There are only two weeks left in the
Native Client Security Contest and there's never been a better time to report bugs! So far we've seen twenty-four submitted issues from seven teams, so it's definitely not too late to be competitive. We've seen some great buffer overflows, information leaks and even a couple holes in the inner sandbox, but there probably are still exploitable bugs in the system. Here are some kinds of bugs we haven't seen:
- exploitable races in the service runtime
- attacks based on invalid IMC messages
- exploitable CPU errata
- scripting attacks that Native Client makes easier
See
http://code.google.com/contests/nativeclient-security/ for all the details about the contest.
Happy Hunting!
The Native Client Engineering Team