusion, you'll end up with a permanent underclass of users who'll never know how to operate a Real Computer because they will never be exposed to one.

            • by Bert64 ( 520050 )

              Just like you have a permanent underclass of people who don't know how to service cars, or build houses, or etc etc.
              Back in the days this "underclass" as you call it simply didn't use computers at all.

              Kids can be exposed to proper computers in school, and decide for themselves if they want to learn anything about them or not. There will always be a few geeks who actually are interested.

        • Maybe because some of us are still proponents of 'computers', not content-sipping machines.

          Well, there's always the programmer switch on the devices; however, I have to say I know some Russian and Chinese hackers who really, really like everyone having general purpose computers with poor security so they can run their botnets.

        • We can do what we want, but other people do not have those needs or desires.

          Most people only want to consume content. If they have a machine for that which is less likely to be taken over and used in botnets etc, the better for the rest of us. That sort of end user cannot be improved, but they can be sold equipment which suits them.

      • by kangsterizer ( 1698322 ) on Friday March 08, 2013 @09:12PM (#43123275)

        I think what's important to note is that "nobody" uses ChromeOS. This means "nobody" researches bugs for it very hard (even thus its relatively well secured, actually).
        All that too say, "nobody pwned haiku either"

        • by Bert64 ( 520050 )

          ChromeOS shares enough similarities with Linux and the Chrome browser that people will already have a decent level of familiarity with it... And $3.14 million is a pretty decent incentive to try.

        • "Nobody" uses ChromeOS? Perhaps this [zdnet.com] will make you should rethink your conclusion...
          • Right, because that story wasn't completely full of out of context bullshit that made it look like it was far more impressive than it was, when in reality it wasn't even a little bit.

            Combined Chromebook sales beat sales of SOME single models of other laptops ... of course those other models where in a completely different class and price range, but you know, totally truthful article!

      • I thought that's what iPads were for!

      • You'll change your tune as soon as your (insert relative or friend here) asks you how to play (insert hot new videogame here) on their Chromebook. What will your advice be - 'Buy an XBox'?

        People wanna do stuff on their computers, even the dumb ones...

      • Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.

        "Announcing... the Facebookbook!"

      • The point is that, because everything of value is in the web server, on such a machine there is no need for a full client compromise. On my laptop, a web site needs an arbitrary code execution vulnerability and possibly a privilege escalation vulnerability to be able to compromise most of my data. On ChromeOS, it just needs a cross-site scripting vulnerability.
      • Once more than 3 people use Chrome OS it'll be hacked.
    • by chill ( 34294 ) on Friday March 08, 2013 @08:15PM (#43122911) Journal

      Considering how fast the various web browsers fall, it *is* impressive. Chrome OS machines are wonderful for giving to clueless relatives who just browse the web.

      • by Nimey ( 114278 ) on Friday March 08, 2013 @09:02PM (#43123223) Homepage Journal

        Gods yes. My father's Chromebook has probably saved him its price already in visits to the computer shop to get viruses removed.

      • You do realize that they all have large teams of people working on this for a YEAR before the competition come right? Not exactly "fast".

      • by mianne ( 965568 )

        Chrome OS seems geared to those same folks who'd otherwise install trojans, spyware, etc. for the sake of getting an animated cat to chase their cursor. So these users are protected from themselves in not directly hosing their OS from sheer ignorance, and the geeks who purchased these systems might now be lulled into complacency in knowing that they aren't likely to need to LLF the drive and then explain to their relatives where all their funny pictures went...

        The problem I foresee is that a user of Chrome

    • The OS doesn't really do anything. It's a glorified web browser.

      I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

      It is a bit more interesting because Chrome, the browser, was among the fallen on Windows(not sure if they tested it on OSX).

      ChromeOS is, indeed, mostly web browser sitting on top of a sparse-but-nowhere-near-as-weird-as-android linux distribution(Incidentally, might Google be the one to follow through on Mark Andresson's 1995 threat concerning reducing the OS to a collection of poorly debugged device drivers, albeit not the OS he was talking about?); but it wouldn't have struck me as obvious that it would

      • Well, there's the fact that Chrome only exists (officially) on devices built for/released with it. I'd wager that vulnerabilities would skyrocket if Chrome were turned into a real distro that could run on any hardware, because that would open the door to closed drivers, third-party repositories, etc, etc.

