.. _contest_archive:

.. include:: /migration/deprecation.inc

########################
Security Contest Archive
########################

.. contents::
  :local:
  :backlinks: none
  :depth: 2

The Native Client team at Google has gone to exceptional measures to
make Native Client a secure system, including holding a public
security contest. This page archives information from that contest,
including the list of contest winners and the lineup of security
experts who served as judges.

Although the security contest has ended, the Native Client team
welcomes your continued involvement in the project. You can help by
submitting bugs and participating in the Native Client discussion
group.

Contest overview
================

The Native Client team held a contest in 2009 to test the security of
Native Client and help make the system more secure. Participants were
invited to discover security bugs in Native Client technology in order
to compete for cash prizes.

Here was the challenge put forth by the Native Client team:

  Do you think it is impossible to safely run untrusted x86 code on
  the web? Do you want a chance to impress a panel of some of the top
  security experts in the world? Then submit an exploit to the Native
  Client Security contest and you could also win cash prizes, not to
  mention bragging rights.

The contest judges evaluated exploits designed to defeat Native Client
security measures based on severity, scope, reliability, and
style. The winning teams and entries are listed below.

.. _contest_winners:

Contest winners
===============

The Native Client team thanks everyone who participated in the contest
for their contributions to improving the quality and security of the
Native Client system. The judges reviewed the submitted exploits and
identified the following teams as winners:

.. list-table::

   * - .. image:: /images/medal-64_1st.png
          :alt: First place medal

     - **Team**: Beached As

       **Members**: Mark Dowd, Ben Hawkes

       **Submitted issues**: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63

       Mark Dowd and Ben Hawkes are application security specialists
       hailing from Australia and New Zealand, respectively. Mark
       works for IBM ISS X-Force R&D, whereas Ben currently performs
       independent research while simultaneously pursuing a
       mathematics and computing science degree. Both have uncovered
       major security flaws in ubiquitous Internet software, in terms
       of both exploitable bugs and weaknesses in system protection
       mechanisms. Both have spoken at numerous security conferences
       in recent years, including BlackHat, Ruxcon, KiwiCon, and
       Cansec West.

   * - .. image:: /images/medal-64_2nd.png
          :alt: Second place medal

     - **Team**: CJETM

       **Members**: Jason Carpenter, Eric Monti, Chris Rohlf

       **Submitted issues**: 42, 44, 49, 70

       Team CJETM is comprised of security vulnerability researchers
       Chris Rohlf, Jason Carpenter and Eric Monti. All three have
       abused software professionally for a long time.

   * - .. image:: /images/medal-64_3rd.png
          :alt: Third place medal

     - **Team**: 0xdead

       **Members**: Gabriel Campana

       **Submitted issues**: 45

       Gabriel Campana is a security researcher working at Sogeti ESEC
       R&D labs. His research interests are mainly focused on
       vulnerability research, exploitation methods, and Linux kernel
       security. Lately he has been working on automated vulnerability
       research, especially fuzzing. In his spare time, he plays with
       embedded network devices.

   * - .. image:: /images/medal-64_4th.png
          :alt: Fourth place medal

       (tie)

     - **Team**: teamfkmr

       **Members**: Daiki Fukumori

       **Submitted issues**: 66, 67

       Daiki Fukumori is a web security researcher. He has given talks
       at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced
       Native Client security at Shibuya.pm. He currently has an
       interest in cloud security.

   * - .. image:: /images/medal-64_4th.png
          :alt: Fourth place medal

       (tie)

     - **Team**: Alex Rad

       **Members**: Alex Radocea

       **Submitted issues**: 81

       Alex Radocea is a 20-year old student at Rensselaer Polytechnic
       Institute. In the realm of computer security he is really
       excited about proactively designed technology which can help
       wipe out entire bug classes. Currently he is helping improve
       Native Client through Google Summer of Code.

.. _contest_judges:

Panel of judges
===============

Google recruited the following group of distinguished security experts
to serve as judges for the Native Client security contest:

Chair
-----

+----------------------------------------+
| Edward Felten                          |
+----------------------------------------+
| Princeton University                   |
+----------------------------------------+
| http://www.cs.princeton.edu/~felten/   |
+----------------------------------------+

Judges
------

.. list-table::

   * - Alex Halderman
     - Niels Provos
     - Bennet Yee

   * - University of Michigan
     - Google
     - Google

   * - http://www.cse.umich.edu/~jhalderm/
     - http://www.citi.umich.edu/u/provos/
     - http://www.bennetyee.org/

   * - Brad Karp
     - Stefan Savage
     - Nickolai Zeldovich

   * - University of College London
     - University of California San Diego
     - MIT

   * - http://www.cs.ucl.ac.uk/staff/B.Karp/
     - http://www.cs.ucsd.edu/~savage
     - http://people.csail.mit.edu/nickolai/

   * - Greg Morrisett
     - Dan Wallach
     - .. raw:: html

         &nbsp;

   * - Harvard University
     - Rice University
     - .. raw:: html

         &nbsp;

   * - http://www.eecs.harvard.edu/~greg/
     - http://www.cs.rice.edu/~dwallach/
     - .. raw:: html

         &nbsp;


Additional information
======================

For additional information about the Native Client security contest,
see the archived
:doc:`Contest Announcement <contest-announcement>`,
:doc:`FAQ <contest-faq>` and
:doc:`Terms & Conditions <contest-terms>`.

If you'd like to get involved with Native Client, you can:

* Use the `Native Client SDK </native-client/sdk/download>`_ to build Native
  Client web applications.
* Submit `bugs <http://code.google.com/p/nativeclient/issues/list>`_
  and participate in the Native Client
  `discussion group <http://groups.google.com/group/native-client-discuss>`_.
* Contribute to the
  `Native Client open-source project <http://code.google.com/p/nativeclient/>`_.