The results and the PoC are in: congratulations to Mark Dowd and Ben Hawkes for uncovering 12 vulnerabilities in the open-source Google Native Client: “Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps”.
The project raises the question “Do we need another ActiveX?”, or rather, “Do we need a safer ActiveX for running untrusted and arbitrary code from within a browser on all platforms?”. While the contest showed that buffer overflows (BoF) can be present in the sandbox itself, several of which appear to remain open issues, Google claims that the architecture itself has been strengthened and validated by the contest: “This contest helped us discover implementation errors in Native Client and some areas of our codebase we need to spend more time reviewing. More importantly, that no major architectural flaws were found provides evidence that Native Client can be made safe enough for widespread use. Toward that end, we’re implementing additional security measures, such as an outer sandbox”. The contest seems to be a great way to clean up code, but the claims seem somewhat questionable. Just see what Dave Aitel has to say about what architectural flaws really are.