Pwn2Own 2010: interview with Charlie Miller

by Matteo Campofiorito

written on

Pwn2Own is a well-known contest held at the CanSecWest conference. Every year it offers large rewards to researchers who find exploitable bugs in popular browsers and operating systems, and also in mobile devices such as the iPhone. For the past two years the Pwn2Own champion has been Charlie Miller (0xcharlie on Twitter), one of the most famous bug hunters and security experts in the world.

Pwn2Own 2010 will be held over the course of three days starting on March 24th, so we decided to interview Charlie Miller (Italian version here). Here are his answers:

You won the Pwn2Own contest two years running by hacking Safari on Mac OS X. Will Safari and the Mac be your targets for the Pwn2Own 2010 contest as well?

Everything is my target at this point. I’d love to hack one of the mobile devices, but will probably end up on Safari again. I was the first to hack the iPhone and an Android device in the past, so I am comfortable with those two platforms, but it’s harder to exploit them. This year only one person can win per target, so my biggest obstacle will be making sure nobody beats me to the punch.

Windows 7 or Snow Leopard: which of these two commercial OSes will be harder to hack, and why?

Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser on Windows.
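The answer above treats ASLR and DEP as the properties that make a Windows target harder. On Windows both are per-image opt-ins recorded in the PE header: the DYNAMIC_BASE and NX_COMPAT bits of the optional header's DllCharacteristics field, plus the condition that the image still carries relocations, since the loader cannot randomise the base of an image it cannot relocate. The following is an added example, not code from the interview or from any of the products it names: a small header parser that reports which mitigations an image opts into, together with a helper that constructs minimal PE headers so the check can be exercised offline. Flag values are the ones from the PE/COFF specification; the constructed headers and the function names are this example's own.

```python
import struct

# DllCharacteristics flags (optional header, offset 70) from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR; introduced after the 2010 contest
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased: the ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image declares itself DEP-compatible
# COFF file header Characteristics flag.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # no relocation data: the image cannot be rebased


def pe_mitigations(image: bytes) -> dict:
    """Read the ASLR/DEP opt-in flags from the headers of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise an image it is able to relocate.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_header(dll_chars: int, file_chars: int = 0x0102, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections), just enough for pe_mitigations() to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy": build_header(0),
        # Claims ASLR but has relocations stripped: the loader will not actually rebase it.
        "relocs_stripped": build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                        file_chars=0x0102 | IMAGE_FILE_RELOCS_STRIPPED),
    }
    for name, img in samples.items():
        print(name, pe_mitigations(img))
```

The per-image flags are what a build audit can check, but they are only half of the story: the system policy decides how they are honoured (a DEP policy of AlwaysOn enforces DEP regardless of NX_COMPAT, for instance), and a single non-ASLR module loaded into an otherwise randomised process is enough to give an attacker a fixed address, which is why the "full ASLR" in the answer above matters as much as the flags on any one binary.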

In Pwn2Own 2010 there is still no trace of Linux as a possible target. Is it too hard to find exploits for Linux, or is a non-commercial operating system of no interest to exploit hunters?

No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. The organizers don’t choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.

What is your opinion of Chrome OS? Is it a really secure OS, or could it be an easy target in the near future?

I don’t know enough about it to comment.

In your opinion, which is the safest OS and browser combination to use?

That’s a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!

On the mobile side of Pwn2Own 2010, the big targets will be the iPhone 3GS/iPhone OS and Android/Motorola Droid. Which one will be more easily exploitable?

They’re both pretty secure. I’d guess the iPhone because it’s been around a little longer and there has been more research done on it. So, it’s not that it’s necessarily less secure, it’s just that researchers understand how it works better.

Next year, one possible target could be Windows Phone 7. What do you think about this prediction?

I hope so. I really like the Pwn2Own contest and I think it’s great how it rewards researchers and gets vulnerabilities in products fixed that otherwise would put users at risk.

The game console world is big business and game consoles are in our living rooms, but still few exploits and vulnerabilities are discovered. Why do only a few well-known security researchers (for example George Hotz) work on exploiting consoles?

Even though there are lots of game consoles, there are way more computers, for example. Also, game consoles don’t HAVE to connect to the Internet. I’ve had a Wii for a year or so and it’s never been on the Internet. It’s hard to remotely attack the box when you can’t get packets to it 🙂 Also, computers, and phones to a lesser extent, are designed to be customized, to download and use/render content from the Internet. This is where vulnerabilities exist and exploits are created. Game consoles don’t do this as much so the attack surface is much smaller. The final reason is that it is hard to do research on them. It’s not easy to get a debugger running on an Xbox, for example.

Last but not least, can you say something about your toolbox? Which software do you use for discovering vulnerabilities?

Check out The Mac Hacker’s Handbook, most of my secrets are in there. But basically, I use a combination of static and dynamic techniques. I use IDA Pro for reverse engineering and a custom private fuzzing framework I’ve written called Tiamat, and lots of patience and hard work. There is nothing I do that 1000 other people in the world couldn’t do if they felt like it. It’s still relatively easy to find and exploit these platforms.
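The dynamic side of the toolbox described above is fuzzing: feeding a parser mutated versions of valid input and watching for behaviour it was never meant to exhibit. The example below is added here and is not code from Charlie Miller, from Tiamat or from the interview; it is the kind of small mutation harness a development team runs against its own parser before release. The record format, the toy parser and its bug are all constructed for the example. The point it makes is the one that makes a harness useful: an input the parser rejects with its documented error is not a finding, while any other exception is, because that is where an unchecked assumption lives. The harness runs an AFL-style deterministic stage first (every byte value at every position, then truncations) so that shallow bugs are found reproducibly, and only then a seeded random stage.

```python
import itertools
import random


class ParseError(Exception):
    """The only exception parse_record() is documented to raise."""


def parse_record(data: bytes) -> dict:
    """Constructed toy parser for records of the form <len:1><payload:len><checksum:1>.

    It carries a deliberate robustness bug for the harness to find: the length
    byte is trusted, so a length larger than the buffer raises IndexError
    instead of a clean ParseError.
    """
    if len(data) < 2:
        raise ParseError("too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]               # BUG: no bounds check before indexing
    if sum(payload) & 0xFF != checksum:
        raise ParseError("bad checksum")
    return {"payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, with the length validated before any indexing."""
    if len(data) < 2:
        raise ParseError("too short")
    n = data[0]
    if len(data) < 2 + n:
        raise ParseError("declared length exceeds buffer")
    payload = data[1:1 + n]
    if sum(payload) & 0xFF != data[1 + n]:
        raise ParseError("bad checksum")
    return {"payload": payload}


def deterministic_mutations(seed: bytes):
    """Stage 1: every byte value at every position, then every truncation."""
    for pos in range(len(seed)):
        for value in range(256):
            if value == seed[pos]:
                continue
            yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]


def random_mutations(seed: bytes, rng: random.Random, count: int):
    """Stage 2: a few random overwrite/insert/delete operations per case."""
    for _ in range(count):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op = rng.randrange(3)
            if op == 0 and data:
                data[rng.randrange(len(data))] = rng.randrange(256)
            elif op == 1:
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
            elif op == 2 and len(data) > 1:
                del data[rng.randrange(len(data))]
        yield bytes(data)


def fuzz(target, seed: bytes, expected=(ParseError,), random_cases: int = 2000, rng_seed: int = 0):
    """Return (input, exception) for the first crash, or None if nothing crashed.

    A "crash" is any exception outside the parser's documented error type;
    documented rejections are simply counted as the parser doing its job.
    """
    cases = itertools.chain(deterministic_mutations(seed),
                            random_mutations(seed, random.Random(rng_seed), random_cases))
    for case in cases:
        try:
            target(case)
        except expected:
            continue                     # expected rejection, not a finding
        except Exception as exc:         # anything else is a robustness bug
            return case, exc
    return None


if __name__ == "__main__":
    seed = b"\x03abc\x26"                # constructed valid record: len 3, "abc", checksum 0x26
    print("buggy parser :", fuzz(parse_record, seed))
    print("fixed parser :", fuzz(parse_record_fixed, seed))
```

The deterministic stage finds the bug on the first position it mutates: raising the length byte from 3 to 4 makes the parser index one byte past the end of the record. Against the fixed parser the same harness exhausts both stages without a finding, which is the regression check worth keeping in a test suite once the bug is closed.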