Exploit writers invited to probe Chrome’s V8 engine, Google Cloud’s KVM

Google is asking bug hunters and exploit writers to develop 0-day and n-day exploits for Chrome’s V8 JavaScript engine and Google Cloud’s Kernel-based Virtual Machine (KVM).

“We want to learn from the security community to understand how they will approach this challenge. If you’re successful, you’ll not only earn a reward, but you’ll also help us make our products more secure for everyone. This is also a good opportunity to learn about technologies and gain hands-on experience exploiting them,” Google software engineers Stephen Roettger and Marios Pomonis noted.

The v8CTF reward program

The v8CTF – a capture-the-flag challenge focused on V8 – was launched on Friday.

The exploit writers should make their exploitation attempts against a V8 version running on Google infrastructure. “Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag,” the engineers added.

They can try to exploit known (n-day) vulnerabilities found by other researchers or unknown (0-day) vulnerabilities they’ve unearthed themselves.

In the latter case, the bug hunter is eligible to receive a reward for the discovered zero-day under the Chrome Vulnerability Reward Program, and a reward for the 0-day exploit under the v8CTF reward program – but they have to make sure the two submissions are sent from the same email address.

“Exploits need to be reasonably fast and stable. We accept submissions with an average runtime of less than 5 minutes and at least 80% success rate,” says Google.

“Valid submissions [under the v8CTF reward program] get a reward of $10,000.”

The kvmCTF reward program

The kvmCTF will be launched later this year, but the rules have already been published.

Submitters can target 0-day and (patched) 1-day bugs, and the goal is to perform a successful guest-to-host attack.

The reward for a full VM escape will be $99,999. Google will pay $34,999 for arbitrary (host) memory write exploits and $24,999 for arbitrary (host) memory read exploits. Finally, a successful denial-of-service exploit affecting the host will be rewarded with $14,999.

“KvmCTF is (…) is focused on making exploiting Kernel-based Virtual Machine (KVM) vulnerabilities harder by inviting security researchers to demonstrate their exploitation techniques on 0-day and 1-day vulnerabilities on LTS kernel versions. Eventually we might add experimental mitigations to KVM that we would like to see if and how researchers can bypass them,” Google says.

“We are asking researchers to publish their submissions, helping the community to learn from each other’s techniques.”
