|  | {{+bindTo:partials.standard_nacl_article}} | 
|  |  | 
|  | <section id="security-contest-archive"> | 
|  | <span id="contest-archive"></span><h1 id="security-contest-archive"><span id="contest-archive"></span>Security Contest Archive</h1> | 
|  | <div class="contents local" id="contents" style="display: none"> | 
|  | <ul class="small-gap"> | 
|  | <li><a class="reference internal" href="#contest-overview" id="id2">Contest overview</a></li> | 
|  | <li><a class="reference internal" href="#contest-winners" id="id3">Contest winners</a></li> | 
|  | <li><p class="first"><a class="reference internal" href="#panel-of-judges" id="id4">Panel of judges</a></p> | 
|  | <ul class="small-gap"> | 
|  | <li><a class="reference internal" href="#chair" id="id5">Chair</a></li> | 
|  | <li><a class="reference internal" href="#judges" id="id6">Judges</a></li> | 
|  | </ul> | 
|  | </li> | 
|  | <li><a class="reference internal" href="#additional-information" id="id7">Additional information</a></li> | 
|  | </ul> | 
|  |  | 
|  | </div><p>The Native Client team at Google has gone to exceptional measures to | 
|  | make Native Client a secure system, including holding a public | 
|  | security contest. This page archives information from that contest, | 
|  | including the list of contest winners and the lineup of security | 
|  | experts who served as judges.</p> | 
|  | <p>Although the security contest has ended, the Native Client team | 
|  | welcomes your continued involvement in the project. You can help by | 
|  | submitting bugs and participating in the Native Client discussion | 
|  | group.</p> | 
|  | <h2 id="contest-overview">Contest overview</h2> | 
|  | <p>The Native Client team held a contest in 2009 to test the security of | 
|  | Native Client and help make the system more secure. Participants were | 
|  | invited to discover security bugs in Native Client technology in order | 
|  | to compete for cash prizes.</p> | 
|  | <p>Here was the challenge put forth by the Native Client team:</p> | 
|  | <blockquote> | 
|  | <div>Do you think it is impossible to safely run untrusted x86 code on | 
|  | the web? Do you want a chance to impress a panel of some of the top | 
|  | security experts in the world? Then submit an exploit to the Native | 
|  | Client Security contest and you could also win cash prizes, not to | 
|  | mention bragging rights.</div></blockquote> | 
|  | <p>The contest judges evaluated exploits designed to defeat Native Client | 
|  | security measures based on severity, scope, reliability, and | 
|  | style. The winning teams and entries are listed below.</p> | 
|  | <h2 id="contest-winners"><span id="id1"></span>Contest winners</h2> | 
|  | <p>The Native Client team thanks everyone who participated in the contest | 
|  | for their contributions to improving the quality and security of the | 
|  | Native Client system. The judges reviewed the submitted exploits and | 
|  | identified the following teams as winners:</p> | 
|  | <table border="1" class="docutils"> | 
|  | <colgroup> | 
|  | </colgroup> | 
|  | <tbody valign="top"> | 
|  | <tr class="row-odd"><td><img alt="First place medal" class="first last" src="/native-client/images/medal-64_1st.png" /> | 
|  | </td> | 
|  | <td><p class="first"><strong>Team</strong>: Beached As</p> | 
|  | <p><strong>Members</strong>: Mark Dowd, Ben Hawkes</p> | 
|  | <p><strong>Submitted issues</strong>: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63</p> | 
|  | <p class="last">Mark Dowd and Ben Hawkes are application security specialists | 
|  | hailing from Australia and New Zealand, respectively. Mark | 
|  | works for IBM ISS X-Force R&D, whereas Ben currently performs | 
