The Linux kernel is a key part for the safety of the Web. Google makes use of Linux in nearly every part, from the computer systems our staff use, to the merchandise individuals around the globe use day by day like Chromebooks, Android on telephones, automobiles, and TVs, and workloads on Google Cloud. Due to this, we now have closely invested in Linux’s safety – and right this moment, we’re saying how we’re constructing on these investments and rising our rewards.
In 2020, we launched an open-source Kubernetes-based Seize-the-Flag (CTF) undertaking referred to as, kCTF. The kCTF Vulnerability Rewards Program (VRP) lets researchers hook up with our Google Kubernetes Engine (GKE) situations, and if they’ll hack it, they get a flag, and are doubtlessly rewarded. All of GKE and its dependencies are in scope, however each flag caught up to now has been a container breakout by a Linux kernel vulnerability. We’ve realized that discovering and exploiting heap reminiscence corruption vulnerabilities within the Linux kernel might be made so much tougher. Sadly, safety mitigations are sometimes arduous to quantify, nonetheless, we expect we’ve discovered a manner to take action concretely going ahead.
Once we launched kCTF, we hoped to construct a group of Linux kernel exploitation hackers. This labored nicely and allowed the group to study from a number of members of the safety group like Markak, starlabs, Crusaders of Rust, d3v17, slipper@pangu, valis, kylebot, pqlqpql and Awarau.
Now, we’re making updates to the kCTF program. First, we’re indefinitely extending the elevated reward quantities we introduced earlier this yr, that means we’ll proceed to pay $20,000 – $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the necessary work being accomplished to grasp and enhance kernel safety. That is along with our current patch rewards for proactive safety enhancements.
Second, we’re launching new situations with further rewards to guage the most recent Linux kernel steady picture in addition to new experimental mitigations in a customized kernel we have constructed. Relatively than merely studying in regards to the present state of the steady kernels, the brand new situations will likely be used to ask the group to assist us consider the worth of each our newest and extra experimental safety mitigations.Â
Right this moment, we’re beginning with a set of mitigations we imagine will make many of the vulnerabilities (9/10 vulns and 10/13 exploits) we acquired this previous yr tougher to use. For brand spanking new exploits of vulnerabilities submitted which additionally compromise the most recent Linux kernel, we pays an extra $21,000 USD. For these which compromise our customized Linux kernel with our experimental mitigations, the reward will likely be one other $21,000 USD (if they’re clearly bypassing the mitigations we’re testing). This brings the entire rewards as much as a most of $133,337 USD. We hope this can enable us to study extra about how arduous (or straightforward) it’s to bypass our experimental mitigations.
The mitigations we have constructed try to deal with the next exploit primitives:
With the kCTF VRP program, we’re constructing a pipeline to investigate, experiment, measure and construct safety mitigations to make the Linux kernel as secure as we are able to with the assistance of the safety group. We hope that, over time, we can make safety mitigations that make exploitation of Linux kernel vulnerabilities as arduous as potential.
