In 1995, the Mozilla Foundation was the first organization to offer bug bounties. Now everyone offers them. Google, which uses Linux in just about everything, is expanding its Kubernetes-based Capture-the-Flag (kCTF) project and kCTF Vulnerability Reward Program (VRP) to pay more attention to tracking down Linux kernel bugs.
How did they switch from Kubernetes to Linux? It was the next logical move. Via kCTF, researchers could use Google Kubernetes Engine (GKE). If they could successfully hack it, they would get a flag and potentially some money. But while all of GKE and its dependencies were in scope, every vulnerability found so far turned out to be a container breakout through a Linux kernel vulnerability.
Linux Kernel Hacking Community
In particular, the bugs discovered tended to be heap memory corruption vulnerabilities. Google’s plan had been to build a community of Linux kernel hackers. Mission accomplished!
Moving forward, Google is extending the kCTF VRP with larger rewards through December 31, 2022. These rewards now pay $20,000 to $91,337 for vulnerabilities on Google’s lab kCTF deployment. This is in addition to Google’s existing Bug Hunter patch rewards.
To help swat Linux kernel security bugs, Google is also releasing new instances with additional rewards. On these instances, researchers will test the latest stable Linux kernel image as well as new experimental mitigations in a custom Google kernel. In other words, rather than just investigating stable Linux kernels, hackers will also test Google’s latest and most experimental Linux security mitigations.
Specifically, Google is testing mitigations that should — should — make it more difficult to exploit newly discovered vulnerabilities. If you successfully get past these new Linux kernel patches, Google will pay you an additional $21,000.
These Linux kernel hardening mitigations are designed to block attacks on the following exploit primitives:
Get the Money
For attacks that compromise Google’s custom Linux kernel with its experimental mitigations, the reward will be an additional $21,000. To qualify, you need to clearly bypass the mitigations being tested. In total, you can win up to $133,337.
The immediate goal is to create a pipeline to analyze, experiment, measure, and build Linux kernel security mitigations. Ultimately, the hope is to make exploiting Linux kernel vulnerabilities as difficult as possible.
As for me? For that kind of money, it’s time to bring out my Linux static analysis tools and see if I can find any clues to get some of those sweet, sweet bug bounty bucks.