|  | independent research while simultaneously pursuing a | 
|  | mathematics and computing science degree. Both have uncovered | 
|  | major security flaws in ubiquitous Internet software, in terms | 
|  | of both exploitable bugs and weaknesses in system protection | 
|  | mechanisms. Both have spoken at numerous security conferences | 
|  | in recent years, including BlackHat, Ruxcon, KiwiCon, and | 
|  | Cansec West.</p> | 
|  | </td> | 
|  | </tr> | 
|  | <tr class="row-even"><td><img alt="Second place medal" class="first last" src="/native-client/images/medal-64_2nd.png" /> | 
|  | </td> | 
|  | <td><p class="first"><strong>Team</strong>: CJETM</p> | 
|  | <p><strong>Members</strong>: Jason Carpenter, Eric Monti, Chris Rohlf</p> | 
|  | <p><strong>Submitted issues</strong>: 42, 44, 49, 70</p> | 
|  | <p class="last">Team CJETM is comprised of security vulnerability researchers | 
|  | Chris Rohlf, Jason Carpenter and Eric Monti. All three have | 
|  | abused software professionally for a long time.</p> | 
|  | </td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td><img alt="Third place medal" class="first last" src="/native-client/images/medal-64_3rd.png" /> | 
|  | </td> | 
|  | <td><p class="first"><strong>Team</strong>: 0xdead</p> | 
|  | <p><strong>Members</strong>: Gabriel Campana</p> | 
|  | <p><strong>Submitted issues</strong>: 45</p> | 
|  | <p class="last">Gabriel Campana is a security researcher working at Sogeti ESEC | 
|  | R&D labs. His research interests are mainly focused on | 
|  | vulnerability research, exploitation methods, and Linux kernel | 
|  | security. Lately he has been working on automated vulnerability | 
|  | research, especially fuzzing. In his spare time, he plays with | 
|  | embedded network devices.</p> | 
|  | </td> | 
|  | </tr> | 
|  | <tr class="row-even"><td><img alt="Fourth place medal" class="first" src="/native-client/images/medal-64_4th.png" /> | 
|  | <p class="last">(tie)</p> | 
|  | </td> | 
|  | <td><p class="first"><strong>Team</strong>: teamfkmr</p> | 
|  | <p><strong>Members</strong>: Daiki Fukumori</p> | 
|  | <p><strong>Submitted issues</strong>: 66, 67</p> | 
|  | <p class="last">Daiki Fukumori is a web security researcher. He has given talks | 
|  | at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced | 
|  | Native Client security at Shibuya.pm. He currently has an | 
|  | interest in cloud security.</p> | 
|  | </td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td><img alt="Fourth place medal" class="first" src="/native-client/images/medal-64_4th.png" /> | 
|  | <p class="last">(tie)</p> | 
|  | </td> | 
|  | <td><p class="first"><strong>Team</strong>: Alex Rad</p> | 
|  | <p><strong>Members</strong>: Alex Radocea</p> | 
|  | <p><strong>Submitted issues</strong>: 81</p> | 
|  | <p class="last">Alex Radocea is a 20-year old student at Rensselaer Polytechnic | 
|  | Institute. In the realm of computer security he is really | 
|  | excited about proactively designed technology which can help | 
|  | wipe out entire bug classes. Currently he is helping improve | 
|  | Native Client through Google Summer of Code.</p> | 
|  | </td> | 
|  | </tr> | 
|  | </tbody> | 
|  | </table> | 
|  | <h2 id="panel-of-judges"><span id="contest-judges"></span>Panel of judges</h2> | 
|  | <p>Google recruited the following group of distinguished security experts | 
|  | to serve as judges for the Native Client security contest:</p> | 
|  | <h3 id="chair">Chair</h3> | 
|  | <table border="1" class="docutils"> | 
|  | <colgroup> | 
|  | </colgroup> | 
|  | <tbody valign="top"> | 
|  | <tr class="row-odd"><td>Edward Felten</td> | 
|  | </tr> | 
