
Google Ups Its Linux Security Awards

Google is expanding its Kubernetes-based Capture-the-Flag (kCTF) project and kCTF Vulnerability Rewards Program (VRP) to pay more attention to hunting down Linux kernel bugs.
Aug 15th, 2022 6:33am by
Featured image by FLY:D on Unsplash.

How did they get from Kubernetes to Linux? It was the next logical move. Via kCTF, researchers could use Google Kubernetes Engine (GKE) instances. If they could hack it successfully, they got a flag, and potentially some cash. All the way back in 1995, the Mozilla Foundation was the first organization to offer bug bounties. Now, everyone who’s anyone offers them. Google, which uses Linux in pretty much everything, is expanding its Kubernetes-based Capture-the-Flag (kCTF) project and kCTF Vulnerability Rewards Program (VRP) to pay more attention to hunting down Linux kernel bugs.

Whoops!

Linux Kernel Hacker Community

In particular, the discovered bugs tended to be heap memory corruption vulnerabilities. Google’s plan had been to build a Linux kernel hacker community. Mission accomplished!

Moving forward, Google is extending the kCTF VRP with bigger rewards until Dec. 31, 2022. These awards now pay from $20,000 to $91,337 for vulnerabilities on Google’s lab kCTF deployment. This is in addition to Google’s existing Bug Hunter patch rewards.

Mitigations

To help swat Linux kernel security bugs, Google is also launching new instances with additional rewards. In these instances, research hackers will check out the latest Linux kernel stable image as well as new experimental mitigations in a custom Google kernel. In other words, rather than simply investigating the stable Linux kernels, the hackers will also be checking out Google’s own latest and more experimental Linux security mitigations.

Specifically, Google is checking out mitigations that should — should — make it harder to exploit recently discovered vulnerabilities. If you’re successful in breaking out through these new Linux kernel fixes, Google will pay you a cool, additional $21,000.

These Linux kernel hardening mitigations are designed to block attacks on the following exploit primitives:

Get the Money

For attacks that compromise Google’s custom Linux kernel with its experimental mitigations, the reward will be another $21,000. For this, you must clearly bypass the test mitigations. Altogether you can make as much as $133,337.

The immediate goal is to create a pipeline to analyze, experiment, measure, and build Linux kernel security mitigations. Eventually, the hope is to make exploiting Linux kernel vulnerabilities as hard as possible.

As for me? For this kind of money, it’s time to bring out my Linux static analysis tools and see if I can find any clues to getting some of those sweet, sweet bug bounty bucks.
