Google has recently initiated a vulnerability reward program (VRP) aimed at enticing individuals to uncover security vulnerabilities within the open-source Kernel-based Virtual Machine (KVM) hypervisor. The enticing aspect of this program is the top prize of up to a quarter of a million dollars. This VRP is structured as a capture-the-flag contest where participants, acting as testers, are required to log in as guests and search for a zero-day vulnerability within the KVM host kernel.

KVM stands as an open-source project that Google actively contributes to, and it has been integrated into mainline Linux since 2007. This technology enables devices powered by Intel or AMD to operate multiple virtual machines (VMs) with hardware emulation that can be tailored to support a variety of legacy operating systems. Google relies on KVM in its Android and Google Cloud platforms, underlining its substantial interest in maintaining the security of this system.

Initially announced in October of the previous year, the “kvmCTF” contest officially commenced on June 27. Participants must reserve specific time slots in Coordinated Universal Time (UTC) to access the guest VM running on a bare metal host and execute a guest-to-host attack.

The primary objective of the attack is to exploit a zero-day vulnerability within the KVM subsystem of the host kernel, as stated in Google’s launch post for the contest. Vulnerabilities originating in the QEMU emulator or those depending on host-to-KVM techniques are explicitly excluded from the scope of the contest. The complete set of rules delineates the entire process, from downloading the requisite files to demonstrating a successful exploit convincingly.

The rewards for successful exploits, as outlined in the Google Security blog entry dated June 27, are as follows:

– Arbitrary memory write: $100,000
– Arbitrary memory read: $50,000
– Relative memory write: $50,000
– Denial of service: $20,000
– Relative memory read: $10,000

It is important to note that rewards do not accumulate; ethical hackers are only eligible for the endpoint reward and not for any intermediary steps. Additionally, only the initial successful submission warrants the reward, although as of the current moment, no submissions have been recorded, as indicated in discussions on the kvmCTF Discord channel.

In conclusion, Google’s initiative of launching a VRP for discovering vulnerabilities within the KVM hypervisor showcases its commitment to bolstering the security of open-source projects, thereby fostering a safer digital environment for users worldwide.

Link na izvor