|  | <tr class="row-even"><td>Princeton University</td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td><a class="reference external" href="http://www.cs.princeton.edu/~felten/">http://www.cs.princeton.edu/~felten/</a></td> | 
|  | </tr> | 
|  | </tbody> | 
|  | </table> | 
|  | <h3 id="judges">Judges</h3> | 
|  | <table border="1" class="docutils"> | 
|  | <colgroup> | 
|  | </colgroup> | 
|  | <tbody valign="top"> | 
|  | <tr class="row-odd"><td>Alex Halderman</td> | 
|  | <td>Niels Provos</td> | 
|  | <td>Bennet Yee</td> | 
|  | </tr> | 
|  | <tr class="row-even"><td>University of Michigan</td> | 
|  | <td>Google</td> | 
|  | <td>Google</td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td><a class="reference external" href="http://www.cse.umich.edu/~jhalderm/">http://www.cse.umich.edu/~jhalderm/</a></td> | 
|  | <td><a class="reference external" href="http://www.citi.umich.edu/u/provos/">http://www.citi.umich.edu/u/provos/</a></td> | 
|  | <td><a class="reference external" href="http://www.bennetyee.org/">http://www.bennetyee.org/</a></td> | 
|  | </tr> | 
|  | <tr class="row-even"><td>Brad Karp</td> | 
|  | <td>Stefan Savage</td> | 
|  | <td>Nickolai Zeldovich</td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td>University of College London</td> | 
|  | <td>University of California San Diego</td> | 
|  | <td>MIT</td> | 
|  | </tr> | 
|  | <tr class="row-even"><td><a class="reference external" href="http://www.cs.ucl.ac.uk/staff/B.Karp/">http://www.cs.ucl.ac.uk/staff/B.Karp/</a></td> | 
|  | <td><a class="reference external" href="http://www.cs.ucsd.edu/~savage">http://www.cs.ucsd.edu/~savage</a></td> | 
|  | <td><a class="reference external" href="http://people.csail.mit.edu/nickolai/">http://people.csail.mit.edu/nickolai/</a></td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td>Greg Morrisett</td> | 
|  | <td>Dan Wallach</td> | 
|  | <td><div class="first last"> </div></td> | 
|  | </tr> | 
|  | <tr class="row-even"><td>Harvard University</td> | 
|  | <td>Rice University</td> | 
|  | <td><div class="first last"> </div></td> | 
|  | </tr> | 
|  | <tr class="row-odd"><td><a class="reference external" href="http://www.eecs.harvard.edu/~greg/">http://www.eecs.harvard.edu/~greg/</a></td> | 
|  | <td><a class="reference external" href="http://www.cs.rice.edu/~dwallach/">http://www.cs.rice.edu/~dwallach/</a></td> | 
|  | <td><div class="first last"> </div></td> | 
|  | </tr> | 
|  | </tbody> | 
|  | </table> | 
|  | <h2 id="additional-information">Additional information</h2> | 
|  | <p>For additional information about the Native Client security contest, | 
|  | see the archived | 
|  | <a class="reference internal" href="/native-client/community/security-contest/contest-announcement.html"><em>Contest Announcement</em></a>, | 
|  | <a class="reference internal" href="/native-client/community/security-contest/contest-faq.html"><em>FAQ</em></a> and | 
|  | <a class="reference internal" href="/native-client/community/security-contest/contest-terms.html"><em>Terms & Conditions</em></a>.</p> | 
|  | <p>If you’d like to get involved with Native Client, you can:</p> | 
|  | <ul class="small-gap"> | 
|  | <li>Use the <a class="reference external" href="/native-client/sdk/download">Native Client SDK</a> to build Native | 
|  | Client web applications.</li> | 
|  | <li>Submit <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">bugs</a> | 
|  | and participate in the Native Client | 
|  | <a class="reference external" href="http://groups.google.com/group/native-client-discuss">discussion group</a>.</li> | 
|  | <li>Contribute to the | 
|  | <a class="reference external" href="http://code.google.com/p/nativeclient/">Native Client open-source project</a>.</li> | 
|  | </ul> | 
|  | </section> | 
|  |  | 
|  | {{/partials.standard_nacl_article}} |