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Friday March 08, 2013 @09:15PM (#43123291)
      Comment removed based on user account deletion
      • by gman003 ( 1693318 ) on Friday March 08, 2013 @11:21PM (#43123827)

        The difference is that Chrome OS is a consumer-grade "thin client". It is aimed mainly at home and educational use, not the big corporate or government use most other thin clients aim for.

        As such, yes, it makes sense to compare it to other consumer-grade operating systems. The results won't be quite comparable, as many duties normally handled by the OS are done remotely, in "the cloud", but it's still a worthwhile comparison.

      • do they include other thin clients?

        Such as?

        CromeOS is on laptops that ordinary people can walk in, pick up from store shelves, buy and use right now. Of course it should be compared to Windows and OSX - it's competing with them. And those ordinary people want to know if it's a better choice for their purposes.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Look under the hood. Chrome OS is just as capable of running X11 apps as your off the shelf distro. Granted, it's not designed to so it's difficult to make it do so, damn near impossible (as seen in article) without switching developer mode on.

        But, switch developer mode on, turn off rootfs verification, remount as RW, and dump binaries on that it'll happily run. I don't typically categorize thin clients as a system running GNU/Linux w/ X11 support.

        I think the ace in the hole for ChromeOS security is that

      • That is why I don't understand why its included....do they include other thin clients?

        I think you're confusing Pwnium with Pwn2own. Chrome OS was the only thing in the former. The latter did not include any thin clients, just Chrome on Windows, which failed along with every other browser offered for testing on Windows.

    • It seems that ChromeOS is based on hardened gentoo (clues can be found here https://sites.google.com/site/chromeoswikisite/home/what-s-new-in-dev-and-beta/shell-acess-with-verified-boot [google.com]), and hardened gentoo is.... hard (grsec + pax + some kind of MAC mechanism). And while I agree that ChromeOS is very basic, just a browser on top of it. But all other browsers were successfully attacked, it means that the OS has protected the browser.

    • I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

      At the Pwn2Own 2008 contest Ubuntu was undefeated, and it was thew first and last time a Linux based OS was present at the contest. Well, if you don't include Android and Chrome OS.

  • I mean Does chrome OS runs /have anything of value at all? all the data is kept on the server side. Most of the processing happens through browser. so if session is closed there is nothing of value left on the machine unless you re-login. Is that correct?
    • by ThorGod ( 456163 )

      I played with one at Best Buy a couple days ago. I think it comes down to this: Whatever you can do in Chrome (the browser) you can do on that machine.

      There are "links" on the tab bar that function as shortcuts to places like gmail, google docs, and whatever. I think they just open up a browser window or tab to that respective place, though.

      • by SpectreBlofeld ( 886224 ) on Friday March 08, 2013 @08:03PM (#43122815)

        To anyone who wants to play around with it: there are Chromium OS VM builds out there you can play with in VMWare or Virtualbox (legal, it's all opensource).

        I tried it out a few weeks ago. It really *is* just a web browser. I have trouble understanding why someone would spent $1300 for a Pixel unless they planned to install a real OS on it. Yeah, I get that the display is nice, but for that kind of money I should be able to... I dunno... maybe run the aforementioned VMWare, like I do now on the $599 laptop I virtualized Chrome (and Win7 and PC-BSD) on. And played Portal on, etc.

        • I think that the thought is that with the addition of NaCl apps, WebGL, and WebRTC on a fast enough machine, that you can have most of those apps in a sandboxed environment. And there is merit to that... considering how many people now use their tablet as their primary device.. I agree the price point is way off.. given the touch display, they could have a reduced CPU, and it might be enticing in the $800 price range.. but at $1300, I'd rather have a Macbook.
          • by dgatwood ( 11270 )

            I think that the thought is that with the addition of NaCl apps, WebGL, and WebRTC on a fast enough machine, that you can have most of those apps in a sandboxed environment. And there is merit to that... considering how many people now use their tablet as their primary device.

            Not really. I'm pretty sure there's a graveyard somewhere with the bones of all the companies who thought a browser would make a perfectly good OS and did not realize their mistake in time.

            Odds are good that Chrome OS will fail to gai

            • by Bert64 ( 520050 )

              For a lot of people, the interfaces they use on a daily basis have already been written in HTML and CSS...
              I know many people who use a computer for:

              email (webmail)
              facebook
              twitter
              occasional searches for information via google
              im (usually the one provided by facebook)
              porn

              All of these are usable via chromeos right now, and enable someone to just get on with it without having to worry about malware or keeping their os up to date (or even caring what an os is).

            • Things that take fifteen seconds in Interface Builder can take hours or even days to do correctly with HTML/CSS, assuming you're designing to accommodate variably sized browser windows.

