Chrome OS Remains Undefeated At Pwnium 3
hypnosec writes "Google has announced that its Chrome OS has managed to remain undefeated during the Pwnium 3 event that was held alongside Pwn2Own. Announced by Google on January 28, 2013, the Pwnium 3 event carried a prize money of $3.14 million. Researchers were asked to carry out attacks against a base Samsung Series 5 Chromebook running the latest stable version of Chrome OS. It turns out security researchers were not able to come up with winning exploits even after the competition's deadline was extended. Google Chrome Team has revealed that partial exploit entries have been filled in, but no other details have been released."
You say that like it's a bad thing. A glorified web browser with incredible security is exactly what a good amount of people should be using. Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.
I find it hard to believe (though it's getting easier) that even geeks who have trouble seeing the world outside their little techy bubble can complain about this. I've seen the idea of an internet "driver's license" come up on these boards but then something that protects people from themselves is shit all over. Well done.
Tablet, I mean. It's not as useful as a table.
That is why I don't understand why it's included... do they include other thin clients? Because that is ALL it is, it's a minimal kernel designed to have just enough to launch the browser interface, no different than one of the old Sun Ray thin clients. The ONLY difference between Chrome OS and any other classic thin client is Google provides the infrastructure in return for being able to datamine you for their real customers, which is of course the advertisers.
Now does this mean ChromeOS is "bad"? Of course not, if a thin client is all your company needs I would be happy to set one up, for some jobs a thin client is really all that is needed... BUT, and it's a BIG BUT, there are a HELL of a lot of tasks that thin clients just aren't built for which is why I just don't get marketing this to consumers. Hell even my most boring home customers have SOME software they want to run, take the little old lady that was my last customer of the day, I had to load the little software that comes with her wireless printer into her new system because she uses that to make little announcements for her family, calendars made out of pictures of the new grandbaby, anniversary party invites, that kind of stuff. If she couldn't have her little software? The PC might as well be a paperweight for all the good it would do her.
So I really don't get why these rags keep lumping in ChromeOS with Windows and OSX because it's really nothing like them at all, those are your classic "fat client" full OS while Chrome is a classic thin client "browser in a box". Hell feature-wise it's got less going for it than Android, Android you can side load and run third party programs easily and from what I've seen Chrome is strictly web based which is why they can get by with such little space on the drive, everything is supposed to be hosted by Google and run in the browser.
It just makes no sense at all to run a test of fat clients with Chrome, to use a /. car analogy it would be like having a test on which truck gets the best mileage and entering a moped. Sure it's gonna get the best mileage but so what? It doesn't actually DO the jobs that you need a truck for in the first place!
ACs don't waste your time replying, your posts are never seen by me.
A major theme here is "it doesn't run many apps, that's why it's secure". Yeah, that must be it - it probably has absolutely nothing to do with the way they've implemented Mandatory Access Controls in a rigorous fashion, and the way they isolate resources with heavy use of cgroups, and the read-only root filesystem and tmpfs /tmp, and how they've made every binary use ASLR and NX and DEP, and how they've rewritten several major typically-vulnerable daemons to not run as root, and how they've developed userland daemons to broker access to hardware, and how they don't allow any files in user home dirs to be executables, or how they've started to sandbox device drivers, or the way they implemented separate processing stacks for HTTP and HTTPS, or how they verify not just the boot record but the whole boot stack and partition table and nv ram on every boot and and and ...
...
Yeah, all those things probably don't matter. They probably don't play any role in exploits that work on Windows-based Chrome failing on Chrome OS. It's not more inherently secure than any other OS, riiiggghhhhhttttt
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh