The Linux kernel is a key part for the safety of the Web. Google makes use of Linux in nearly the whole lot, from the computer systems our staff use, to the goods other people around the globe use day-to-day like Chromebooks, Android on telephones, vehicles, and TVs, and workloads on Google Cloud. As a result of this, we’ve closely invested in Linux’s safety – and lately, we’re saying how we’re construction on the ones investments and lengthening our rewards.
In 2020, we introduced an open-source Kubernetes-based Seize-the-Flag (CTF) challenge known as, kCTF. The kCTF Vulnerability Rewards Program (VRP) we could researchers hook up with our Google Kubernetes Engine (GKE) circumstances, and if they may be able to hack it, they get a flag, and are doubtlessly rewarded. All of GKE and its dependencies are in scope, however each flag stuck to this point has been a container breakout thru a Linux kernel vulnerability. We’ve realized that discovering and exploiting heap reminiscence corruption vulnerabilities within the Linux kernel might be made so much more difficult. Sadly, safety mitigations are incessantly laborious to quantify, alternatively, we expect we’ve discovered some way to take action concretely going ahead.
After we introduced kCTF, we was hoping to construct a neighborhood of Linux kernel exploitation hackers. This labored neatly and allowed the neighborhood to be told from a number of participants of the safety neighborhood like Markak, starlabs, Crusaders of Rust, d3v17, slipper@pangu, valis, kylebot, pqlqpql and Awarau.
Now, we’re making updates to the kCTF program. First, we’re indefinitely extending the larger praise quantities we introduced previous this 12 months, that means we’ll proceed to pay $20,000 – $91,337 USD for vulnerabilities on our lab kCTF deployment to praise the vital paintings being carried out to grasp and toughen kernel safety. That is along with our present patch rewards for proactive safety enhancements.
2d, we’re launching new circumstances with further rewards to guage the most recent Linux kernel strong symbol in addition to new experimental mitigations in a customized kernel now we have constructed. Quite than just finding out in regards to the present state of the strong kernels, the brand new circumstances might be used to invite the neighborhood to lend a hand us overview the price of each our newest and extra experimental safety mitigations.
As of late, we’re beginning with a suite of mitigations we imagine will make many of the vulnerabilities (9/10 vulns and 10/13 exploits) we won this previous 12 months tougher to take advantage of. For brand spanking new exploits of vulnerabilities submitted which additionally compromise the most recent Linux kernel, we can pay an extra $21,000 USD. For the ones which compromise our customized Linux kernel with our experimental mitigations, the praise might be any other $21,000 USD (if they’re obviously bypassing the mitigations we’re checking out). This brings the whole rewards as much as a most of $133,337 USD. We are hoping this may permit us to be informed extra about how laborious (or simple) it’s to avoid our experimental mitigations.
The mitigations now we have constructed try to take on the next exploit primitives:
With the kCTF VRP program, we’re construction a pipeline to research, experiment, measure and construct safety mitigations to make the Linux kernel as protected as we will with the assistance of the safety neighborhood. We are hoping that, through the years, we will make safety mitigations that make exploitation of Linux kernel vulnerabilities as laborious as imaginable.