              Not really a fair comparison, considering that there are no authoring tools worth mentioning for HTML5/CCS. Or, to rephrase that: would it still take 15 seconds to do the same things if you'd have to code everything yourself?

              RT.

              • by dgatwood ( 11270 )

                I'm pretty sure it would take less time to programmatically build an Objective-C UI than it does to do HTML/CSS, too, though I'll admit I haven't done much of that. HTML/CSS has more moving parts, but not the right moving parts for building user interfaces.

                With a Cocoa or UIKit UI, you get to define how objects stretch, how they are aligned, etc. Everything is designed under the assumption that element size can change, and the layout must do something sensible.

                With HTML/CSS, in contrast, you have to eith

                • by dgatwood ( 11270 )

                  Err... a few months ago. This is what happens when you say "couple of" and then decide that five or six months stretches the meaning of that phrase a bit too much. *sigh*

                • Chrome also supports NaCl (Native Client; C/C++) based applications, which are well sandboxed, and can have more comprehensive UI interactions. It doesn't *have* to be HTML based... I wouldn't be surprised to see Go as a supported language for NaCl SDK in the near future.
        • You could build a really nice server with the $1,100 left over after buying a $199 Acer Chromebook. A Pixel in this paradigm is the dick to the balls.

        • I tried it out a few weeks ago. It really *is* just a web browser. I have trouble understanding why someone would spent $1300 for a Pixel unless they planned to install a real OS on it.

          The price of the Chrome Pixel is minus $500 for some people (that's right, it's a negative number for some).

          The people that are already paying $1,800 every three years for Google cloud storage get that three year subscription for free if they buy a Pixel at $1,300. Essentially, the Pixel is a loss leader for CEOs, or CTO, or the tech manager making the purchase decisions. Personally, I don't know anyone else who would use so much cloud storage in the first place except businesses. I suppose they're probably

    • by Kenja ( 541830 )
      In this case, the target was a Samsung Series 5 Chromebook which has 16GB of local storage. In theory, you could in theory get it to run code that could return data to you. However since the OS itself doesn't really run any services to exploit, you would have to do it via the browser.

      Previous pwn2own contests have required someone on the notebook to open a URL emailed to them in order to initiate the attack. It is unclear form this article what the rules where in this case.
    • by Bert64 ( 520050 )

      The keyboard, which you could log if you compromised the host.

  • Have zero surface! (Apologies for the redundancy.. OS that does nothing jokes have already been cracked.. couldn't resist adding my own :P)
  • by gweihir ( 88907 ) on Friday March 08, 2013 @07:45PM (#43122699)

    It only means that Chrome OS is not too badly engineered. As Chrome OS is pretty new, the number of people that had an in-depth look will be smaller. As it is quite a bit different from other OSes and offers a lot less functionality on the application side, other approaches may be required to crack it.

    One could object to that that the kernel is still Linux. True, but the Linux kernel is one tough nut to crack. Even local exploits are in the vast majority not kernel-based, but some application messing up. If they are kernel based, it is typically a specific driver. I do not remember any remote exploits for the kernel at all in the last few years, except one in an exotic network protocol, and Chrome OS has no reason to enable anything in that class.

    So while this is a good initial result, do not overvalue it. It is possible that Chrome OS gets broken in the next few years when people get more experience with it. Die to its limited functionality, it is also possible that it will remain very hard to break into or that nobody manages it. Personally, I would welcome a main-stream secure browsing solution establishing itself, but remember that you cannot do most things with Chrome OS that you can do with other OSes.

  • Or at least the Chrome OS developers could give the Android developers a few pointers...

    http://tech.fortune.cnn.com/2013/03/07/apple-android-malware/ [cnn.com]

  • It's an "OS" (Score:2, Informative)

    by Anonymous Coward

    Chrome OS is more barebones than my phone.

  • I wonder what will happen in another 15 years. When the "win95 generation" moves in to upper management and the "relatively virus free win7/osx generation" starts designing and managing their own pay-software.

    The current crop of software devs dealt with stuxnet, *worm and all that other crap. They probably dealt with it on their parent's computers, their grand parents and neighbors. Designing secure, web connected software is in their interests.

    Will the next generation of developers who ente

    • by tibman ( 623933 )

      I think the kids going through middle school now will be fine. When i was a kid there was no such thing as malware or fishing. It was worms and viruses. Spam was so rare that filters didn't exist. We didn't have wifi and didn't have to worry about wardrivers. The internet wasn't something you could carry in your pocket. We didn't have social media, we had Geocities.

