Google Opens $250K Bug Bounty Contest for VM Hypervisor
If security researchers can execute a guest-to-host attack using a zero-day vulnerability in the KVM open source hypervisor, Google will make it worth their while.
To encourage people to find security holes in the open source Kernel-based Virtual Machine (KVM) hypervisor, Google has launched a vulnerability reward program (VRP), where the top prize is up to a quarter of a million dollars. The VRP is set up as a capture-the-flag contest where the tester logs in as a guest and attempts to find a zero-day vulnerability in the KVM host kernel.
KVM is an open source project, to which Google is an active contributor, that has been included in mainline Linux since 2007. It allows Intel- or AMD-powered devices to run multiple virtual machines (VMs) with hardware emulation that can be customized to support multiple legacy operating systems. Google uses it in its Android and Google Cloud platforms, which is why it has a vested interest in keeping it secure.
First announced last October, the "kvmCTF" contest officially kicked off on June 27. Participants reserve time slots (in UTC format) to log into the guest VM running on a bare metal host, then attempt a guest-to-host attack.
"The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel," Google's launch post for the contest stated. Toward that end, vulnerabilities that start in the QEMU emulator or that rely on host-to-KVM techniques are not covered in the contest. The full rules spell out the entire process, from how to download the necessary files to how to properly prove a successful exploit.
This list of rewards appeared on the June 27 Google Security blog entry:
Full VM escape: $250,000
Arbitrary memory write: $100,000
Arbitrary memory read: $50,000
Relative memory write: $50,000
Denial of service: $20,000
Relative memory read: $10,000
Rewards don't stack — ethical hackers only get the end-point reward, not rewards for intermediate steps as well. Also, only the first successful submission earns the reward, but as of press time, no submissions have been received, according to discussion on the kvmCTF Discord channel.