Google Ups Its Linux Security Awards

Google is expanding its Kubernetes-based Capture-the-Flag (kCTF) project and kCTF Vulnerability Rewards Program (VRP) to pay more attention to hunting down Linux kernel bugs.

Aug 15th, 2022 6:33am by Steven J. Vaughan-Nichols

Featued image for: Google Ups Its Linux Security Awards

Featured image by FLY:D on Unsplash.

How did they get from Kubernetes to Linux? It was the next logical move. Via kCTF, researchers could use Google Kubernetes Engine (GKE) instances. If they could hack it successfully, they got a flag, and potentially some cash. But, while all way back in 1995, the Mozilla Foundation was the first organization to offer bug bounties. Now, everyone’s who anyone offers them. Google, which uses Linux in pretty much everything, is expanding its Kubernetes-based Capture-the-Flag (kCTF) project and kCTF Vulnerability Rewards Program (VRP) to pay more attention to hunting down Linux kernel bugs.

Whoops!

Linux Kernel Hacker Community

In particular, the discovered bugs tended to be heap memory corruption vulnerabilities Google’s plan had been to build a Linux kernel hacker community. Mission accomplished!

Moving forward, Google is extending the kCTF VRP with bigger rewards until Dec. 31, 2022. These awards now pay from $20,000 to $91,337 for vulnerabilities on Google’s lab kCTF deployment. This is in addition to Google’s existing Bug Hunter patch rewards.

Mitigations

To help swat Linux kernel security bugs, Google is also launching new instances with additional rewards. In these instances, research hackers will check out the latest Linux kernel stable image as well as new experimental mitigations in a custom Google kernel. In other words, rather than simply investigating the stable Linux kernels, the hackers will also be checking out Google’s own latest and more experimental Linux security mitigations.

Specifically, Google is checking out mitigations that should — should — make it harder to exploit recently discovered vulnerabilities. If you’re successful, in breaking out through these new Linux kernel fixes, Google will pay you a cool, additional $21,000.

These Linux kernel hardening mitigations are designed to block attacks on the following exploit primitives:

Out-of-bounds write on the slab memory management mechanism.
Cross-cache attacks
Elastic objects
Freelist corruption

Get the Money

For attacks, which compromise Google’s custom Linux kernel with its experimental mitigations, the reward will be another $21,000. For this, you must clearly bypass the test mitigations. Altogether you can make as much as $133,337.

The immediate goal is to create a pipeline to analyze, experiment, measure, and build Linux kernel security mitigations. Eventually, the hope is to make exploiting Linux kernel vulnerabilities as hard as possible.

As for me? For this kind of money, it’s time to bring out my Linux static analysis tools and see if I can find any clues to getting some of those sweet, sweet bug bounty bucks.

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.