      I agree with you that their concerns will be different. But i don't think it will lead to completely insecure programming.

  • by 140Mandak262Jamuna ( 970587 ) on Friday March 08, 2013 @10:46PM (#43123723) Journal
    Quick review: When there is a network connection, it is a solid browser. It synched with my Chrome browser customizations from my previous use of chrome using windows or linux boxes. Including flashblock and adblock.

    But what about off line? Google docs off line lets you edit documents and presentations off line. They sync when you get the connection. When it first came it had no off line edits. Then they have introduced doc and presentations. Spreadsheets would be next I guess. Or may be not. Gmail offline can be customized to keep last so many days worth of email in the local cache. Google calender works off line, ( I think, need to go back and check.).

    Off line music player works, off line video play back works. Source of the media could be the internal drive or any USB drive, including the USB powered hard disks. Kindle off line reader works, three books cached very quickly. Apps exist like "Read this link later" that works off line.

    So off line, you can watch video, listen to music, read books, cached web pages. You will have read/access to all the google drive docs. And write access to docs and presentations. I think for 200$ it is way more than what I expected.

    • by ThorGod ( 456163 )

      Wow, thank you for your review. You successfully explained what it's like to own. Sounds like a good box for entertainment.

    • I thought I added some minor points yesterday. It is missing. May be posted to some wrong thread.

      Boots very fast, less than 20 sec. Sleeps / wakes up instantly. Battery lasted three hours. No click buttons or scroll bars in the touch mouse pad. Two finger touch and click is "right click". Two finger click and one finger move is click-and-drag. Two finger swipe is scroll. What does one finger swipe do? Highlight maybe. Not sure. Functions keys to cycle through browser windows, full screen/part screen, back

  • Prehacked (Score:4, Insightful)

    by Frankie70 ( 803801 ) on Friday March 08, 2013 @11:36PM (#43123873)

    Chrome OS is prehacked. It comes installed with a trojan/bot which collects all your information and sends it to Google.

  • I read the title as "Chrome OS Remains Undefeated On A Pentium 3".

    That would have been more interesting!

  • by daboochmeister ( 914039 ) <`moc.liamg' `ta' `retsiemhcoobad'> on Saturday March 09, 2013 @12:05AM (#43123971)
    A major theme here is "it doesn't run many apps, that's why it's secure". Yeah, that must be it - it probably has absolutely nothing to do with the way they've implemented Mandatory Access Controls in a rigorous fashion, and the way they isolate resources with heavy use of cgroups, and the read-only root filesystem and tmpfs /tmp, and how they've made every binary use ASLR and NX and DEP, and how they've rewritten several major typically-vulnerable daemons to not run as root, and how they've developed userland daemons to broker access to hardware, and how they don't allow any files in user home dirs to be executables, or how they've started to sandbox device drivers, or the way they implemented separate processing stacks for HTTP and HTTPS, or how they verify not just the boot record but the whole boot stack and partition table and nv ram on every boot and and and ...

    Yeah, all those things probably don't matter. They probably don't play any role in exploits that work on Windows-based Chrome failing on Chrome OS. It's not more inherently secure than any other OS, riiiggghhhhhttttt ...
    • by ThorGod ( 456163 )

      Well, it's a question of "what the end user sees". So far it boils down to:

      -Everything your browser can do (while connected to the web).
      -Ability to play media online and offline (from another commenter).
      -Very strong system security.

      The /. crowd have a problem because they can't fire up actual applications or games like Quake 4 - I'm guessing.

    • by equex ( 747231 )
      if there was a +6...
    • I think the main theme is that it only appears secure since the teams that tried to hack Chrome OS hasn't really had as much time to work on exploits. Compare this to Pwn2Own where they have a year (or even years) to find and torture their targets. Also the recent initiative to run an office suite as a native app within the ChromeOS browser is a very attractive target for an exploit, and I'm sure people will concentrate their efforts on testing the mechanisms that will eventually allow that to work in the r
  • So Chrome will show my what Google wants me to see much faster than Firefox will show me what I want to see.

  • by smash ( 1351 ) on Saturday March 09, 2013 @04:17AM (#43124635) Homepage Journal
    .... did they hold the competition at the same time as pwn2own to ensure that the people who may be able to break it were otherwise engaged at a different event?
  • Let's see how well Chrome OS does next year after it's been released to the public for a while.

No spitting on the Bus! Thank you, The Mgt.

Working...